1 changed files with 71 additions and 0 deletions
@@ -449,6 +449,42 @@ jobs:
          fi
          cp "$HTTP_RESPONSE" "$RUNNER_TEMP/redeploy-response.json"

+      # Auto-bump the CONCIERGE platform-agent image pin (the redeploy-fleet above
+      # only rolls the tenant image; kind=platform concierges resolve their image
+      # from runtime_image_pins('platform-agent') — core#2495). Promoting the pin
+      # ALSO triggers a WorkspaceRedeployer for kind=platform (pin_runtime_image.go),
+      # so concierges auto-roll onto the new identity-baked image. Without this the
+      # molecule-platform-agent image builds but never reaches concierges (#2919/#2955).
+      - name: Promote platform-agent image pin (staging) + auto-roll concierges
+        env:
+          PLATFORM_AGENT_IMAGE_NAME: ${{ env.PLATFORM_AGENT_IMAGE_NAME }}
+          TAG_SHA: staging-${{ github.sha }}
+          GIT_SHA: ${{ github.sha }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: us-east-2
+        run: |
+          set -euo pipefail
+          if [ -z "${CP_STAGING_ADMIN_API_TOKEN:-}" ]; then
+            echo "::error::cannot promote platform-agent pin — CP_STAGING_ADMIN_API_TOKEN missing"; exit 1
+          fi
+          DIGEST=$(aws ecr describe-images --region us-east-2 \
+            --repository-name molecule-ai/molecule-platform-agent \
+            --image-ids imageTag="${TAG_SHA}" \
+            --query 'imageDetails[0].imageDigest' --output text 2>/dev/null)
+          if [ -z "$DIGEST" ] || [ "$DIGEST" = "None" ]; then
+            echo "::error::could not resolve molecule-platform-agent:${TAG_SHA} digest (build did not push?)"; exit 1
+          fi
+          IMAGE_DIGEST="${PLATFORM_AGENT_IMAGE_NAME}@${DIGEST}"
+          BODY=$(jq -nc --arg t "platform-agent" --arg img "$IMAGE_DIGEST" --arg sha "$GIT_SHA" \
+            '{template_name:$t, region:"global", image_digest:$img, git_sha:$sha, notes:"auto-bump from publish-workspace-server-image"}')
+          echo "POST $CP_URL/cp/admin/runtime-image/promote  (platform-agent → ${IMAGE_DIGEST})"
+          CODE=$(curl -sS -o /tmp/promote.json -w '%{http_code}' -m 300 \
+            -H "Authorization: Bearer $CP_STAGING_ADMIN_API_TOKEN" -H "Content-Type: application/json" \
+            -X POST "$CP_URL/cp/admin/runtime-image/promote" -d "$BODY" || echo 000)
+          echo "HTTP $CODE: $(cat /tmp/promote.json 2>/dev/null | head -c 300)"
+          [ "$CODE" = "200" ] || [ "$CODE" = "201" ] || { echo "::error::platform-agent pin promote failed (HTTP $CODE)"; exit 1; }
+
      - name: Verify each staging tenant /buildinfo matches published SHA
        env:
          EXPECTED_SHA: ${{ github.sha }}
@@ -696,6 +732,41 @@ jobs:
            exit "$ROLLOUT_EXIT"
          fi

+      # Auto-bump the CONCIERGE platform-agent image pin to prod (the redeploy-fleet
+      # above only rolls the tenant image; kind=platform concierges resolve their
+      # image from runtime_image_pins('platform-agent') — core#2495). Promoting the
+      # pin ALSO triggers a WorkspaceRedeployer for kind=platform (pin_runtime_image.go),
+      # so concierges auto-roll onto the identity-baked image. This is the prod half
+      # of true auto-bump for the concierge image (#2919/#2955).
+      - name: Promote platform-agent image pin (prod) + auto-roll concierges
+        if: ${{ steps.plan.outputs.enabled == 'true' && steps.supersede.outputs.superseded != 'true' }}
+        env:
+          PLATFORM_AGENT_IMAGE_NAME: ${{ env.PLATFORM_AGENT_IMAGE_NAME }}
+          TAG_SHA: staging-${{ github.sha }}
+          GIT_SHA: ${{ github.sha }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: us-east-2
+        run: |
+          set -euo pipefail
+          [ -z "${CP_ADMIN_API_TOKEN:-}" ] && { echo "::error::CP_ADMIN_API_TOKEN missing for platform-agent promote"; exit 1; }
+          DIGEST=$(aws ecr describe-images --region us-east-2 \
+            --repository-name molecule-ai/molecule-platform-agent \
+            --image-ids imageTag="${TAG_SHA}" \
+            --query 'imageDetails[0].imageDigest' --output text 2>/dev/null)
+          if [ -z "$DIGEST" ] || [ "$DIGEST" = "None" ]; then
+            echo "::error::could not resolve molecule-platform-agent:${TAG_SHA} digest (build did not push?)"; exit 1
+          fi
+          IMAGE_DIGEST="${PLATFORM_AGENT_IMAGE_NAME}@${DIGEST}"
+          BODY=$(jq -nc --arg t "platform-agent" --arg img "$IMAGE_DIGEST" --arg sha "$GIT_SHA" \
+            '{template_name:$t, region:"global", image_digest:$img, git_sha:$sha, notes:"auto-bump from publish-workspace-server-image (prod)"}')
+          echo "POST $CP_URL/cp/admin/runtime-image/promote  (platform-agent → ${IMAGE_DIGEST})"
+          CODE=$(curl -sS -o /tmp/promote-prod.json -w '%{http_code}' -m 300 \
+            -H "Authorization: Bearer $CP_ADMIN_API_TOKEN" -H "Content-Type: application/json" \
+            -X POST "$CP_URL/cp/admin/runtime-image/promote" -d "$BODY" || echo 000)
+          echo "HTTP $CODE: $(cat /tmp/promote-prod.json 2>/dev/null | head -c 300)"
+          [ "$CODE" = "200" ] || [ "$CODE" = "201" ] || { echo "::error::prod platform-agent pin promote failed (HTTP $CODE)"; exit 1; }
+
      - name: Verify reachable tenants report this SHA
        # Skip when superseded BEFORE rollout: the redeploy step did not run, so
        # there is no redeploy-fleet response to verify against and the newer job