molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
main
molecule-core/.github/workflows/promote-latest.yml
dependabot[bot] 6c6c6eb1e8
chore(deps)(deps): bump imjasonh/setup-crane from 0.4 to 0.5 
Bumps [imjasonh/setup-crane](https://github.com/imjasonh/setup-crane) from 0.4 to 0.5.
- [Release notes](https://github.com/imjasonh/setup-crane/releases)
- [Commits](31b88efe9d...6da1ae0188)

---
updated-dependencies:
- dependency-name: imjasonh/setup-crane
  dependency-version: '0.5'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-02 19:23:13 +00:00

86 lines
2.9 KiB
YAML
Raw Permalink Blame History

name: promote-latest
# Manually retag ghcr.io/molecule-ai/platform:staging-<sha> → :latest
# (and the same for the tenant image). Use this to:
#
# 1. Promote a :staging-<sha> to prod before the canary fleet is live
# (one-off during the initial rollout).
# 2. Roll back :latest to a prior known-good digest after a bad
# promotion slipped past canary (use scripts/rollback-latest.sh
# for a local / emergency path; this workflow is for scheduled
# or from-browser promotions).
#
# Running this workflow needs no extra secrets — GitHub's default
# GITHUB_TOKEN has write:packages for repo-owned GHCR images, which
# is all we need for a remote retag via `crane tag`.
on:
workflow_dispatch:
inputs:
sha:
description: 'Short sha to promote (e.g. 4c1d56e). Must match an existing :staging-<sha> tag.'
required: true
type: string
permissions:
contents: read
packages: write
env:
IMAGE_NAME: ghcr.io/molecule-ai/platform
TENANT_IMAGE_NAME: ghcr.io/molecule-ai/platform-tenant
jobs:
promote:
runs-on: ubuntu-latest
steps:
- uses: imjasonh/setup-crane@6da1ae018866400525525ce74ff892880c099987 # v0.5
- name: GHCR login
run: |
echo "${{ secrets.GITHUB_TOKEN }}" \
| crane auth login ghcr.io -u "${{ github.actor }}" --password-stdin
- name: Retag platform image
run: |
set -eu
SRC="${IMAGE_NAME}:staging-${{ inputs.sha }}"
if ! crane digest "$SRC" >/dev/null 2>&1; then
echo "::error::$SRC not found in registry — double-check the sha."
exit 1
fi
EXPECTED=$(crane digest "$SRC")
crane tag "$SRC" latest
ACTUAL=$(crane digest "${IMAGE_NAME}:latest")
if [ "$ACTUAL" != "$EXPECTED" ]; then
echo "::error::retag digest mismatch (expected $EXPECTED, got $ACTUAL)"
exit 1
fi
echo "OK ${IMAGE_NAME}:latest → $ACTUAL"
- name: Retag tenant image
run: |
set -eu
SRC="${TENANT_IMAGE_NAME}:staging-${{ inputs.sha }}"
if ! crane digest "$SRC" >/dev/null 2>&1; then
echo "::error::$SRC not found — tenant image may not have built for this sha."
exit 1
fi
EXPECTED=$(crane digest "$SRC")
crane tag "$SRC" latest
ACTUAL=$(crane digest "${TENANT_IMAGE_NAME}:latest")
if [ "$ACTUAL" != "$EXPECTED" ]; then
echo "::error::tenant retag digest mismatch"
exit 1
fi
echo "OK ${TENANT_IMAGE_NAME}:latest → $ACTUAL"
- name: Summary
run: |
{
echo "## :latest promoted to staging-${{ inputs.sha }}"
echo
echo "Both platform + tenant images retagged. Prod tenants"
echo "will auto-pull within their 5-min update cycle."
} >> "$GITHUB_STEP_SUMMARY"
Reference in New Issue View Git Blame Copy Permalink