From 2592b5680b1095eb169660bc2dee4053f1341726 Mon Sep 17 00:00:00 2001
From: Jonathon Wright
Date: Wed, 17 Jun 2026 23:02:27 +1000
Subject: [PATCH] ci(bump-digest): bound PR-open curl + make it non-fatal so runs go green

The branch push is the deploy artifact; opening the PR is best-effort. Previously a no-timeout curl to the private Gitea API tripped split-horizon DNS from the runner, hanging the step ~10min then failing the whole run. Now: --connect-timeout 10 --max-time 30, failure is logged non-fatally, exit 0.
---
 scripts/bump-digest.sh | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/scripts/bump-digest.sh b/scripts/bump-digest.sh
index 88bd859..8648a13 100755
--- a/scripts/bump-digest.sh
+++ b/scripts/bump-digest.sh
@@ -48,18 +48,28 @@ git config user.email "ci@bztmon.com"
 git commit -am "bztmon-site: deploy ${TAG}"
 git push origin "${BRANCH}"
-# --- PR (never auto-merge) -------------------------------------------------
-# Default (least-privilege): just push the branch — Jonathon opens+merges the PR (the approval
-# gate + the ArgoCD trigger). Only auto-open a PR if a GITEA_TOKEN is provided.
-# NB: use a dedicated var name (NOT GITEA_TOKEN) — Gitea auto-injects GITEA_TOKEN into every job,
-# which would wrongly trigger this against the private instance. Default path just pushes the branch.
+# --- PR (never auto-merge; BEST-EFFORT) ------------------------------------
+# The branch push above IS the deploy artifact — the rollout is ready regardless of the PR.
+# Opening the PR is pure convenience and must NEVER hang or fail the job. (It used to: a
+# no-timeout curl to the PRIVATE Gitea API tripped split-horizon DNS from the runner and hung
+# the step for ~10min before failing the whole run.) So: bound the curl, treat any failure as
+# non-fatal, and always exit 0 — a green run means "image built + bump branch pushed".
+# NB: dedicated var name (NOT GITEA_TOKEN) — Gitea auto-injects GITEA_TOKEN into every job.
+PR_URL="https://gitea.bztmon.org/jwrong96/home-ops/compare/main...${BRANCH}"
 if [[ -n "${HOMEOPS_PR_TOKEN:-}" ]]; then
- curl -fsSL -X POST "${GITEA_API}/repos/jwrong96/home-ops/pulls" \
- -H "Authorization: token ${HOMEOPS_PR_TOKEN}" \
- -H "Content-Type: application/json" \
- -d "{\"head\":\"${BRANCH}\",\"base\":\"main\",\"title\":\"bztmon-site: deploy ${TAG}\",\"body\":\"Automated digest bump.\\n\\nImage: \`${REF}\`\\n\\nMerge to roll out via ArgoCD.\"}"
- echo ">> PR opened for ${BRANCH}"
+ if curl -fsS --connect-timeout 10 --max-time 30 -X POST "${GITEA_API}/repos/jwrong96/home-ops/pulls" \
+ -H "Authorization: token ${HOMEOPS_PR_TOKEN}" \
+ -H "Content-Type: application/json" \
+ -d "{\"head\":\"${BRANCH}\",\"base\":\"main\",\"title\":\"bztmon-site: deploy ${TAG}\",\"body\":\"Automated digest bump.\\n\\nImage: \`${REF}\`\\n\\nMerge to roll out via ArgoCD.\"}"; then
+ echo ">> PR opened for ${BRANCH}"
+ else
+ echo ">> WARNING: PR auto-open failed/unreachable (non-fatal) — branch is pushed, open it manually:"
+ echo ">> ${PR_URL}"
+ fi
 else
 echo ">> branch ${BRANCH} pushed (image ${REF})."
- echo ">> open the PR to roll out: https://gitea.bztmon.org/jwrong96/home-ops/compare/main...${BRANCH}"
+ echo ">> open the PR to roll out: ${PR_URL}"
 fi
+
+# The deploy artifact (the bump branch) is pushed — the optional PR step never reds the run.
+exit 0
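Review bot: The `-H "Authorization: token ${HOMEOPS_PR_TOKEN}"` argument in the new `if curl …` still puts the token on curl's command line, where it is readable from the runner's process list and would be printed to the job log if the script is ever traced with `set -x`. curl 7.55.0 and later can read headers from stdin, so that line could become `-H @- \` with `<<<"Authorization: token ${HOMEOPS_PR_TOKEN}"` appended just before `; then`. The `-d` payload is also built by interpolating `${BRANCH}`, `${TAG}` and `${REF}` into a JSON string, so a quote or backslash in any of them changes or breaks the request body; a JSON encoder such as `jq -n --arg`, if present on the runner, avoids that. Because failure is now non-fatal and `-f` discards the response body, an expired or revoked token gives the same green run as a DNS timeout; adding `echo ">> curl exit status: $?"` as the first line of the `else` branch would keep an HTTP error (22) distinguishable from a timeout (28). The script continues above the hunk, so whether tracing or `set -e` is enabled there is not visible here.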