Skip to content

DEVEX-1653: add rt_mode to build-php-v1 orchestrator#137

Merged
pdodgen-revparts merged 1 commit into
mainfrom
DEVEX-1653-build-orchestrator-rt-mode
Jul 1, 2026
Merged

DEVEX-1653: add rt_mode to build-php-v1 orchestrator#137
pdodgen-revparts merged 1 commit into
mainfrom
DEVEX-1653-build-orchestrator-rt-mode

Conversation

@pdodgen-revparts

Copy link
Copy Markdown
Contributor

Description

Adds an rt_mode: boolean input to the shared build-php-v1 orchestrator. When true (caller triggers on rt-* refs), the orchestrator routes through encodium/actions' _compute-rt-tag composite to push the rt rc tag and create the GH pre-release atomically up front; build then consumes that tag. When false (default) behavior is identical to today.

Related PRs:

Jira Issue: https://revolutionparts.atlassian.net/browse/DEVEX-1653

Background

Release Train v2 (DEVEX-1579) ships images tagged vX.Y.Z-rc.<YYYY-MM-DD>.<iter> from per-train rt-<YYYY-MM-DD> branches. The pilot (listings-url-service#89) proved the inline pattern works, but copying ~80 lines of rt-build logic into every consuming app's Build.yaml would mean 4 near-identical inline jobs to maintain (internal_api, rp_api, listings-url-service, license_api).

By teaching build-php-v1 about rt mode, Phase 3 per-repo PRs become a few lines: a second rt-build job that calls the orchestrator with rt_mode: true and a different images JSON (no extra_tag: latest for rt builds). Tag-emission logic and GH Release creation stay in one place — the composite action.

The non-rt path is preserved verbatim. The two paths are mutually exclusive at job level (if: ${{ !inputs.rt_mode }} vs if: ${{ inputs.rt_mode }}); build waits on both with always() && (success of either) and selects the active tag via ||.

Scope of this PR (and what's deferred):

  • build-php-v1.yaml: extended.
  • ⏭️ build-php-laravel.yaml: intentionally not extended here. The Laravel worker hardcodes :latest / :webserver-latest / :cli-latest across 6 build jobs — safely supporting rt mode there requires an omit_latest_tag input plumbed through the worker. That's a separate, larger PR. Among Phase 3 apps only returns-api consumes the Laravel orchestrator; it can use an inline rt-build path (matching the pilot) in the interim.
  • ⏭️ accounts-api calls php-laravel-build-push.yaml directly (not the Laravel orchestrator) and catalog_api is fully inline — both will use inline rt-build paths in Phase 3.

Caller responsibilities

For an rt-build job calling this orchestrator with rt_mode: true:

  • Gate on if: startsWith(github.ref, 'refs/heads/rt-')
  • permissions: { contents: write } on the calling job (propagates into compute-rt-tag)
  • Pass a token with contents:write via secrets.gh_token (the pilot uses REPO_WRITE_PAT)
  • Use a separate images JSON without extra_tag: latest — rt builds shouldn't move :latest

Testing Information

  • YAML syntax: lint-clean.
  • Behavioral diff on non-rt path: zero. calculate-tagbuildtag-and-release chain runs identically; the only addition (compute-rt-tag) is gated on rt_mode == true and stays skipped.
  • End-to-end rt path: validated in the sandbox rt-99 train against the foundational composite action prior to this PR. This PR is a packaging refactor — same composite, same emitted tag, called from one place instead of inlined per-repo.
  • No-op on existing consumers: internal_api, rp_api, returns-api, license_api, listings-url-service all call this workflow without specifying rt_mode; the default (false) preserves their current behavior.

Phase 3 follow-up PRs (one per consuming repo) will exercise rt_mode end-to-end before any per-repo merge.

When rt_mode=true (caller triggers on rt-* refs), the orchestrator:
- skips mathieudutour's dry-run + final tag-and-release jobs
- adds a compute-rt-tag job that calls encodium/actions'
  _compute-rt-tag composite to push the rt rc tag and create the
  GH pre-release atomically up front
- routes build at matrix-time to consume that tag

Non-rt callers see no behavior change (rt_mode defaults to false).

The shared output 'tag' now resolves from whichever path ran. Skipped
jobs return empty-string outputs in GitHub Actions, so the '||' guard
picks the active path's tag without further gating.

Caller responsibilities (per DEVEX-1653):
- gate the rt-build job on startsWith(github.ref, 'refs/heads/rt-')
- grant 'permissions: contents: write' to that job
- pass a token with contents:write via secrets.gh_token

DEVEX-1653
@cursor

cursor Bot commented Jun 23, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Changes shared release orchestration and adds a path that pushes tags and creates GitHub releases with write permissions; default rt_mode false limits blast radius for current consumers.

Overview
Adds optional rt_mode (default false) to the reusable build-php-v1 workflow so Release Train builds can share one orchestrator instead of per-repo inline jobs.

When rt_mode: true, the workflow skips the existing mathieudutour dry-run / tag-and-release tail and runs a new compute-rt-tag job that calls encodium/actions_compute-rt-tag composite (with contents: write) to push the rt rc tag and create the GitHub pre-release up front. build then tags images from that output. When rt_mode: false, the calculate-tagbuildtag-and-release chain is unchanged aside from gating.

build now depends on both tag jobs and uses always() plus a success check on whichever path ran; the image tag input and workflow outputs.tag use || to pick the active job’s tag. Callers on rt branches must pass a write-capable token and avoid extra_tag: latest in their images matrix.

Reviewed by Cursor Bugbot for commit 7a67e2e. Bugbot is set up for automated code reviews on this repo. Configure here.

@pdodgen-revparts pdodgen-revparts marked this pull request as ready for review June 25, 2026 21:16
@pdodgen-revparts pdodgen-revparts requested a review from a team as a code owner June 25, 2026 21:16
@pdodgen-revparts pdodgen-revparts merged commit 0b0684f into main Jul 1, 2026
2 checks passed
@pdodgen-revparts pdodgen-revparts deleted the DEVEX-1653-build-orchestrator-rt-mode branch July 1, 2026 17:41
pdodgen-revparts added a commit that referenced this pull request Jul 1, 2026
…ed (#140)

Revert "DEVEX-1653: add rt_mode to build-php-v1 orchestrator (#137)"

This reverts commit 0b0684f.
pdodgen-revparts added a commit that referenced this pull request Jul 1, 2026
DEVEX-1653: add rt_mode to build-php-v1 orchestrator (transitive-skip fix)

Adds the rt_mode boolean input plus rt-path jobs (compute-rt-tag, gated
build execution) to enable Template A callers to route through the
_compute-rt-tag composite in encodium/actions.

Fixes the transitive-skip cascade discovered when merging Batch 1
Template A PRs immediately post-#137: tag-and-release has `needs: [build]`,
and build's own needs include compute-rt-tag (skipped on main-path).
GitHub Actions' default `success()` gate on job-if propagates that
transitive skipped-status through the needs chain, silently skipping
tag-and-release even when build itself succeeded — resulting in empty
image_tag output → downstream integration-deploy helm apply crashing on
malformed YAML (`image: ghcr.io/…:` with nothing after the colon).

Fix: gate tag-and-release with `if: !cancelled() && !inputs.rt_mode`.
!cancelled() explicitly overrides the implicit success() gate on the
transitive skipped need, restoring the intended semantics: run whenever
the workflow wasn't cancelled AND we're on the non-rt path. Verified
against license_api/rp_api/catalog_api/vin_decoder_service post-merge
canary before Batches 3/4 landed.

Refs DEVEX-1653, #137 (original), #140 (revert).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant