Temporarily bypass SHA check for clean demo deploy

transcom · Feb 21, 2025 · b65b1bc · b65b1bc
1 parent 21a0cc0
commit b65b1bc
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 11 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -30,16 +30,16 @@ variables:
   GOLANGCI_LINT_VERBOSE: "-v"
 
   # Specify the environment: loadtest, demo, exp
-  DP3_ENV: &dp3_env placeholder_env
+  DP3_ENV: &dp3_env demo
 
   # Specify the branch to deploy TODO: this might be not needed. So far useless
-  DP3_BRANCH: &dp3_branch placeholder_branch_name
+  DP3_BRANCH: &dp3_branch B-22384-Test-Sha-Check-dp3
 
   # Ignore branches for integration tests
-  INTEGRATION_IGNORE_BRANCH: &integration_ignore_branch placeholder_branch_name
-  INTEGRATION_MTLS_IGNORE_BRANCH: &integration_mtls_ignore_branch placeholder_branch_name
-  CLIENT_IGNORE_BRANCH: &client_ignore_branch placeholder_branch_name
-  SERVER_IGNORE_BRANCH: &server_ignore_branch placeholder_branch_name
+  INTEGRATION_IGNORE_BRANCH: &integration_ignore_branch B-22384-Test-Sha-Check-dp3
+  INTEGRATION_MTLS_IGNORE_BRANCH: &integration_mtls_ignore_branch B-22384-Test-Sha-Check-dp3
+  CLIENT_IGNORE_BRANCH: &client_ignore_branch B-22384-Test-Sha-Check-dp3
+  SERVER_IGNORE_BRANCH: &server_ignore_branch B-22384-Test-Sha-Check-dp3
 
   OTEL_IMAGE_TAG: &otel_image_tag "git-$OTEL_VERSION-$CI_COMMIT_SHORT_SHA"
 
@@ -1293,6 +1293,28 @@ integration_test_office:
 ###############################################################
 ## DP3 Env push and deploy stages all off of setting dp3 env ##
 ###############################################################
+
+check_against_dp3_sha:
+  stage: pre_checks  # Run before deployment stages
+  tags:
+    - $RUNNER_TAG  # Ensure the job runs on the correct GitLab Runner
+  environment: $DP3_ENV
+  image: $DOCKER_APP_IMAGE  # Use the correct image for your pipeline
+  before_script:
+    - *setup_milmove_env  # Set up environment variables if required.
+  script:
+    - echo "Skipping SHA check to force a clean deploy to demo."
+    - echo "success" > sha_check_status 
+    # - echo "Checking if deployed commit is an ancestor..."
+    # - scripts/compare-deployed-commit my.demo.dp3.us $CI_COMMIT_SHA
+  artifacts:
+    paths:
+      - sha_check_status  # Store the status for downstream jobs
+    expire_in: 1h
+  allow_failure: true  # Ensure the job does not fail the pipeline even if the script detects a SHA mismatch
+  rules:
+    - *check_dp3  # Ensure this matches your ruleset for conditional execution
+
 build_push_app_dp3:
   stage: push
   interruptible: true
@@ -1303,13 +1325,18 @@ build_push_app_dp3:
     name: gcr.io/kaniko-project/executor:v1.14.0-debug
     entrypoint: [""]
   needs:
+     - check_against_dp3_sha
      - compile_app_client
      - compile_app_server
   before_script:
     - *setup_aws_vars_dp3
     - *setup_release_dp3
     - *kaniko_before_setup
   script:
+    - |
+      if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then
+        echo "Deploy halted due to SHA check failure.";
+        exit 0;
     - echo "Building and Pushing app Docker image..."
     - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/${APP_DOCKER_FILE}" --destination "${ECR_REPOSITORY_URI}/app:git-$CI_COMMIT_SHORT_SHA"
   after_script:
@@ -1327,13 +1354,18 @@ build_push_migrations_dp3:
     name: gcr.io/kaniko-project/executor:v1.14.0-debug
     entrypoint: [""]
   needs:
+    - check_against_dp3_sha
     - compile_app_server
     - compile_app_client
   before_script:
     - *setup_aws_vars_dp3
     - *setup_release_dp3
     - *kaniko_before_setup
   script:
+    - |
+      if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then
+        echo "Deploy halted due to SHA check failure.";
+        exit 0;
     - echo "Building and Pushing migrations Docker image..."
     - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/Dockerfile.migrations" --destination "${ECR_REPOSITORY_URI}/app-migrations:git-$CI_COMMIT_SHORT_SHA"
   after_script:
@@ -1351,13 +1383,18 @@ build_push_tasks_dp3:
     name: gcr.io/kaniko-project/executor:v1.14.0-debug
     entrypoint: [""]
   needs:
+    - check_against_dp3_sha
     - compile_app_server
     - compile_app_client
   before_script:
     - *setup_aws_vars_dp3
     - *setup_release_dp3
     - *kaniko_before_setup
   script:
+    - |
+      if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then
+        echo "Deploy halted due to SHA check failure.";
+        exit 0;
     - echo "Building tasks Docker image..."
     - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/${TASK_DOCKER_FILE}" --destination "${ECR_REPOSITORY_URI}/app-tasks:git-$CI_COMMIT_SHORT_SHA"
   after_script:
@@ -1378,9 +1415,14 @@ push_otel_collector_image_dp3:
     name: $DOCKER_BASE_IMAGE
     entrypoint: [""]
   needs:
+    - check_against_dp3_sha
     - compile_app_server
     - compile_app_client
   script:
+    - |
+      if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then
+        echo "Deploy halted due to SHA check failure.";
+        exit 0;
     - echo "Logging in to DockerHub with Crane..."
     - echo "${DOCKERHUB_PASSWORD}" | crane auth login docker.io -u "${DOCKERHUB_USERNAME}" --password-stdin
 
@@ -1411,6 +1453,7 @@ deploy_migrations_dp3:
     name: $DOCKER_APP_IMAGE
     entrypoint: [""]
   needs:
+    - check_against_dp3_sha
     - push_otel_collector_image_dp3
     - build_push_migrations_dp3
     - compile_app_server
@@ -1419,6 +1462,10 @@ deploy_migrations_dp3:
     - *setup_aws_vars_dp3
     - *setup_release_dp3
   script:
+    - |
+      if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then
+        echo "Deploy halted due to SHA check failure.";
+        exit 0;
     # Step 1: Get the Digest
     - echo "Getting Digest from AWS"
     - export ECR_DIGEST=$(aws ecr describe-images --repository-name app-migrations --image-ids imageTag=git-$CI_COMMIT_SHORT_SHA --query 'imageDetails[0].imageDigest' --output text)
@@ -1443,6 +1490,7 @@ deploy_tasks_dp3:
     name: $DOCKER_APP_IMAGE
     entrypoint: [""]
   needs:
+    - check_against_dp3_sha
     - deploy_migrations_dp3
     - build_push_tasks_dp3
     - compile_app_server
@@ -1451,6 +1499,10 @@ deploy_tasks_dp3:
     - *setup_aws_vars_dp3
     - *setup_release_dp3
   script:
+    - |
+      if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then
+        echo "Deploy halted due to SHA check failure.";
+        exit 0;
     - echo "Getting Digest from AWS"
     - export ECR_DIGEST=$(aws ecr describe-images --repository-name app-tasks --image-ids imageTag=git-$CI_COMMIT_SHORT_SHA --query 'imageDetails[0].imageDigest' --output text)
     - echo "Deploying GHC fuel price data task service"
@@ -1472,6 +1524,7 @@ deploy_app_client_tls_dp3:
     name: $DOCKER_APP_IMAGE
     entrypoint: [""]
   needs:
+    - check_against_dp3_sha
     - deploy_migrations_dp3
     - push_otel_collector_image_dp3
     - compile_app_server
@@ -1484,6 +1537,10 @@ deploy_app_client_tls_dp3:
     - *setup_tls_vars_dp3
     - *setup_release_dp3
   script:
+    - |
+      if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then
+        echo "Deploy halted due to SHA check failure.";
+        exit 0;
     # - echo "Comparing against deployed commit"
     # - ./scripts/compare-deployed-commit "" $CI_COMMIT_SHA ${TLS_KEY} ${TLS_CERT} ${TLS_CA}
     - echo "Getting Digest from AWS"
@@ -1514,6 +1571,7 @@ deploy_app_dp3:
     name: $DOCKER_APP_IMAGE
     entrypoint: [""]
   needs:
+    - check_against_dp3_sha
     - build_push_app_dp3
     - deploy_migrations_dp3
     - compile_app_server
@@ -1526,6 +1584,10 @@ deploy_app_dp3:
     - *setup_aws_vars_dp3
     - *setup_release_dp3
   script:
+    - |
+      if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then
+        echo "Deploy halted due to SHA check failure.";
+        exit 0;
     - echo "Comparing against deployed commit"
     # - ./scripts/compare-deployed-commit "" "$CI_COMMIT_SHA" "$TLS_KEY" "$TLS_CERT" "$TLS_CA"
     - echo "Creating .go-version file if not already present"

diff --git a/scripts/compare-deployed-commit b/scripts/compare-deployed-commit
@@ -34,19 +34,25 @@ fi
 if [[ "${deployed_commit}" == "${local_commit}" ]]; then
   echo "* Deployed commit ($deployed_commit) is the local commit ($local_commit)."
   echo "* Deploy can continue."
+  echo "success" > sha_check_status
   exit 0
 # See pattern at https://git-scm.com/docs/git-merge-base
 elif git merge-base --is-ancestor "$deployed_commit" "$local_commit"; then
   echo "* Deployed commit ($deployed_commit) is an ancestor of the local commit ($local_commit)."
   echo "* Deploy can continue."
+  echo "success" > sha_check_status
   exit 0
 else
-  echo "* Deployed commit ($deployed_commit) is not an ancestor of the local commit ($local_commit)."
+  echo "* Deployed commit ($deployed_commit) is NOT ancestor of the local commit ($local_commit)."
   echo "* The deployed commit is either ahead of the local commit or the commits have different histories."
   echo "* Deploy is blocked."
-  if [ -n "${CIRCLECI+x}" ]; then
-    circleci-agent step halt
-  else
-    exit 1
+
+  # Ensure a status file is always written
+  echo "failed" > sha_check_status
+
+if [ -n "${GITLAB_CI+x}" ]; then
+  exit 0  # Prevents the job from failing but stops deployment
+else
+  exit 1  # Fails locally if not running in GitLab
   fi
 fi