ci: move image promotion to merge workflow (#1604)

.github/workflows/.deploy.yml

@@ -5,7 +5,7 @@ on:
     inputs:
       ### Required
       target:
-        description: 'PR number, test or prod.'
+        description: 'PR number, test or prod'
         required: true
         type: string
 
@@ -51,9 +51,8 @@ jobs:
         working-directory: ${{ inputs.directory }}
         shell: bash
         run: |
-          # Login to OpenShift (NOTE: project command is a safeguard)
           oc login --token=${{ secrets.oc_token }} --server=${{ vars.oc_server }}
-          oc project ${{ vars.oc_namespace }}
+          oc project ${{ vars.OC_NAMESPACE }} # Safeguard!
 
           # Interrupt any previous jobs (status = pending-upgrade)
           PREVIOUS=$(helm status ${{ github.event.repository.name }}-${{ inputs.target }} -o json | jq .info.status || true)

.github/workflows/.merge.yml

@@ -2,8 +2,30 @@ name: .Merge
 
 on:
   workflow_call:
+    inputs:
+      promote:
+        description: 'PR number to promote'
+        required: true
+        type: string
 
 jobs:
+  promote-test:
+    name: Promote Images
+    runs-on: ubuntu-22.04
+    permissions:
+      packages: write
+    strategy:
+      matrix:
+        package: [migrations, backend, frontend]
+    timeout-minutes: 2
+    steps:
+      - uses: shrink/actions-docker-registry-tag@v3
+        with:
+          registry: ghcr.io
+          repository: ${{ github.repository }}/${{ matrix.package }}
+          target: ${{ inputs.promote }}
+          tags: test
+
   semver:
     name: Semantic Version
     outputs:
@@ -12,15 +34,17 @@ jobs:
     timeout-minutes: 1
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+
       - name: Conventional Changelog Update
         uses: TriPSs/conventional-changelog-action@v4
         id: semver
         with:
-          git-branch: refs/heads/${{ github.head_ref }}
+          git-branch: refs/heads/${{ github.event.repository.default_branch }}
           git-push: "false"
           github-token: ${{ github.token }}
           skip-commit: "true"
-          skip-on-empty: "false"
           skip-version-file: "true"
 
       - name: Create Tags
@@ -29,10 +53,10 @@ jobs:
           git tag ${{ steps.changelog.outputs.tag }}
           git push origin --tag
 
-  deploys-test:
-    name: Deploys (test)
+  deploy-test:
+    name: Deploy (test)
     if: ${{ needs.semver.outputs.tag != '' }}
-    needs: [semver]
+    needs: [promote-test, semver]
     uses: ./.github/workflows/.deploy.yml
     secrets: inherit
     with:
@@ -41,23 +65,23 @@ jobs:
 
   integration-e2e:
     name: Integration and E2E Tests
-    needs: [deploys-test]
+    needs: [deploy-test]
     uses: ./.github/workflows/.tests.yml
     with:
       target: test
 
-  deploys-prod:
-    name: Deploys (prod)
+  deploy-prod:
+    name: Deploy (prod)
     needs: [integration-e2e]
     uses: ./.github/workflows/.deploy.yml
     secrets: inherit
     with:
       tag: test
       target: prod
 
-  tag-images:
+  promote-prod:
     name: Tag Images
-    needs: [deploys-prod]
+    needs: [deploy-prod]
     runs-on: ubuntu-22.04
     permissions:
       packages: write

.github/workflows/.tests.yml

@@ -5,7 +5,7 @@ on:
     inputs:
       ### Required
       target:
-        description: 'PR number, test or prod.'
+        description: 'PR number, test or prod'
         required: true
         type: string
 

.github/workflows/pr-close.yml

@@ -2,7 +2,6 @@ name: PR Closed
 
 on:
   pull_request:
-    branches: [main]
     types: [closed]
 
 concurrency:
@@ -15,44 +14,28 @@ jobs:
   cleanup-openshift:
     name: Cleanup OpenShift
     env:
-      name: ${{ github.event.repository.name }}-${{ github.event.number }}
+      deployment: ${{ github.event.repository.name }}-${{ github.event.number }}
     runs-on: ubuntu-22.04
     timeout-minutes: 10
     steps:
       - name: Remove OpenShift artifacts
         run: |
           oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
-          oc project ${{ vars.OC_NAMESPACE }}
+          oc project ${{ vars.OC_NAMESPACE }} # Safeguard!
 
           # If found, then remove
-          helm status ${{ env.name }} && helm uninstall --no-hooks ${{ env.name }} || \
-            echo "Not found: ${{ env.name }}"
+          helm status ${{ env.deployment }} && helm uninstall --no-hooks ${{ env.deployment }} || \
+            echo "Not found: ${{ env.deployment }}"
 
           # Remove Bitnami Crunchy PVCs
-          oc delete pvc data-${{ github.event.repository.name }}-${{ github.event.number }}-bitnami-pg-0
-
-  # If merged into main, then handle any image promotions
-  tag-images:
-    name: Tag Images
-    if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main'
-    runs-on: ubuntu-22.04
-    permissions:
-      packages: write
-    strategy:
-      matrix:
-        package: [migrations, backend, frontend]
-    timeout-minutes: 2
-    steps:
-      - uses: shrink/actions-docker-registry-tag@v3
-        with:
-          registry: ghcr.io
-          repository: ${{ github.repository }}/${{ matrix.package }}
-          target: ${{ github.event.number }}
-          tags: test
+          oc delete pvc data-${{ env.deployment }}-bitnami-pg-0
 
   # https://github.com/bcgov-nr/action-deployer-openshift
   merge:
     name: Merge
-    needs: [tag-images]
+    if: github.event.pull_request.base.ref == github.event.repository.default_branch &&
+      github.event.pull_request.merged == true
     uses: ./.github/workflows/.merge.yml
     secrets: inherit
+    with:
+      promote: ${{ github.event.number }}

.github/workflows/scheduled.yml

@@ -82,11 +82,8 @@ jobs:
     steps:
       - name: Clean up Helm Releases
         run: |
-          # Clean up Helm Releases
-
-          # Login to OpenShift (NOTE: project command is a safeguard)
           oc login --token=${{ secrets.OC_TOKEN }} --server=${{ vars.OC_SERVER }}
-          oc project ${{ vars.OC_NAMESPACE }}
+          oc project ${{ vars.OC_NAMESPACE }} # Safeguard!
 
           # Echos
           echo "Delete stale Helm releases"