NationTech/harmony
3
0
Fork 2
Code Issues 38 Pull Requests 29 Actions Packages Projects Releases 1 Wiki Activity

ci(fleet): release pipeline on tag (minimal) #308

Merged
johnride merged 1 commits from ci/fleet-cd-pipeline-min into master 2026-05-29 01:28:20 +00:00
Conversation 0 Commits 1 Files Changed 2 +100 -23
2 changed files with 100 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
.gitea/workflows/harmony-fleet-operator.yaml
View File

@@ -1,12 +1,23 @@
name: Build and push harmony-fleet-operator image name: harmony-fleet-operator — release
# A `harmony-fleet-operator-v*` tag builds + publishes the operator image
# and helm chart (one tag → both at the same version). Deploying the
# published chart is `harmony apply`
# (harmony-fleet-deploy --operator-chart-version), run manually today; a
# CD job lands once the cluster KUBECONFIG + NATS secrets are provisioned.
# Tag parsing lives in Rust (harmony-fleet-release), not in YAML.
on: on:
push: push:
branches: tags:
- master - 'harmony-fleet-operator-v*'
workflow_dispatch: workflow_dispatch:
inputs:
tag:
description: 'Release tag, e.g. harmony-fleet-operator-v0.1.0'
required: true
type: string
jobs: jobs:
build_and_push: release:
container: container:
image: hub.nationtech.io/harmony/harmony_composer:latest image: hub.nationtech.io/harmony/harmony_composer:latest
runs-on: dind runs-on: dind
@@ -14,7 +25,7 @@ jobs:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Log in to hub.nationtech.io - name: Log in to hub.nationtech.io (docker)
uses: docker/login-action@v3 uses: docker/login-action@v3
with: with:
registry: hub.nationtech.io registry: hub.nationtech.io
@@ -24,21 +35,17 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
# Build context is the workspace root because the operator's # TODO: bake helm into harmony_composer so this step disappears.
# Cargo.toml has `path = "../../harmony"` deps. The multi-stage - name: Install helm
# Dockerfile runs `cargo build` itself inside a pinned rust run: curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# image, so no host-side cargo step is needed.
# - name: Log in to hub.nationtech.io (helm OCI)
# TODO: add buildx layer caching. Each run currently recompiles run: |
# the whole `harmony` workspace from scratch in the builder echo "${{ secrets.HUB_BOT_PASSWORD }}" \
# stage. Add `cache-from: type=gha` + `cache-to: type=gha,mode=max` | helm registry login hub.nationtech.io \
# below once build time becomes the bottleneck. If layer cache --username "${{ secrets.HUB_BOT_USER }}" --password-stdin
# alone isn't enough, consider splitting the Dockerfile with
# cargo-chef (no other crate in this repo does that yet). - name: Build + push image and chart
- name: Build and push env:
uses: docker/build-push-action@v6 TAG: ${{ inputs.tag || github.ref_name }}
with: run: cargo run --release -p harmony-fleet-deploy --bin harmony-fleet-release -- --from-tag "$TAG"
context: .
file: fleet/harmony-fleet-operator/Dockerfile
push: true
tags: hub.nationtech.io/harmony/harmony-fleet-operator:latest

70
fleet/deployment-process.md Normal file
View File

@@ -0,0 +1,70 @@
# Fleet operator — release & deploy
How the operator ships: build + publish a versioned image and helm
chart, then `harmony apply` (a plain `helm upgrade --install` of that
published chart). No Argo, no GitOps controller — Harmony owns the loop
(ADR-012-2). CD is **roll-forward only**: to back out a bad release,
deploy a previous good version.
## 1. Cut a release (automated on tag)
```sh
git tag harmony-fleet-operator-v0.0.2 && git push --tags
```
The `harmony-fleet-operator` workflow builds the image and the hydrated
helm chart and pushes both to `hub.nationtech.io` at `0.0.2`. No human
touches a Dockerfile, chart, or registry.
Laptop fallback (does exactly what the workflow's job does):
```sh
# docker + helm must be logged in to hub.nationtech.io first.
cargo run --release -p harmony-fleet-deploy --bin harmony-fleet-release -- \
--from-tag harmony-fleet-operator-v0.0.2
# build + package only, no push (local k3d smoke-test):
cargo run -p harmony-fleet-deploy --bin harmony-fleet-release -- \
--from-tag harmony-fleet-operator-v0.0.2 --no-push
```
## 2. Deploy a published version (`harmony apply`)
`--operator-chart-version` switches the operator to install the
published `oci://hub.nationtech.io/harmony/harmony-fleet-operator:0.0.2`
chart instead of rendering one from local source. Same command
bootstraps and upgrades; re-running with the same version is a no-op.
```sh
export HARMONY_FLEET_NATS_ADMIN_USER=HARMONY_FLEET_NATS_ADMIN_PASS=
export HARMONY_FLEET_NATS_DEVICE_USER=HARMONY_FLEET_NATS_DEVICE_PASS=
harmony-fleet-deploy \
--filter FleetOperatorScore \
--operator-chart-version 0.0.2 \
--namespace fleet-system \
--yes
```
## 3. Roll forward
Same command, a newer (or previous-good) version:
```sh
harmony-fleet-deploy --filter FleetOperatorScore --operator-chart-version 0.0.3 --namespace fleet-system --yes
```
`helm upgrade --install` applies it and fails loudly if convergence
fails — no automatic rollback. Fix the spec, bump, re-run.
## Automated vs. manual
| Step | Where |
|---|---|
| Build + push image + chart on tag | CI (`release` job) |
| Deploy a published version + roll forward | Manual `harmony apply` (above) |
A staging-auto / production-gated CD job is a follow-up — it needs the
cluster `KUBECONFIG` + NATS secrets provisioned, which is out of scope
for the initial CD branch (ADR-012-2). The release job is fully
functional today.