From fb2a1eddf141f441bf5e6acf72992d58ce6c74f0 Mon Sep 17 00:00:00 2001 From: Prox Date: Fri, 6 Mar 2026 17:56:58 +0200 Subject: [PATCH 1/5] added test setup key --- state/test.json | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/state/test.json b/state/test.json index f8b2737..30d270a 100644 --- a/state/test.json +++ b/state/test.json @@ -12,18 +12,21 @@ "type": "one-off", "expires_in": 604800, "usage_limit": 1, - "auto_groups": [ - "ground-stations" - ], + "auto_groups": ["ground-stations"], "enrolled": false }, "Pilot-TestHawk-1": { "type": "one-off", "expires_in": 604800, "usage_limit": 1, - "auto_groups": [ - "pilots" - ], + "auto_groups": ["pilots"], + "enrolled": false + }, + "Pilot-Vlad-2": { + "type": "one-off", + "expires_in": 604800, + "usage_limit": 1, + "auto_groups": ["pilots"], "enrolled": false } }, @@ -31,12 +34,8 @@ "pilots-to-gs": { "description": "", "enabled": true, - "sources": [ - "pilots" - ], - "destinations": [ - "ground-stations" - ], + "sources": ["pilots"], + "destinations": ["ground-stations"], "bidirectional": true, "protocol": "all", "action": "accept", From f1be3874bbc2b3ef8dc1993992a846ec133d82ee Mon Sep 17 00:00:00 2001 From: Prox Date: Fri, 6 Mar 2026 18:00:08 +0200 Subject: [PATCH 2/5] updated dry-run.yml and reconcile jobs --- .gitea/workflows/dry-run.yml | 58 ++++++++++++++++++---------------- .gitea/workflows/reconcile.yml | 21 ++++++------ 2 files changed, 41 insertions(+), 38 deletions(-) diff --git a/.gitea/workflows/dry-run.yml b/.gitea/workflows/dry-run.yml index ac87d1f..e1a1a63 100644 --- a/.gitea/workflows/dry-run.yml +++ b/.gitea/workflows/dry-run.yml @@ -19,11 +19,12 @@ jobs: id: changed run: | FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} -- 'state/*.json') - ENVS="[]" - for f in $FILES; do - ENV=$(basename "$f" .json) - ENVS=$(echo "$ENVS" | jq -c ". + [\"$ENV\"]") - done + ENVS=$(python3 -c " + import os, json + files = '''$FILES'''.strip().split('\n') + envs = [os.path.basename(f).replace('.json','') for f in files if f.strip()] + print(json.dumps(envs)) + ") echo "envs=$ENVS" >> "$GITHUB_OUTPUT" echo "Changed environments: $ENVS" @@ -65,16 +66,24 @@ jobs: echo "$RESPONSE" >> "$GITHUB_OUTPUT" echo "EOF" >> "$GITHUB_OUTPUT" - - name: Format plan as markdown - id: format + - name: Format and post PR comment if: steps.plan.outputs.response != '{}' + env: + GIT_TOKEN: ${{ secrets.GIT_TOKEN }} + GIT_URL: ${{ secrets.GIT_URL }} + RESPONSE: ${{ steps.plan.outputs.response }} + ENV_NAME: ${{ matrix.env }} + REPO: ${{ github.repository }} + PR_NUMBER: ${{ github.event.pull_request.number }} run: | - cat <<'SCRIPT' > format.py - import json, sys - data = json.loads(sys.stdin.read()) + python3 <<'SCRIPT' + import json, os, urllib.request, urllib.parse + + data = json.loads(os.environ["RESPONSE"]) ops = data.get("operations", []) summary = data.get("summary", {}) - env = sys.argv[1] + env = os.environ["ENV_NAME"] + lines = [f"## Reconciliation Plan: `{env}`\n"] if not ops: lines.append("No changes detected.\n") @@ -86,21 +95,14 @@ jobs: lines.append("") s = summary lines.append(f"**Summary:** {s.get('created',0)} create, {s.get('updated',0)} update, {s.get('deleted',0)} delete") - print("\n".join(lines)) - SCRIPT - COMMENT=$(echo '${{ steps.plan.outputs.response }}' | python3 format.py "${{ matrix.env }}") - echo "comment<> "$GITHUB_OUTPUT" - echo "$COMMENT" >> "$GITHUB_OUTPUT" - echo "EOF" >> "$GITHUB_OUTPUT" - - name: Post PR comment - if: steps.plan.outputs.response != '{}' - env: - GIT_TOKEN: ${{ secrets.GIT_TOKEN }} - run: | - curl -sf \ - -X POST \ - -H "Authorization: token ${GIT_TOKEN}" \ - -H "Content-Type: application/json" \ - -d "{\"body\": $(echo '${{ steps.format.outputs.comment }}' | jq -Rs .)}" \ - "${{ secrets.GIT_URL }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" + comment = "\n".join(lines) + url = f"{os.environ['GIT_URL']}/api/v1/repos/{os.environ['REPO']}/issues/{os.environ['PR_NUMBER']}/comments" + body = json.dumps({"body": comment}).encode() + req = urllib.request.Request(url, data=body, method="POST", headers={ + "Authorization": f"token {os.environ['GIT_TOKEN']}", + "Content-Type": "application/json", + }) + urllib.request.urlopen(req) + print(f"Posted comment to PR #{os.environ['PR_NUMBER']}") + SCRIPT diff --git a/.gitea/workflows/reconcile.yml b/.gitea/workflows/reconcile.yml index c4ccb8a..3c3003a 100644 --- a/.gitea/workflows/reconcile.yml +++ b/.gitea/workflows/reconcile.yml @@ -21,11 +21,12 @@ jobs: id: changed run: | FILES=$(git diff --name-only HEAD~1 HEAD -- 'state/*.json') - ENVS="[]" - for f in $FILES; do - ENV=$(basename "$f" .json) - ENVS=$(echo "$ENVS" | jq -c ". + [\"$ENV\"]") - done + ENVS=$(python3 -c " + import os, json + files = '''$FILES'''.strip().split('\n') + envs = [os.path.basename(f).replace('.json','') for f in files if f.strip()] + print(json.dumps(envs)) + ") echo "envs=$ENVS" >> "$GITHUB_OUTPUT" echo "Changed environments: $ENVS" @@ -80,10 +81,10 @@ jobs: echo "$RESPONSE" >> "$GITHUB_OUTPUT" echo "EOF" >> "$GITHUB_OUTPUT" - STATUS=$(echo "$RESPONSE" | jq -r '.status') + STATUS=$(python3 -c "import json,sys; print(json.loads(sys.stdin.read()).get('status','ok'))" <<< "$RESPONSE") if [ "$STATUS" = "error" ]; then echo "Reconcile failed for ${{ matrix.env }}" - echo "$RESPONSE" | jq . + python3 -m json.tool <<< "$RESPONSE" exit 1 fi @@ -91,14 +92,14 @@ jobs: if: success() env: AGE_PUBLIC_KEY: ${{ secrets[steps.env.outputs.age_key] }} + RESPONSE: ${{ steps.reconcile.outputs.response }} run: | - KEYS=$(echo '${{ steps.reconcile.outputs.response }}' | jq -r '.created_keys // empty') - if [ -n "$KEYS" ] && [ "$KEYS" != "{}" ] && [ "$KEYS" != "null" ] && [ -n "$AGE_PUBLIC_KEY" ]; then + KEYS=$(python3 -c "import json,os; d=json.loads(os.environ['RESPONSE']); k=d.get('created_keys'); print(json.dumps(k) if k and k != {} else '')") + if [ -n "$KEYS" ] && [ -n "$AGE_PUBLIC_KEY" ]; then echo "$KEYS" | age -r "$AGE_PUBLIC_KEY" -o setup-keys-${{ matrix.env }}.age echo "Setup keys for ${{ matrix.env }} encrypted" else echo "No new keys created for ${{ matrix.env }}" - exit 0 fi - name: Upload artifact From c6f4ae96144f756e4f22d94ee66212d09deed414 Mon Sep 17 00:00:00 2001 From: Prox Date: Fri, 6 Mar 2026 18:04:17 +0200 Subject: [PATCH 3/5] improved jobs --- .gitea/workflows/dry-run.yml | 130 ++++++++++++++++--------------- .gitea/workflows/reconcile.yml | 137 +++++++++++++++++---------------- 2 files changed, 142 insertions(+), 125 deletions(-) diff --git a/.gitea/workflows/dry-run.yml b/.gitea/workflows/dry-run.yml index e1a1a63..0b80444 100644 --- a/.gitea/workflows/dry-run.yml +++ b/.gitea/workflows/dry-run.yml @@ -32,77 +32,87 @@ jobs: needs: detect runs-on: ubuntu-latest if: needs.detect.outputs.envs != '[]' - strategy: - matrix: - env: ${{ fromJson(needs.detect.outputs.envs) }} steps: - uses: actions/checkout@v4 - - name: Resolve environment secrets - id: env - run: | - ENV_UPPER=$(echo "${{ matrix.env }}" | tr '[:lower:]-' '[:upper:]_') - echo "token_key=${ENV_UPPER}_RECONCILER_TOKEN" >> "$GITHUB_OUTPUT" - echo "url_key=${ENV_UPPER}_RECONCILER_URL" >> "$GITHUB_OUTPUT" - - - name: Run dry-run reconcile - id: plan - env: - RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }} - RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }} - run: | - if [ -z "$RECONCILER_URL" ] || [ -z "$RECONCILER_TOKEN" ]; then - echo "No secrets configured for environment '${{ matrix.env }}' — skipping" - echo "response={}" >> "$GITHUB_OUTPUT" - exit 0 - fi - RESPONSE=$(curl -sf \ - -X POST \ - -H "Authorization: Bearer ${RECONCILER_TOKEN}" \ - -H "Content-Type: application/json" \ - -d @state/${{ matrix.env }}.json \ - "${RECONCILER_URL}/reconcile?dry_run=true") - echo "response<> "$GITHUB_OUTPUT" - echo "$RESPONSE" >> "$GITHUB_OUTPUT" - echo "EOF" >> "$GITHUB_OUTPUT" - - - name: Format and post PR comment - if: steps.plan.outputs.response != '{}' + - name: Run dry-run for each changed environment env: + ENVS: ${{ needs.detect.outputs.envs }} + TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }} + TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }} + DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }} + DEV_RECONCILER_URL: ${{ secrets.DEV_RECONCILER_URL }} + PROD_RECONCILER_TOKEN: ${{ secrets.PROD_RECONCILER_TOKEN }} + PROD_RECONCILER_URL: ${{ secrets.PROD_RECONCILER_URL }} GIT_TOKEN: ${{ secrets.GIT_TOKEN }} GIT_URL: ${{ secrets.GIT_URL }} - RESPONSE: ${{ steps.plan.outputs.response }} - ENV_NAME: ${{ matrix.env }} REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }} run: | python3 <<'SCRIPT' - import json, os, urllib.request, urllib.parse + import json, os, urllib.request - data = json.loads(os.environ["RESPONSE"]) - ops = data.get("operations", []) - summary = data.get("summary", {}) - env = os.environ["ENV_NAME"] + envs = json.loads(os.environ["ENVS"]) - lines = [f"## Reconciliation Plan: `{env}`\n"] - if not ops: - lines.append("No changes detected.\n") - else: - lines.append("| Operation | Name |") - lines.append("|-----------|------|") - for op in ops: - lines.append(f"| `{op['type']}` | {op['name']} |") - lines.append("") - s = summary - lines.append(f"**Summary:** {s.get('created',0)} create, {s.get('updated',0)} update, {s.get('deleted',0)} delete") + for env in envs: + key = env.upper().replace("-", "_") + token = os.environ.get(f"{key}_RECONCILER_TOKEN", "") + url = os.environ.get(f"{key}_RECONCILER_URL", "") - comment = "\n".join(lines) - url = f"{os.environ['GIT_URL']}/api/v1/repos/{os.environ['REPO']}/issues/{os.environ['PR_NUMBER']}/comments" - body = json.dumps({"body": comment}).encode() - req = urllib.request.Request(url, data=body, method="POST", headers={ - "Authorization": f"token {os.environ['GIT_TOKEN']}", - "Content-Type": "application/json", - }) - urllib.request.urlopen(req) - print(f"Posted comment to PR #{os.environ['PR_NUMBER']}") + if not token or not url: + print(f"No secrets for '{env}' — skipping") + continue + + # Call reconciler dry-run + with open(f"state/{env}.json", "rb") as f: + state_data = f.read() + + req = urllib.request.Request( + f"{url}/reconcile?dry_run=true", + data=state_data, + method="POST", + headers={ + "Authorization": f"Bearer {token}", + "Content-Type": "application/json", + }, + ) + try: + resp = urllib.request.urlopen(req) + data = json.loads(resp.read()) + except Exception as e: + print(f"Reconciler call failed for '{env}': {e}") + continue + + # Format as markdown + ops = data.get("operations", []) + summary = data.get("summary", {}) + lines = [f"## Reconciliation Plan: `{env}`\n"] + if not ops: + lines.append("No changes detected.\n") + else: + lines.append("| Operation | Name |") + lines.append("|-----------|------|") + for op in ops: + lines.append(f"| `{op['type']}` | {op['name']} |") + lines.append("") + lines.append( + f"**Summary:** {summary.get('created',0)} create, " + f"{summary.get('updated',0)} update, " + f"{summary.get('deleted',0)} delete" + ) + comment = "\n".join(lines) + print(comment) + + # Post PR comment + git_token = os.environ.get("GIT_TOKEN", "") + git_url = os.environ.get("GIT_URL", "") + if git_token and git_url: + api_url = f"{git_url}/api/v1/repos/{os.environ['REPO']}/issues/{os.environ['PR_NUMBER']}/comments" + body = json.dumps({"body": comment}).encode() + req = urllib.request.Request(api_url, data=body, method="POST", headers={ + "Authorization": f"token {git_token}", + "Content-Type": "application/json", + }) + urllib.request.urlopen(req) + print(f"Posted comment to PR #{os.environ['PR_NUMBER']}") SCRIPT diff --git a/.gitea/workflows/reconcile.yml b/.gitea/workflows/reconcile.yml index 3c3003a..046c305 100644 --- a/.gitea/workflows/reconcile.yml +++ b/.gitea/workflows/reconcile.yml @@ -34,78 +34,85 @@ jobs: needs: detect runs-on: ubuntu-latest if: needs.detect.outputs.envs != '[]' - strategy: - matrix: - env: ${{ fromJson(needs.detect.outputs.envs) }} steps: - uses: actions/checkout@v4 - - name: Resolve environment secrets - id: env - run: | - ENV_UPPER=$(echo "${{ matrix.env }}" | tr '[:lower:]-' '[:upper:]_') - echo "token_key=${ENV_UPPER}_RECONCILER_TOKEN" >> "$GITHUB_OUTPUT" - echo "url_key=${ENV_UPPER}_RECONCILER_URL" >> "$GITHUB_OUTPUT" - echo "age_key=${ENV_UPPER}_AGE_PUBLIC_KEY" >> "$GITHUB_OUTPUT" - - - name: Sync events + - name: Reconcile each changed environment env: - RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }} - RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }} + ENVS: ${{ needs.detect.outputs.envs }} + TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }} + TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }} + DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }} + DEV_RECONCILER_URL: ${{ secrets.DEV_RECONCILER_URL }} + PROD_RECONCILER_TOKEN: ${{ secrets.PROD_RECONCILER_TOKEN }} + PROD_RECONCILER_URL: ${{ secrets.PROD_RECONCILER_URL }} run: | - if [ -z "$RECONCILER_URL" ] || [ -z "$RECONCILER_TOKEN" ]; then - echo "No secrets configured for environment '${{ matrix.env }}' — skipping" - exit 0 - fi - curl -sf \ - -X POST \ - -H "Authorization: Bearer ${RECONCILER_TOKEN}" \ - "${RECONCILER_URL}/sync-events" + python3 <<'SCRIPT' + import json, os, urllib.request, sys - - name: Pull latest (poller may have committed) - run: git pull --rebase + envs = json.loads(os.environ["ENVS"]) + failed = [] - - name: Apply reconcile - id: reconcile - env: - RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }} - RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }} - run: | - RESPONSE=$(curl -sf \ - -X POST \ - -H "Authorization: Bearer ${RECONCILER_TOKEN}" \ - -H "Content-Type: application/json" \ - -d @state/${{ matrix.env }}.json \ - "${RECONCILER_URL}/reconcile") - echo "response<> "$GITHUB_OUTPUT" - echo "$RESPONSE" >> "$GITHUB_OUTPUT" - echo "EOF" >> "$GITHUB_OUTPUT" + for env in envs: + key = env.upper().replace("-", "_") + token = os.environ.get(f"{key}_RECONCILER_TOKEN", "") + url = os.environ.get(f"{key}_RECONCILER_URL", "") - STATUS=$(python3 -c "import json,sys; print(json.loads(sys.stdin.read()).get('status','ok'))" <<< "$RESPONSE") - if [ "$STATUS" = "error" ]; then - echo "Reconcile failed for ${{ matrix.env }}" - python3 -m json.tool <<< "$RESPONSE" - exit 1 - fi + if not token or not url: + print(f"No secrets for '{env}' — skipping") + continue - - name: Encrypt and upload setup keys - if: success() - env: - AGE_PUBLIC_KEY: ${{ secrets[steps.env.outputs.age_key] }} - RESPONSE: ${{ steps.reconcile.outputs.response }} - run: | - KEYS=$(python3 -c "import json,os; d=json.loads(os.environ['RESPONSE']); k=d.get('created_keys'); print(json.dumps(k) if k and k != {} else '')") - if [ -n "$KEYS" ] && [ -n "$AGE_PUBLIC_KEY" ]; then - echo "$KEYS" | age -r "$AGE_PUBLIC_KEY" -o setup-keys-${{ matrix.env }}.age - echo "Setup keys for ${{ matrix.env }} encrypted" - else - echo "No new keys created for ${{ matrix.env }}" - fi + # Sync events first + try: + req = urllib.request.Request( + f"{url}/sync-events", method="POST", + headers={"Authorization": f"Bearer {token}"}, + ) + urllib.request.urlopen(req) + print(f"[{env}] Synced events") + except Exception as e: + print(f"[{env}] Sync events failed (non-fatal): {e}") - - name: Upload artifact - if: success() - uses: actions/upload-artifact@v4 - with: - name: setup-keys-${{ matrix.env }} - path: setup-keys-${{ matrix.env }}.age - if-no-files-found: ignore + # Apply reconcile + with open(f"state/{env}.json", "rb") as f: + state_data = f.read() + + req = urllib.request.Request( + f"{url}/reconcile", + data=state_data, + method="POST", + headers={ + "Authorization": f"Bearer {token}", + "Content-Type": "application/json", + }, + ) + try: + resp = urllib.request.urlopen(req) + data = json.loads(resp.read()) + except Exception as e: + print(f"[{env}] Reconcile FAILED: {e}") + failed.append(env) + continue + + status = data.get("status", "ok") + if status == "error": + print(f"[{env}] Reconcile returned error:") + print(json.dumps(data, indent=2)) + failed.append(env) + continue + + summary = data.get("summary", {}) + print(f"[{env}] Reconcile OK: " + f"{summary.get('created',0)} created, " + f"{summary.get('updated',0)} updated, " + f"{summary.get('deleted',0)} deleted") + + # Log created keys (names only, not values) + keys = data.get("created_keys", {}) + if keys: + print(f"[{env}] Created setup keys: {list(keys.keys())}") + + if failed: + print(f"\nFailed environments: {failed}") + sys.exit(1) + SCRIPT From 034de8fea1da2ee2afad10db10476a5e771eb273 Mon Sep 17 00:00:00 2001 From: Prox Date: Fri, 6 Mar 2026 18:07:48 +0200 Subject: [PATCH 4/5] updated dry-run job --- .gitea/workflows/dry-run.yml | 48 ++++++++++++++-------------------- .gitea/workflows/reconcile.yml | 45 ++++++++++++------------------- 2 files changed, 35 insertions(+), 58 deletions(-) diff --git a/.gitea/workflows/dry-run.yml b/.gitea/workflows/dry-run.yml index 0b80444..ca8f821 100644 --- a/.gitea/workflows/dry-run.yml +++ b/.gitea/workflows/dry-run.yml @@ -6,38 +6,17 @@ on: - "state/*.json" jobs: - detect: + dry-run: runs-on: ubuntu-latest - outputs: - envs: ${{ steps.changed.outputs.envs }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Detect changed environments - id: changed - run: | - FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} -- 'state/*.json') - ENVS=$(python3 -c " - import os, json - files = '''$FILES'''.strip().split('\n') - envs = [os.path.basename(f).replace('.json','') for f in files if f.strip()] - print(json.dumps(envs)) - ") - echo "envs=$ENVS" >> "$GITHUB_OUTPUT" - echo "Changed environments: $ENVS" - - dry-run: - needs: detect - runs-on: ubuntu-latest - if: needs.detect.outputs.envs != '[]' - steps: - - uses: actions/checkout@v4 - - - name: Run dry-run for each changed environment + - name: Dry-run reconcile for changed environments env: - ENVS: ${{ needs.detect.outputs.envs }} + BASE_SHA: ${{ github.event.pull_request.base.sha }} + HEAD_SHA: ${{ github.sha }} TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }} TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }} DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }} @@ -50,9 +29,20 @@ jobs: PR_NUMBER: ${{ github.event.pull_request.number }} run: | python3 <<'SCRIPT' - import json, os, urllib.request + import json, os, subprocess, urllib.request - envs = json.loads(os.environ["ENVS"]) + # Detect changed state files + diff = subprocess.run( + ["git", "diff", "--name-only", os.environ["BASE_SHA"], os.environ["HEAD_SHA"], "--", "state/*.json"], + capture_output=True, text=True, check=True, + ) + envs = [os.path.basename(f).replace(".json", "") for f in diff.stdout.strip().split("\n") if f.strip()] + + if not envs: + print("No state files changed") + exit(0) + + print(f"Changed environments: {envs}") for env in envs: key = env.upper().replace("-", "_") @@ -60,7 +50,7 @@ jobs: url = os.environ.get(f"{key}_RECONCILER_URL", "") if not token or not url: - print(f"No secrets for '{env}' — skipping") + print(f"[{env}] No secrets configured — skipping") continue # Call reconciler dry-run @@ -80,7 +70,7 @@ jobs: resp = urllib.request.urlopen(req) data = json.loads(resp.read()) except Exception as e: - print(f"Reconciler call failed for '{env}': {e}") + print(f"[{env}] Reconciler call failed: {e}") continue # Format as markdown diff --git a/.gitea/workflows/reconcile.yml b/.gitea/workflows/reconcile.yml index 046c305..116b82d 100644 --- a/.gitea/workflows/reconcile.yml +++ b/.gitea/workflows/reconcile.yml @@ -8,38 +8,15 @@ on: - "state/*.json" jobs: - detect: + reconcile: runs-on: ubuntu-latest - outputs: - envs: ${{ steps.changed.outputs.envs }} steps: - uses: actions/checkout@v4 with: fetch-depth: 2 - - name: Detect changed environments - id: changed - run: | - FILES=$(git diff --name-only HEAD~1 HEAD -- 'state/*.json') - ENVS=$(python3 -c " - import os, json - files = '''$FILES'''.strip().split('\n') - envs = [os.path.basename(f).replace('.json','') for f in files if f.strip()] - print(json.dumps(envs)) - ") - echo "envs=$ENVS" >> "$GITHUB_OUTPUT" - echo "Changed environments: $ENVS" - - reconcile: - needs: detect - runs-on: ubuntu-latest - if: needs.detect.outputs.envs != '[]' - steps: - - uses: actions/checkout@v4 - - - name: Reconcile each changed environment + - name: Reconcile changed environments env: - ENVS: ${{ needs.detect.outputs.envs }} TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }} TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }} DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }} @@ -48,9 +25,20 @@ jobs: PROD_RECONCILER_URL: ${{ secrets.PROD_RECONCILER_URL }} run: | python3 <<'SCRIPT' - import json, os, urllib.request, sys + import json, os, subprocess, urllib.request, sys - envs = json.loads(os.environ["ENVS"]) + # Detect changed state files + diff = subprocess.run( + ["git", "diff", "--name-only", "HEAD~1", "HEAD", "--", "state/*.json"], + capture_output=True, text=True, check=True, + ) + envs = [os.path.basename(f).replace(".json", "") for f in diff.stdout.strip().split("\n") if f.strip()] + + if not envs: + print("No state files changed") + exit(0) + + print(f"Changed environments: {envs}") failed = [] for env in envs: @@ -59,7 +47,7 @@ jobs: url = os.environ.get(f"{key}_RECONCILER_URL", "") if not token or not url: - print(f"No secrets for '{env}' — skipping") + print(f"[{env}] No secrets configured — skipping") continue # Sync events first @@ -107,7 +95,6 @@ jobs: f"{summary.get('updated',0)} updated, " f"{summary.get('deleted',0)} deleted") - # Log created keys (names only, not values) keys = data.get("created_keys", {}) if keys: print(f"[{env}] Created setup keys: {list(keys.keys())}") From 6ff1212f211f2f6f9224b61c9aaae76916c30fff Mon Sep 17 00:00:00 2001 From: Prox Date: Fri, 6 Mar 2026 18:16:13 +0200 Subject: [PATCH 5/5] markdown improvement --- .gitea/workflows/dry-run.yml | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/.gitea/workflows/dry-run.yml b/.gitea/workflows/dry-run.yml index ca8f821..393f39f 100644 --- a/.gitea/workflows/dry-run.yml +++ b/.gitea/workflows/dry-run.yml @@ -73,23 +73,34 @@ jobs: print(f"[{env}] Reconciler call failed: {e}") continue - # Format as markdown + # Format as markdown grouped by action ops = data.get("operations", []) summary = data.get("summary", {}) lines = [f"## Reconciliation Plan: `{env}`\n"] if not ops: lines.append("No changes detected.\n") else: - lines.append("| Operation | Name |") - lines.append("|-----------|------|") + groups = {"Create": [], "Update": [], "Delete": []} for op in ops: - lines.append(f"| `{op['type']}` | {op['name']} |") - lines.append("") - lines.append( - f"**Summary:** {summary.get('created',0)} create, " - f"{summary.get('updated',0)} update, " - f"{summary.get('deleted',0)} delete" - ) + t = op["type"] + if t.startswith("create"): groups["Create"].append(op) + elif t.startswith("delete"): groups["Delete"].append(op) + else: groups["Update"].append(op) + + for action, items in groups.items(): + if not items: + continue + emoji = {"Create": "+", "Update": "~", "Delete": "-"}[action] + lines.append(f"### {action} ({len(items)})\n") + lines.append("| Resource | Name |") + lines.append("|----------|------|") + for op in items: + resource = op["type"].split("_", 1)[1] if "_" in op["type"] else op["type"] + lines.append(f"| {resource} | {op['name']} |") + lines.append("") + + c, u, d = summary.get("created", 0), summary.get("updated", 0), summary.get("deleted", 0) + lines.append(f"**Total: {c} create, {u} update, {d} delete**") comment = "\n".join(lines) print(comment)