fix: use commit SHA instead of latest tag to prevent race condition in promote workflow

The promote workflow previously pulled :latest, which could be stale if the staging build hadn't finished yet. Now it pulls the exact :SHA image that deploy.yml produces, with retry logic (up to 10min) if staging is still building.
2026-02-20 16:01:03 +00:00 · 2026-02-20 16:01:03 +00:00 · e074562f73
commit e074562f73
parent e787923908
1 changed files with 31 additions and 10 deletions
--- a/.forgejo/workflows/promote.yml
+++ b/.forgejo/workflows/promote.yml
@ -11,18 +11,24 @@ jobs:
    runs-on: ubuntu-latest

    steps:
+    - name: Checkout code at tag
+      uses: actions/checkout@v4
+
    - name: Install kubectl
      run: |
        curl -sLO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
        chmod +x kubectl

-    - name: Get image from tag
+    - name: Get image info
      id: image
      run: |
-        # Tag format: v0.2.1 or v0.2.1-rc1
-        # The staging pipeline already pushed the image with the commit SHA
-        # We retag with the version tag for traceability
+        # Use the commit SHA instead of "latest" to avoid a race condition:
+        # The tag event can fire before the staging build (deploy.yml) finishes
+        # pushing the new "latest" image. By referencing the exact SHA that
+        # deploy.yml tags images with (${{ github.sha }}), we ensure we
+        # promote the correct build — and wait for it if it's still running.
        echo "tag=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+        echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

    - name: Login to Forgejo Registry
      uses: docker/login-action@v3
@ -31,13 +37,28 @@ jobs:
        username: openclawd
        password: ${{ secrets.REGISTRY_TOKEN }}

-    - name: Retag image for production
+    - name: Wait for staging image and retag for production
      run: |
-        # Pull latest staging image and tag with version
-        docker pull --platform linux/arm64 git.cloonar.com/openclawd/docfast:latest
-        docker tag git.cloonar.com/openclawd/docfast:latest \
-          git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }}
-        docker push git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }}
+        SHA_IMAGE="git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.sha }}"
+        PROD_IMAGE="git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }}"
+
+        # Wait for the SHA-tagged image (built by staging) to be available
+        for i in $(seq 1 20); do
+          echo "Attempt $i/20: pulling $SHA_IMAGE ..."
+          if docker pull --platform linux/arm64 "$SHA_IMAGE" 2>/dev/null; then
+            echo "✅ Image found!"
+            break
+          fi
+          if [ "$i" -eq 20 ]; then
+            echo "❌ Image not available after 10 minutes. Aborting."
+            exit 1
+          fi
+          echo "Image not ready yet, waiting 30s..."
+          sleep 30
+        done
+
+        docker tag "$SHA_IMAGE" "$PROD_IMAGE"
+        docker push "$PROD_IMAGE"

    - name: Deploy to Production
      run: |