feat(deploy): align Flux HelmReleases with build path + add image-tag PR bridge (#1097)

The build job in `deploy-azd.yml` already pushes images to the root-prefix
ACR path (`<acr>/<svc>:<sha>`) but every HelmRelease was still pinned to
the legacy `<acr>/holiday-peak-hub/<svc>-dev:azd-deploy-<ts>` path that
predates the Pattern A Flux migration (PR #1089). Flux therefore never saw
new images and the cluster kept running the April 4 build, even after the
direct-model migration merged.

Closes the gap:

* Re-points all 27 HelmReleases (26 agents + crud-service) at the real
  build path, pinned to `808d48227b08` — the current `main` SHA — so
  Flux reconciles the freshly tested images on merge.

* Adds an `open-image-tag-bump-pr` job that consumes the
  `tested-image-*` artifacts the build stage already produces, edits
  `.kubernetes/releases/{agents,crud}/<svc>.yaml` via
  `scripts/ci/update_helmrelease_image.py` (a surgical line-level edit,
  10/10 pylint, byte-identical idempotent), and opens (or refreshes) a
  `chore/image-bump-<env>-<sha12>` PR against the default branch. The
  bridge respects the GH013 main-branch ruleset because it never pushes to
  main itself — it just files a normal PR that the operator merges.

* Replaces the stale `ImageUpdateAutomation` follow-up comment with the
  actual implementation notes.

Refs ADR-017 (Pattern A Flux GitOps), PR #1089, PR #1093 (#990 direct-model
migration whose images are the ones being rolled out by this change).

Author: Cataldir

.github/workflows/deploy-azd.yml

@@ -2717,14 +2717,130 @@ jobs:
           path: .kubernetes/rendered/${{ matrix.service }}/all.yaml
           retention-days: 1
 
-  # NOTE (ADR-017 amendment, Pattern A): the previous `commit-rendered-manifests`
-  # job was deleted because it pushed bot-generated manifests directly to
-  # `refs/heads/main`, which is rejected by the `main-governance-baseline`
-  # ruleset (GH013). Flux now reconciles HelmRelease CRDs from
-  # `.kubernetes/releases/{crud,agents}` and the helm-controller renders the
-  # chart in-cluster on every reconciliation, so no workflow push to main is
-  # ever required. Image tag updates remain a follow-up (planned: Flux
-  # ImageUpdateAutomation with PR bridge).
+  # ADR-017 amendment, Pattern A — image-tag PR bridge.
+  #
+  # The previous ``commit-rendered-manifests`` job pushed bot-generated YAML
+  # straight at ``refs/heads/main``, which the ``main-governance-baseline``
+  # ruleset (GH013) rejects. Flux now reconciles HelmRelease CRDs from
+  # ``.kubernetes/releases/{crud,agents}`` and the helm-controller renders the
+  # chart in-cluster on every reconciliation. To close the loop without
+  # pushing to ``main``, the build emits ``tested-image-*`` artifacts holding
+  # the immutable ACR reference for each service. The job below consumes those
+  # artifacts and opens a single image-bump PR per deploy, so Flux picks up
+  # the new images on the next reconcile after the PR is merged.
+  open-image-tag-bump-pr:
+    runs-on: ubuntu-latest
+    # Run only when at least one of the deploy matrices actually produced new
+    # tested images and the run was not cancelled. The bridge intentionally
+    # does NOT depend on ``success()`` of every deploy slot — partial deploys
+    # (e.g., a single matrix entry flaked) should still surface the bumps for
+    # the services that did succeed.
+    if: ${{ always() && !cancelled() && !inputs.uiOnly && (needs.deploy-crud.result == 'success' || needs.deploy-agents.result == 'success') }}
+    needs:
+      - deploy-crud
+      - deploy-agents
+      - detect-changes
+    permissions:
+      contents: write
+      pull-requests: write
+    env:
+      DEPLOY_ENV: ${{ inputs.environment }}
+      # ``env.DEPLOY_SOURCE_SHA`` is not visible inside job-level ``env:`` so
+      # we re-derive the same expression used at the workflow level.
+      DEPLOY_SHA: ${{ inputs.sourceSha != '' && inputs.sourceSha || github.sha }}
+      DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+    steps:
+      - name: Checkout default branch
+        uses: actions/checkout@v4
+        with:
+          # The bridge edits Flux source-of-truth files on the default branch
+          # so the PR diff reflects only the image bumps from this deploy.
+          ref: ${{ github.event.repository.default_branch }}
+          fetch-depth: 0
+          persist-credentials: true
+
+      - name: Download tested-image artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/tested-images
+          pattern: tested-image-*
+
+      - name: Apply HelmRelease image bumps
+        id: update
+        shell: bash
+        env:
+          RUNNER_TEMP: ${{ runner.temp }}
+        run: |
+          set -euo pipefail
+          changed=0
+          declare -a updated_services=()
+          for dir in "${RUNNER_TEMP}/tested-images"/tested-image-*; do
+            [ -d "$dir" ] || continue
+            svc=$(basename "$dir" | sed 's/^tested-image-//')
+            ref_file="$dir/image-ref.txt"
+            if [ ! -f "$ref_file" ]; then
+              echo "::warning::no image-ref.txt for ${svc} — skipping"
+              continue
+            fi
+            image_ref=$(tr -d '\r\n' < "$ref_file")
+            # image_ref shape: ``<registry>/<svc>@sha256:<digest>``. The
+            # registry path is the durable identifier; the tag is the SHA we
+            # already pushed alongside the digest in ``build-aks-images``.
+            repo="${image_ref%@*}"
+            tag="${DEPLOY_SHA}"
+            if [ "$svc" = "crud-service" ]; then
+              target=".kubernetes/releases/crud/${svc}.yaml"
+            else
+              target=".kubernetes/releases/agents/${svc}.yaml"
+            fi
+            if [ ! -f "$target" ]; then
+              echo "::warning::no HelmRelease found for ${svc} at ${target}"
+              continue
+            fi
+            python3 scripts/ci/update_helmrelease_image.py "$target" "$repo" "$tag"
+            if ! git diff --quiet -- "$target"; then
+              updated_services+=("$svc")
+              changed=$((changed + 1))
+            fi
+          done
+          echo "changed_count=${changed}" >> "$GITHUB_OUTPUT"
+          if [ "${changed}" -gt 0 ]; then
+            printf 'updated_services=%s\n' "${updated_services[*]}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Open or refresh PR
+        if: ${{ steps.update.outputs.changed_count != '0' }}
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          UPDATED_SERVICES: ${{ steps.update.outputs.updated_services }}
+        run: |
+          set -euo pipefail
+          short="${DEPLOY_SHA:0:12}"
+          branch="chore/image-bump-${DEPLOY_ENV}-${short}"
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git switch -c "$branch"
+          git add .kubernetes/releases
+          git commit -m "chore(deploy): bump ${DEPLOY_ENV} HelmRelease image tags to ${short}" \
+                     -m "Triggered by deploy-azd run ${{ github.run_id }}. Services: ${UPDATED_SERVICES}. Merge to roll new images via Flux reconciliation."
+          git push -f origin "$branch"
+          existing=$(gh pr list --state open --head "$branch" --base "${DEFAULT_BRANCH:-main}" --json number --jq '.[0].number // ""' 2>/dev/null || echo '')
+          if [ -z "${existing}" ]; then
+            gh pr create \
+              --base "${DEFAULT_BRANCH:-main}" \
+              --head "$branch" \
+              --title "chore(deploy): bump ${DEPLOY_ENV} HelmRelease image tags to ${short}" \
+              --body "Auto-generated by [deploy-azd run ${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
+
+          Updates HelmRelease \`image.repository\` and \`image.tag\` to the freshly built & tested images at SHA \`${DEPLOY_SHA}\` for environment **${DEPLOY_ENV}**.
+
+          **Services updated (${{ steps.update.outputs.changed_count }}):** ${UPDATED_SERVICES}
+
+          Merging this PR triggers Flux reconciliation, which rolls the new images. No additional action required after merge."
+          else
+            echo "PR #${existing} already open against ${branch}; force-pushed branch HEAD."
+          fi
 
   wait-flux-reconciliation:
     runs-on: ubuntu-latest

.kubernetes/releases/agents/crm-campaign-intelligence.yaml

@@ -29,8 +29,8 @@ spec:
       create: true
       clientId: 036f4fd2-9093-4948-b0dd-beb5c87aa6dc
     image:
-      repository: holidaypeakhub405devacr.azurecr.io/holiday-peak-hub/crm-campaign-intelligence-dev
-      tag: azd-deploy-1775344528
+      repository: holidaypeakhub405devacr.azurecr.io/crm-campaign-intelligence
+      tag: 808d48227b08ceaf9f2d820010e02edf5250b57f
     replicaCount: 2
     resources:
       limits:

.kubernetes/releases/agents/crm-profile-aggregation.yaml

@@ -29,8 +29,8 @@ spec:
       create: true
       clientId: 036f4fd2-9093-4948-b0dd-beb5c87aa6dc
     image:
-      repository: holidaypeakhub405devacr.azurecr.io/holiday-peak-hub/crm-profile-aggregation-dev
-      tag: azd-deploy-1775344626
+      repository: holidaypeakhub405devacr.azurecr.io/crm-profile-aggregation
+      tag: 808d48227b08ceaf9f2d820010e02edf5250b57f
     replicaCount: 2
     resources:
       limits:

.kubernetes/releases/agents/crm-segmentation-personalization.yaml

@@ -29,8 +29,8 @@ spec:
       create: true
       clientId: 036f4fd2-9093-4948-b0dd-beb5c87aa6dc
     image:
-      repository: holidaypeakhub405devacr.azurecr.io/holiday-peak-hub/crm-segmentation-personalization-dev
-      tag: azd-deploy-1775344793
+      repository: holidaypeakhub405devacr.azurecr.io/crm-segmentation-personalization
+      tag: 808d48227b08ceaf9f2d820010e02edf5250b57f
     replicaCount: 2
     resources:
       limits:

.kubernetes/releases/agents/crm-support-assistance.yaml

@@ -29,8 +29,8 @@ spec:
       create: true
       clientId: 036f4fd2-9093-4948-b0dd-beb5c87aa6dc
     image:
-      repository: holidaypeakhub405devacr.azurecr.io/holiday-peak-hub/crm-support-assistance-dev
-      tag: azd-deploy-1775345018
+      repository: holidaypeakhub405devacr.azurecr.io/crm-support-assistance
+      tag: 808d48227b08ceaf9f2d820010e02edf5250b57f
     replicaCount: 2
     resources:
       limits:

.kubernetes/releases/agents/ecommerce-cart-intelligence.yaml

@@ -29,8 +29,8 @@ spec:
       create: true
       clientId: 036f4fd2-9093-4948-b0dd-beb5c87aa6dc
     image:
-      repository: holidaypeakhub405devacr.azurecr.io/holiday-peak-hub/ecommerce-cart-intelligence-dev
-      tag: azd-deploy-1775345183
+      repository: holidaypeakhub405devacr.azurecr.io/ecommerce-cart-intelligence
+      tag: 808d48227b08ceaf9f2d820010e02edf5250b57f
     replicaCount: 2
     resources:
       limits:

.kubernetes/releases/agents/ecommerce-catalog-search.yaml

@@ -32,8 +32,8 @@ spec:
       clientId: "036f4fd2-9093-4948-b0dd-beb5c87aa6dc"
 
     image:
-      repository: holidaypeakhub405devacr.azurecr.io/holiday-peak-hub/ecommerce-catalog-search-dev
-      tag: deterministic-fanout-20260420-190823
+      repository: holidaypeakhub405devacr.azurecr.io/ecommerce-catalog-search
+      tag: 808d48227b08ceaf9f2d820010e02edf5250b57f
 
     replicaCount: 1
 

.kubernetes/releases/agents/ecommerce-checkout-support.yaml

@@ -29,8 +29,8 @@ spec:
       create: true
       clientId: 036f4fd2-9093-4948-b0dd-beb5c87aa6dc
     image:
-      repository: holidaypeakhub405devacr.azurecr.io/holiday-peak-hub/ecommerce-checkout-support-dev
-      tag: azd-deploy-1775345620
+      repository: holidaypeakhub405devacr.azurecr.io/ecommerce-checkout-support
+      tag: 808d48227b08ceaf9f2d820010e02edf5250b57f
     replicaCount: 2
     resources:
       limits:

.kubernetes/releases/agents/ecommerce-order-status.yaml

@@ -29,8 +29,8 @@ spec:
       create: true
       clientId: 036f4fd2-9093-4948-b0dd-beb5c87aa6dc
     image:
-      repository: holidaypeakhub405devacr.azurecr.io/holiday-peak-hub/ecommerce-order-status-dev
-      tag: azd-deploy-1775345850
+      repository: holidaypeakhub405devacr.azurecr.io/ecommerce-order-status
+      tag: 808d48227b08ceaf9f2d820010e02edf5250b57f
     replicaCount: 2
     resources:
       limits:

.kubernetes/releases/agents/ecommerce-product-detail-enrichment.yaml

@@ -29,8 +29,8 @@ spec:
       create: true
       clientId: 036f4fd2-9093-4948-b0dd-beb5c87aa6dc
     image:
-      repository: holidaypeakhub405devacr.azurecr.io/holiday-peak-hub/ecommerce-product-detail-enrichment-dev
-      tag: azd-deploy-1775346091
+      repository: holidaypeakhub405devacr.azurecr.io/ecommerce-product-detail-enrichment
+      tag: 808d48227b08ceaf9f2d820010e02edf5250b57f
     replicaCount: 2
     resources:
       limits: