Merge branch 'dev'

Author: MartinPaulEve

.github/workflows/ci.yml

@@ -16,7 +16,7 @@ on:
 
 permissions:
   id-token: write
-  contents: read
+  contents: write
 
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
@@ -92,27 +92,67 @@ jobs:
       - name: Tear down the Stack
         run: docker compose -f docker-compose.github.yml down
 
-  deploy:
-    name: Deploy
+  release-main:
+    # Bumps the version with commitizen, then builds, pushes images, and
+    # deploys — all in one workflow run so every main release is deployed
+    # at exactly the version it claims. The bump commit is only pushed
+    # back to main after the ECR push succeeds, so a failed build never
+    # leaves a stranded bump on the branch. Skipped on bump: commits
+    # (already deployed by the run that created them) to avoid recursion.
+    name: Release (main)
     runs-on: ubuntu-24.04-arm
     needs: [linter, test]
-    if: github.event_name == 'push'
-    environment: ${{ github.ref_name == 'main' && 'production' || 'dev' }}
+    if: github.event_name == 'push' && github.ref_name == 'main' && !startsWith(github.event.head_commit.message, 'bump:')
+    environment: production
 
     env:
       AWS_REGION: us-east-1
-      # Branch-based environment config
-      ECR_REPOSITORY: ${{ github.ref_name == 'main' && 'kcprofiles' || 'kcprofiles-dev' }}
-      ECR_REPOSITORY_TRAEFIK: ${{ github.ref_name == 'main' && 'kcprofiles-traefik' || 'kcprofiles-traefik-dev' }}
+      ECR_REPOSITORY: kcprofiles
+      ECR_REPOSITORY_TRAEFIK: kcprofiles-traefik
       ECR_REPOSITORY_MONITOR: kcprofiles-monitor
-      ECS_CLUSTER: ${{ github.ref_name == 'main' && 'kcprofiles' || 'kcprofiles-dev-2' }}
-      ECS_SERVICE: ${{ github.ref_name == 'main' && 'kcprofiles-blue' || 'kcprofiles-dev' }}
-      AUTOSCALE_GROUP: ${{ github.ref_name == 'main' && 'Infra-ECS-Cluster-kcprofiles-ee645084-ECSAutoScalingGroup-v3MrRnH7laIx' || 'Infra-ECS-Cluster-kcprofiles-dev-2-f89c2350-ECSAutoScalingGroup-zUYaGlEf1GWi' }}
-      COMPOSE_FILE: ${{ github.ref_name == 'main' && 'docker-compose.production.yml' || 'docker-compose.dev.yml' }}
+      ECS_CLUSTER: kcprofiles
+      ECS_SERVICE: kcprofiles-blue
+      AUTOSCALE_GROUP: Infra-ECS-Cluster-kcprofiles-ee645084-ECSAutoScalingGroup-v3MrRnH7laIx
+      COMPOSE_FILE: docker-compose.production.yml
 
     steps:
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ssh-key: ${{ secrets.COMMIT_KEY }}
+
+      - name: Bump version with commitizen
+        id: bump
+        env:
+          COMMITIZEN_VERSION: "4.16.2"
+        run: |
+          python3 -m pip install --user "commitizen==${COMMITIZEN_VERSION}"
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          PRE_SHA=$(git rev-parse HEAD)
+          set +e
+          "$HOME/.local/bin/cz" bump --yes
+          EXIT_CODE=$?
+          set -e
+          POST_SHA=$(git rev-parse HEAD)
+          if [ "$EXIT_CODE" = "0" ] && [ "$PRE_SHA" != "$POST_SHA" ]; then
+            echo "bumped=true" >> $GITHUB_OUTPUT
+          elif [ "$EXIT_CODE" = "0" ] || [ "$EXIT_CODE" = "21" ]; then
+            # cz returned 21 (NoCommitsFoundError) or succeeded without
+            # changing HEAD: nothing semantic to bump, deploy at the
+            # existing version.
+            echo "bumped=false" >> $GITHUB_OUTPUT
+          else
+            echo "cz bump failed unexpectedly with exit code $EXIT_CODE" >&2
+            exit "$EXIT_CODE"
+          fi
+
+      - name: Identify bump commit
+        id: bump_commit
+        run: |
+          BUMP_SHA=$(git rev-parse HEAD)
+          echo "sha=$BUMP_SHA" >> $GITHUB_OUTPUT
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v6
@@ -128,60 +168,51 @@ jobs:
         id: project_version
         run: |
           VERSION=$(python3 -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])")
-          SHORT_SHA="${GITHUB_SHA::7}"
+          SHORT_SHA=$(git rev-parse --short=7 HEAD)
           echo "version=v${VERSION}" >> $GITHUB_OUTPUT
           echo "build=v${VERSION}-${SHORT_SHA}" >> $GITHUB_OUTPUT
 
       - name: Build, tag, and push images to Amazon ECR
         id: build-image
         env:
           ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          IMAGE_TAG: ${{ github.sha }}
+          IMAGE_TAG: ${{ steps.bump_commit.outputs.sha }}
           VERSION_TAG: ${{ steps.project_version.outputs.version }}
           BUILD_TAG: ${{ steps.project_version.outputs.build }}
         run: |
           docker compose -f $COMPOSE_FILE build
 
           # Re-tag the freshly built images with the meaningful version-anchored
           # names used for emergency rollback. BUILD_TAG (vX.Y.Z-<sha7>) is
-          # always unique; VERSION_TAG (vX.Y.Z) is published only on main, where
-          # commitizen guarantees a unique version per release.
+          # always unique; VERSION_TAG (vX.Y.Z) tracks the latest build of a
+          # given release on main.
           docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG \
             $ECR_REGISTRY/$ECR_REPOSITORY:$BUILD_TAG
+          docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG \
+            $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION_TAG
           docker tag $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$IMAGE_TAG \
             $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$BUILD_TAG
+          docker tag $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$IMAGE_TAG \
+            $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$VERSION_TAG
 
           # Push Django image
           docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
           docker push $ECR_REGISTRY/$ECR_REPOSITORY:$BUILD_TAG
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION_TAG
           docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
 
           # Push Traefik image
           docker push $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$IMAGE_TAG
           docker push $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$BUILD_TAG
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$VERSION_TAG
           docker push $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:latest
 
           echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
 
-      - name: Tag and push canonical version tag (main only)
-        if: github.ref_name == 'main'
-        env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          IMAGE_TAG: ${{ github.sha }}
-          VERSION_TAG: ${{ steps.project_version.outputs.version }}
-        run: |
-          docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG \
-            $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION_TAG
-          docker tag $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$IMAGE_TAG \
-            $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$VERSION_TAG
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION_TAG
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$VERSION_TAG
-
       - name: Build, tag, and push monitor image
-        if: github.ref_name == 'main'
         env:
           ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          IMAGE_TAG: ${{ github.sha }}
+          IMAGE_TAG: ${{ steps.bump_commit.outputs.sha }}
           VERSION_TAG: ${{ steps.project_version.outputs.version }}
           BUILD_TAG: ${{ steps.project_version.outputs.build }}
         run: |
@@ -195,6 +226,91 @@ jobs:
           docker push $ECR_REGISTRY/$ECR_REPOSITORY_MONITOR:$VERSION_TAG
           docker push $ECR_REGISTRY/$ECR_REPOSITORY_MONITOR:latest
 
+      - name: Push bump commit and tag to main
+        # Only happens after every ECR push above has succeeded; a failure
+        # in the build leaves no stranded bump on the branch. Skipped when
+        # commitizen had nothing semantic to bump.
+        if: steps.bump.outputs.bumped == 'true'
+        run: |
+          git push origin main --tags
+
+      - name: Force deployment
+        continue-on-error: true
+        run: |
+          aws ecs update-service --cluster $ECS_CLUSTER --service $ECS_SERVICE --force-new-deployment
+          aws autoscaling start-instance-refresh --auto-scaling-group-name $AUTOSCALE_GROUP --region $AWS_REGION --preferences '{"SkipMatching": false}'
+
+      - name: Set a Sentry release
+        uses: getsentry/action-release@v3
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+        with:
+          environment: production
+          ignore_missing: true
+
+  deploy-dev:
+    name: Deploy (dev)
+    runs-on: ubuntu-24.04-arm
+    needs: [linter, test]
+    if: github.event_name == 'push' && github.ref_name == 'dev'
+    environment: dev
+
+    env:
+      AWS_REGION: us-east-1
+      ECR_REPOSITORY: kcprofiles-dev
+      ECR_REPOSITORY_TRAEFIK: kcprofiles-traefik-dev
+      ECS_CLUSTER: kcprofiles-dev-2
+      ECS_SERVICE: kcprofiles-dev
+      AUTOSCALE_GROUP: Infra-ECS-Cluster-kcprofiles-dev-2-f89c2350-ECSAutoScalingGroup-zUYaGlEf1GWi
+      COMPOSE_FILE: docker-compose.dev.yml
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::755997884632:role/github-actions-kcprofiles
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Extract project version
+        id: project_version
+        run: |
+          VERSION=$(python3 -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])")
+          SHORT_SHA="${GITHUB_SHA::7}"
+          echo "build=v${VERSION}-${SHORT_SHA}" >> $GITHUB_OUTPUT
+
+      - name: Build, tag, and push images to Amazon ECR
+        id: build-image
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          IMAGE_TAG: ${{ github.sha }}
+          BUILD_TAG: ${{ steps.project_version.outputs.build }}
+        run: |
+          docker compose -f $COMPOSE_FILE build
+
+          docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG \
+            $ECR_REGISTRY/$ECR_REPOSITORY:$BUILD_TAG
+          docker tag $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$IMAGE_TAG \
+            $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$BUILD_TAG
+
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$BUILD_TAG
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
+
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$IMAGE_TAG
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:$BUILD_TAG
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY_TRAEFIK:latest
+
+          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+
       - name: Force deployment
         continue-on-error: true
         run: |
@@ -208,5 +324,5 @@ jobs:
           SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
           SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
         with:
-          environment: ${{ github.ref_name == 'main' && 'production' || 'dev' }}
+          environment: dev
           ignore_missing: true

.github/workflows/version-release.yml

@@ -20,25 +20,23 @@ build time. `<sha7>` is the first 7 characters of the commit SHA.
 
 ## Why the `-<sha7>` suffix?
 
-Disambiguation. On `dev`, commitizen never bumps the version (the
-`Bump version` workflow only runs on pushes to `main`), so every dev
-deploy would otherwise compete for the same `v<version>` tag and the
-previous build would be untaggable by name. Appending the short SHA
-gives every build its own immutable, version-anchored handle.
+Disambiguation. On `dev`, commitizen never bumps the version, so every
+dev deploy would otherwise compete for the same `v<version>` tag and
+the previous build would be untaggable by name. Appending the short
+SHA gives every build its own immutable, version-anchored handle.
 
-On `main` the same suffix is still pushed for two reasons:
-
-1. Between a feature merge and the commitizen bump that follows, two
-   commits can deploy with the same `v<version>` value, so the suffix
-   keeps each build addressable.
-2. Symmetry: rollback procedures are the same on both environments.
+On `main` the same suffix is still pushed for symmetry — the rollback
+procedure is identical on both environments, and the suffix gives a
+guaranteed-unique handle even if the same release is rebuilt (for
+example, a CI retry on the same commit).
 
 ## Why `v<version>` is `main`-only
 
-`main` runs commitizen on every push and guarantees a fresh version per
-release, so `v<version>` is a stable name for "the build that
-corresponds to release X.Y.Z." On `dev` the same tag would change
-meaning every push, which is misleading — so we don't publish it there.
+`main` runs commitizen as part of every release run, which bumps the
+version before the build, so `v<version>` is a stable name for "the
+build that corresponds to release X.Y.Z." On `dev` the same tag would
+change meaning every push, which is misleading — so we don't publish
+it there.
 
 ## Example
 
@@ -79,7 +77,13 @@ build is published it moves forward.
 
 ## Where the tagging is configured
 
-`.github/workflows/ci.yml`, in the `deploy` job. The `Extract project
-version` step reads `pyproject.toml` via `tomllib`; subsequent build
-and push steps consume `steps.project_version.outputs.version`
-(`v<version>`) and `.build` (`v<version>-<sha7>`).
+`.github/workflows/ci.yml`. The `release-main` job (on `main`) runs
+commitizen first, then extracts the version, builds, and pushes; the
+`deploy-dev` job (on `dev`) skips the bump. Both jobs read
+`pyproject.toml` via `tomllib` in the `Extract project version` step,
+and subsequent build/push steps consume
+`steps.project_version.outputs.version` (`v<version>`) and `.build`
+(`v<version>-<sha7>`). On `main`, the SHA used in `<sha7>` and as the
+exact-commit tag is the **bump commit** (the one created by
+commitizen inside the same workflow run), not the merge commit that
+triggered the run.