Add drain and resume mutation for build_id rollout state

Operators could see per-build-id rollout state via
GET /api/task-queues/{taskQueue}/build-ids, but there was no way to
mark a build_id cohort as draining before removing the older workers.
Without that mutation, rollouts had to rely on stopping each worker
process by hand, which is easy to mis-sequence when rolling back a
bad build or cutting over from unversioned to versioned workers.

Add two POST endpoints on the same route prefix:

- POST /api/task-queues/{taskQueue}/build-ids/drain
- POST /api/task-queues/{taskQueue}/build-ids/resume

Both take a {"build_id": "..."} body; passing null targets the
unversioned cohort (the pre-rollout default). The call is idempotent,
so repeated drains do not shift the recorded drained_at timestamp.

Drain intent persists in a new workflow_worker_build_id_rollouts
table keyed on (namespace, task_queue, build_id), with the empty
string used as the sentinel for the unversioned cohort so the unique
index behaves consistently across SQLite/MySQL/PostgreSQL/SQL Server
(null is treated as distinct in unique indexes on several backends).

Worker register and heartbeat paths now stamp the registration with
status='draining' whenever the cohort carries drain_intent='draining',
so an in-flight worker cannot clobber the operator intent by heart-
beating itself back to active. Resuming a cohort clears drain_intent,
wipes drained_at, and flips any already-draining worker rows back to
active so the read endpoint reports honest state immediately.

The read endpoint gains drain_intent and drained_at fields per cohort
and continues to surface drained cohorts even after their worker rows
are removed, so rollout state stays visible when workers are torn
down. rollout_status reflects operator intent: an active cohort that
has been drained reports active_with_draining, and a drained cohort
with no live workers reports draining instead of stale_only.

The route is /operator/ scoped like the rest of the task-queues
prefix, and both endpoints are covered by the control-plane version
and operational-success contract tests.

Author: durable-workflow-ops

app/Http/Controllers/Api/TaskQueueController.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Controllers\Api;
 
+use App\Models\WorkerBuildIdRollout;
 use App\Models\WorkerRegistration;
 use App\Support\ControlPlaneProtocol;
 use App\Support\TaskQueueAdmission;
@@ -149,20 +150,29 @@ public function buildIds(Request $request, string $taskQueue): JsonResponse
             }
         }
 
+        $rolloutMap = $this->rolloutsForTaskQueue($namespace, $taskQueue);
+
         $buildIds = [];
         foreach ($groups as $group) {
             $runtimes = array_keys($group['runtimes']);
             sort($runtimes);
             $sdkVersions = array_keys($group['sdk_versions']);
             sort($sdkVersions);
 
+            $rolloutKey = WorkerBuildIdRollout::buildIdKey($group['build_id']);
+            $rollout = $rolloutMap[$rolloutKey] ?? null;
+            $drainIntent = $rollout?->drain_intent ?? WorkerBuildIdRollout::DRAIN_INTENT_ACTIVE;
+
             $buildIds[] = [
                 'build_id' => $group['build_id'],
                 'rollout_status' => $this->buildIdRolloutStatus(
                     $group['active_worker_count'],
                     $group['draining_worker_count'],
                     $group['stale_worker_count'],
+                    $drainIntent,
                 ),
+                'drain_intent' => $drainIntent,
+                'drained_at' => $rollout?->drained_at?->toJSON(),
                 'active_worker_count' => $group['active_worker_count'],
                 'draining_worker_count' => $group['draining_worker_count'],
                 'stale_worker_count' => $group['stale_worker_count'],
@@ -174,6 +184,35 @@ public function buildIds(Request $request, string $taskQueue): JsonResponse
             ];
         }
 
+        // Surface rollout intent even for cohorts whose worker rows have
+        // been removed: operators still need to see "this build_id is
+        // marked draining" until they explicitly resume it.
+        foreach ($rolloutMap as $key => $rollout) {
+            if (isset($groups[$key === '' ? '__unversioned__' : $key])) {
+                continue;
+            }
+
+            $buildIds[] = [
+                'build_id' => $rollout->publicBuildId(),
+                'rollout_status' => $this->buildIdRolloutStatus(
+                    0,
+                    0,
+                    0,
+                    $rollout->drain_intent,
+                ),
+                'drain_intent' => $rollout->drain_intent,
+                'drained_at' => $rollout->drained_at?->toJSON(),
+                'active_worker_count' => 0,
+                'draining_worker_count' => 0,
+                'stale_worker_count' => 0,
+                'total_worker_count' => 0,
+                'runtimes' => [],
+                'sdk_versions' => [],
+                'last_heartbeat_at' => null,
+                'first_seen_at' => null,
+            ];
+        }
+
         usort($buildIds, function (array $a, array $b): int {
             $rankA = $this->buildIdRolloutRank($a);
             $rankB = $this->buildIdRolloutRank($b);
@@ -194,16 +233,137 @@ public function buildIds(Request $request, string $taskQueue): JsonResponse
         ]);
     }
 
-    private function buildIdRolloutStatus(int $active, int $draining, int $stale): string
+    /**
+     * Mark a build_id cohort as draining so operators can cut traffic off
+     * a build before deleting its workers. Passing null for build_id drains
+     * the unversioned cohort (the pre-rollout default). The call is
+     * idempotent: repeated drains return the existing rollout record.
+     */
+    public function drainBuildId(Request $request, string $taskQueue): JsonResponse
+    {
+        return $this->setBuildIdDrainIntent(
+            $request,
+            $taskQueue,
+            WorkerBuildIdRollout::DRAIN_INTENT_DRAINING,
+        );
+    }
+
+    /**
+     * Revert an earlier drain so the build_id cohort can accept work again
+     * (rollback path). Passing null for build_id resumes the unversioned
+     * cohort. The call is idempotent.
+     */
+    public function resumeBuildId(Request $request, string $taskQueue): JsonResponse
+    {
+        return $this->setBuildIdDrainIntent(
+            $request,
+            $taskQueue,
+            WorkerBuildIdRollout::DRAIN_INTENT_ACTIVE,
+        );
+    }
+
+    private function setBuildIdDrainIntent(Request $request, string $taskQueue, string $intent): JsonResponse
+    {
+        if ($response = ControlPlaneProtocol::rejectUnsupported($request)) {
+            return $response;
+        }
+
+        $validated = $request->validate([
+            'build_id' => ['present', 'nullable', 'string', 'max:255'],
+        ]);
+
+        $namespace = (string) $request->attributes->get('namespace');
+        $publicBuildId = is_string($validated['build_id']) && trim($validated['build_id']) !== ''
+            ? trim($validated['build_id'])
+            : null;
+        $key = WorkerBuildIdRollout::buildIdKey($publicBuildId);
+        $now = now();
+
+        $rollout = WorkerBuildIdRollout::query()->firstOrNew([
+            'namespace' => $namespace,
+            'task_queue' => $taskQueue,
+            'build_id' => $key,
+        ]);
+
+        $draining = $intent === WorkerBuildIdRollout::DRAIN_INTENT_DRAINING;
+        $wasDraining = $rollout->drain_intent === WorkerBuildIdRollout::DRAIN_INTENT_DRAINING;
+
+        $rollout->drain_intent = $intent;
+        $rollout->drained_at = $draining
+            ? ($wasDraining ? $rollout->drained_at : $now)
+            : null;
+        $rollout->save();
+
+        if (! $draining) {
+            // Clear the draining status we stamped on worker rows so the
+            // next heartbeat is not forced back to draining by the resume
+            // path. Workers that are still running will have their status
+            // restamped to active on their next heartbeat anyway, but
+            // clearing immediately keeps the read endpoint honest.
+            WorkerRegistration::query()
+                ->where('namespace', $namespace)
+                ->where('task_queue', $taskQueue)
+                ->when(
+                    $publicBuildId !== null,
+                    fn ($query) => $query->where('build_id', $publicBuildId),
+                    fn ($query) => $query->where(function ($q) {
+                        $q->whereNull('build_id')->orWhere('build_id', '');
+                    }),
+                )
+                ->where('status', WorkerBuildIdRollout::DRAIN_INTENT_DRAINING)
+                ->update(['status' => 'active']);
+        }
+
+        return ControlPlaneProtocol::json([
+            'namespace' => $namespace,
+            'task_queue' => $taskQueue,
+            'build_id' => $publicBuildId,
+            'drain_intent' => $rollout->drain_intent,
+            'drained_at' => $rollout->drained_at?->toJSON(),
+        ]);
+    }
+
+    /**
+     * @return array<string, WorkerBuildIdRollout>
+     */
+    private function rolloutsForTaskQueue(string $namespace, string $taskQueue): array
     {
+        $rollouts = WorkerBuildIdRollout::query()
+            ->where('namespace', $namespace)
+            ->where('task_queue', $taskQueue)
+            ->get();
+
+        $map = [];
+        foreach ($rollouts as $rollout) {
+            $map[(string) $rollout->build_id] = $rollout;
+        }
+
+        return $map;
+    }
+
+    private function buildIdRolloutStatus(
+        int $active,
+        int $draining,
+        int $stale,
+        string $drainIntent = WorkerBuildIdRollout::DRAIN_INTENT_ACTIVE,
+    ): string {
+        $intentDraining = $drainIntent === WorkerBuildIdRollout::DRAIN_INTENT_DRAINING;
+
         if ($active > 0) {
-            return $draining > 0 ? 'active_with_draining' : 'active';
+            return $intentDraining || $draining > 0 ? 'active_with_draining' : 'active';
         }
 
         if ($draining > 0) {
             return 'draining';
         }
 
+        if ($intentDraining) {
+            // Operator intent is to drain, but no live workers remain to
+            // acknowledge it. Keep the cohort visible as draining so the
+            // rollout state is clear even after stale workers are purged.
+            return 'draining';
+        }
+
         return $stale > 0 ? 'stale_only' : 'no_workers';
     }
 

app/Http/Controllers/Api/WorkerController.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Controllers\Api;
 
+use App\Models\WorkerBuildIdRollout;
 use App\Models\WorkerRegistration;
 use App\Support\HistoryRetentionEnforcer;
 use App\Support\NamespaceWorkflowScope;
@@ -98,6 +99,12 @@ public function register(Request $request): JsonResponse
             );
         }
 
+        $registrationStatus = $this->workerRegistrationStatus(
+            $namespace,
+            $validated['task_queue'],
+            $validated['build_id'] ?? null,
+        );
+
         WorkerRegistration::updateOrCreate(
             [
                 'worker_id' => $workerId,
@@ -114,7 +121,7 @@ public function register(Request $request): JsonResponse
                 'max_concurrent_workflow_tasks' => $validated['max_concurrent_workflow_tasks'] ?? 100,
                 'max_concurrent_activity_tasks' => $validated['max_concurrent_activity_tasks'] ?? 100,
                 'last_heartbeat_at' => now(),
-                'status' => 'active',
+                'status' => $registrationStatus,
             ]
         );
 
@@ -240,9 +247,15 @@ public function heartbeat(Request $request): JsonResponse
             ], 404);
         }
 
+        $heartbeatStatus = $this->workerRegistrationStatus(
+            $worker->namespace,
+            $worker->task_queue,
+            is_string($worker->build_id) ? $worker->build_id : null,
+        );
+
         $worker->update([
             'last_heartbeat_at' => now(),
-            'status' => 'active',
+            'status' => $heartbeatStatus,
         ]);
 
         StandaloneWorkerVisibility::recordCompatibility(
@@ -1166,4 +1179,30 @@ private function workflowTaskStopReason(mixed $runStatus): string
             default => 'run_closed',
         };
     }
+
+    /**
+     * Derive the worker status to stamp on register/heartbeat from operator
+     * rollout intent. If an operator has marked this build_id cohort as
+     * draining, incoming worker rows stay draining across heartbeats so the
+     * drain intent cannot be clobbered by ordinary polling traffic.
+     */
+    private function workerRegistrationStatus(
+        string $namespace,
+        string $taskQueue,
+        ?string $buildId,
+    ): string {
+        $key = WorkerBuildIdRollout::buildIdKey($buildId);
+
+        $rollout = WorkerBuildIdRollout::query()
+            ->where('namespace', $namespace)
+            ->where('task_queue', $taskQueue)
+            ->where('build_id', $key)
+            ->first();
+
+        if ($rollout instanceof WorkerBuildIdRollout && $rollout->isDraining()) {
+            return WorkerBuildIdRollout::DRAIN_INTENT_DRAINING;
+        }
+
+        return 'active';
+    }
 }

app/Models/WorkerBuildIdRollout.php

@@ -0,0 +1,57 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+class WorkerBuildIdRollout extends Model
+{
+    public const DRAIN_INTENT_ACTIVE = 'active';
+
+    public const DRAIN_INTENT_DRAINING = 'draining';
+
+    public const UNVERSIONED_KEY = '';
+
+    protected $table = 'workflow_worker_build_id_rollouts';
+
+    protected $fillable = [
+        'namespace',
+        'task_queue',
+        'build_id',
+        'drain_intent',
+        'drained_at',
+    ];
+
+    protected function casts(): array
+    {
+        return [
+            'drained_at' => 'datetime',
+        ];
+    }
+
+    public static function buildIdKey(?string $buildId): string
+    {
+        if (! is_string($buildId)) {
+            return self::UNVERSIONED_KEY;
+        }
+
+        $trimmed = trim($buildId);
+
+        return $trimmed === '' ? self::UNVERSIONED_KEY : $trimmed;
+    }
+
+    public static function buildIdFromKey(string $key): ?string
+    {
+        return $key === self::UNVERSIONED_KEY ? null : $key;
+    }
+
+    public function publicBuildId(): ?string
+    {
+        return self::buildIdFromKey((string) $this->build_id);
+    }
+
+    public function isDraining(): bool
+    {
+        return $this->drain_intent === self::DRAIN_INTENT_DRAINING;
+    }
+}

database/migrations/2026_04_22_000200_create_workflow_worker_build_id_rollouts_table.php

@@ -0,0 +1,36 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('workflow_worker_build_id_rollouts', function (Blueprint $table) {
+            $table->id();
+            $table->string('namespace', 128);
+            $table->string('task_queue', 255);
+            // Stores the worker build_id or an empty string for the
+            // unversioned cohort (pre-rollout default). Non-null so the
+            // unique index below behaves consistently across backends —
+            // several databases treat null values as distinct in unique
+            // indexes, which would allow duplicate unversioned rows.
+            $table->string('build_id', 255)->default('');
+            $table->string('drain_intent', 32)->default('active');
+            $table->timestamp('drained_at')->nullable();
+            $table->timestamps();
+
+            $table->unique(
+                ['namespace', 'task_queue', 'build_id'],
+                'workflow_build_id_rollouts_scope_unique'
+            );
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('workflow_worker_build_id_rollouts');
+    }
+};

routes/api.php

@@ -145,6 +145,8 @@
     Route::prefix('task-queues')->middleware([$operator, $cpv, $ns])->group(function () {
         Route::get('/', [TaskQueueController::class, 'index']);
         Route::get('/{taskQueue}/build-ids', [TaskQueueController::class, 'buildIds']);
+        Route::post('/{taskQueue}/build-ids/drain', [TaskQueueController::class, 'drainBuildId']);
+        Route::post('/{taskQueue}/build-ids/resume', [TaskQueueController::class, 'resumeBuildId']);
         Route::get('/{taskQueue}', [TaskQueueController::class, 'show']);
     });