From b98f93a62f4db86b6b7394b8b5e7558bf3921b05 Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Sun, 24 May 2026 14:26:53 +0800
Subject: [PATCH] fix(ci): include argocd resource evidence in rollout risk

---
 .gitea/workflows/cd.yaml | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 6391ec6c..13f5611d 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -978,6 +978,26 @@ jobs:
             fi
           }
 
+          collect_argocd_resource_evidence() {
+            local template
+            local output
+            local status
+            template='{{range .status.resources}}{{if ne .status "Synced"}}{{.kind}}/{{.name}}{{if .namespace}} ns={{.namespace}}{{end}} sync={{.status}}{{if .health.status}} health={{.health.status}}{{end}}{{"\n"}}{{end}}{{if .health.status}}{{if ne .health.status "Healthy"}}{{.kind}}/{{.name}}{{if .namespace}} ns={{.namespace}}{{end}} sync={{.status}} health={{.health.status}}{{if .health.message}} msg={{.health.message}}{{end}}{{"\n"}}{{end}}{{end}}{{end}}'
+            set +e
+            output=$($KUBECTL get application awoooi-prod -n argocd -o "go-template=${template}" 2>&1)
+            status=$?
+            set -e
+            if [ "$status" -ne 0 ]; then
+              echo "resource_query_failed=$(echo "$output" | head -c 180)"
+              return 0
+            fi
+            echo "$output" \
+              | awk 'NF && !seen[$0]++ {print}' \
+              | head -5 \
+              | tr '\n' ';' \
+              | sed 's/[[:cntrl:]]//g; s/;*$//'
+          }
+
           # 等待 ArgoCD Application 同步到目標 revision（最多 180s）。
           # 2026-05-24 Codex: top-level Application health can stay Degraded
           # without per-resource health detail. Treat that as rollout evidence,
@@ -1002,7 +1022,12 @@ jobs:
             if [ "$SYNC" = "Synced" ]; then
               if [ -z "$EXPECTED_REVISION" ] || [ "$REVISION" = "$EXPECTED_REVISION" ]; then
                 if [ "$HEALTH" != "Healthy" ]; then
-                  record_rollout_risk "argocd_health_not_healthy health=$HEALTH revision=$SHORT_REVISION"
+                  RESOURCE_EVIDENCE=$(collect_argocd_resource_evidence)
+                  if [ -n "$RESOURCE_EVIDENCE" ]; then
+                    record_rollout_risk "argocd_health_not_healthy health=$HEALTH revision=$SHORT_REVISION resources=$RESOURCE_EVIDENCE"
+                  else
+                    record_rollout_risk "argocd_health_not_healthy health=$HEALTH revision=$SHORT_REVISION resources=none_visible"
+                  fi
                 fi
                 echo "✅ ArgoCD Synced to target revision (health=$HEALTH)"
                 break
@@ -1060,7 +1085,7 @@ jobs:
             ACTOR="${GITHUB_ACTOR:-${{ github.actor }}}"
             if AWOOI_CICD_STATUS=pending \
               AWOOI_CICD_STAGE=rollout-risk \
-              AWOOI_CICD_JOB_NAME="AWOOOI 部署風險已恢復" \
+              AWOOI_CICD_JOB_NAME="AWOOOI 部署完成但仍有風險證據" \
               AWOOI_CICD_COMMIT_SHA="${GITHUB_SHA}" \
               AWOOI_CICD_TRIGGERED_BY="${ACTOR}" \
               AWOOI_CICD_SUMMARY="${ROLLOUT_SUMMARY}" \