diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml index 0b6252f4..f9f47b4a 100644 --- a/.github/workflows/cd.yaml +++ b/.github/workflows/cd.yaml @@ -354,16 +354,24 @@ jobs: fi echo "✅ K8s Secrets 同步完成" + # ======================================================================= + # 2026-03-29 首席架構師審查: P0 修復 - 雙跳過保護機制 + # 問題: 當 API 和 Web build 都跳過時,kustomize 仍包含 IMAGE_TAG_PLACEHOLDER + # 導致 kubectl apply 部署無效映像 → ImagePullBackOff + # 修復: 檢測雙跳過情況,只做 Secrets 同步,跳過 Deployment apply + # ======================================================================= - name: Deploy run: | cd k8s/awoooi-prod TAG="${{ steps.tag.outputs.tag }}" + IMAGES_UPDATED=0 # 只更新實際建構的 image (避免 ImagePullBackOff) if [ "${{ needs.build-api.result }}" = "success" ]; then echo "📦 更新 API image: ${{ env.IMAGE_PREFIX }}-api:${TAG}" kustomize edit set image \ "192.168.0.110:5000/library/api:IMAGE_TAG_PLACEHOLDER=${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-api:${TAG}" + IMAGES_UPDATED=$((IMAGES_UPDATED + 1)) else echo "⏭️ 跳過 API image 更新 (build skipped)" fi @@ -372,10 +380,18 @@ jobs: echo "📦 更新 Web image: ${{ env.IMAGE_PREFIX }}-web:${TAG}" kustomize edit set image \ "192.168.0.110:5000/library/web:IMAGE_TAG_PLACEHOLDER=${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-web:${TAG}" + IMAGES_UPDATED=$((IMAGES_UPDATED + 1)) else echo "⏭️ 跳過 Web image 更新 (build skipped)" fi + # 🔴 P0 保護: 雙跳過時不執行 kubectl apply (防止 IMAGE_TAG_PLACEHOLDER 被部署) + if [ "$IMAGES_UPDATED" -eq 0 ]; then + echo "⚠️ 雙 Build 都跳過,跳過 Deployment apply (防止 ImagePullBackOff)" + echo " 只同步了 Secrets/ConfigMap,Pod 保持現有版本" + exit 0 + fi + kubectl apply -k . # 2026-03-29 ogt: NetworkPolicy 單獨 apply (避免 commonLabels 破壞 DNS rule)
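Review bot: The `IMAGES_UPDATED` counter incremented in the API branch here (and in the Web branch in the next hunk) only lets the later guard tell zero from non-zero, so when exactly one build is skipped the count is 1 and `kubectl apply -k .` still runs. Assuming the kustomization ships both entries with `IMAGE_TAG_PLACEHOLDER`, the skipped component is then applied with the placeholder tag, which is the same ImagePullBackOff the header comment describes. Either set the skipped component to the image that is currently deployed instead of leaving it untouched, or fail closed on the rendered output before the apply: `if kustomize build . | grep -q IMAGE_TAG_PLACEHOLDER; then echo "::error::unresolved image placeholder"; exit 1; fi`. Failing closed also avoids sending an unresolved, unpinned tag to the registry at `192.168.0.110:5000` and relying on the pull to fail. The Deploy step's script starts before and continues past this hunk.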
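Review bot: The `exit 0` in the new `[ "$IMAGES_UPDATED" -eq 0 ]` guard ends the whole step, not just the deployment apply, so the separate NetworkPolicy apply announced by the trailing comment (its command is outside the hunk) is skipped as well whenever both builds are skipped. A policy-only change would then never reach the cluster while the job still reports success. Gate only the apply and let the step continue: `if [ "$IMAGES_UPDATED" -gt 0 ]; then kubectl apply -k .; fi`. The log line also claims ConfigMaps were synced, which nothing visible on this path does, so confirm that against the earlier step. A `echo "::warning::both builds skipped, deployment not applied"` annotation would make the no-op deploy visible in the run summary.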