From cf6cf1ff2036e03b901f2627f3ce28943a5c7e49 Mon Sep 17 00:00:00 2001 From: OG T Date: Sun, 29 Mar 2026 16:18:14 +0800 Subject: [PATCH] =?UTF-8?q?fix(cd):=20P0=20=E9=9B=99=E8=B7=B3=E9=81=8E?= =?UTF-8?q?=E4=BF=9D=E8=AD=B7=20-=20=E9=98=B2=E6=AD=A2=20ImagePullBackOff?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 首席架構師審查 2026-03-29: - 問題: 當 API/Web build 都跳過時,kustomize 仍含 IMAGE_TAG_PLACEHOLDER - 影響: kubectl apply 部署無效映像 → ImagePullBackOff - 修復: 檢測雙跳過,只做 Secrets 同步,跳過 Deployment apply Co-Authored-By: Claude Opus 4.5 --- .github/workflows/cd.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml index 0b6252f4..f9f47b4a 100644 --- a/.github/workflows/cd.yaml +++ b/.github/workflows/cd.yaml @@ -354,16 +354,24 @@ jobs: fi echo "✅ K8s Secrets 同步完成" + # ======================================================================= + # 2026-03-29 首席架構師審查: P0 修復 - 雙跳過保護機制 + # 問題: 當 API 和 Web build 都跳過時,kustomize 仍包含 IMAGE_TAG_PLACEHOLDER + # 導致 kubectl apply 部署無效映像 → ImagePullBackOff + # 修復: 檢測雙跳過情況,只做 Secrets 同步,跳過 Deployment apply + # ======================================================================= - name: Deploy run: | cd k8s/awoooi-prod TAG="${{ steps.tag.outputs.tag }}" + IMAGES_UPDATED=0 # 只更新實際建構的 image (避免 ImagePullBackOff) if [ "${{ needs.build-api.result }}" = "success" ]; then echo "📦 更新 API image: ${{ env.IMAGE_PREFIX }}-api:${TAG}" kustomize edit set image \ "192.168.0.110:5000/library/api:IMAGE_TAG_PLACEHOLDER=${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-api:${TAG}" + IMAGES_UPDATED=$((IMAGES_UPDATED + 1)) else echo "⏭️ 跳過 API image 更新 (build skipped)" fi 
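Review bot: The `IMAGES_UPDATED` counter added in the API branch (and again in the Web branch of the next hunk) records how many images were set, not which ones, so the guard it feeds only catches the case where both builds are skipped. When exactly one build is skipped, the `else` branch still only echoes, the skipped image keeps `IMAGE_TAG_PLACEHOLDER` (going by the commit message's description of a skipped build), and `kubectl apply -k .` would presumably push that placeholder to one Deployment. Either resolve the skipped image to the tag already running in the `else` branch, or fail closed just before the apply, e.g. `kustomize build . | grep -q IMAGE_TAG_PLACEHOLDER && { echo "unresolved image tag"; exit 1; }`. The Deploy step's script continues outside this hunk, so confirm nothing later already handles the single-skip case.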
@@ -372,10 +380,18 @@ jobs: echo "📦 更新 Web image: ${{ env.IMAGE_PREFIX }}-web:${TAG}" kustomize edit set image \ "192.168.0.110:5000/library/web:IMAGE_TAG_PLACEHOLDER=${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-web:${TAG}" + IMAGES_UPDATED=$((IMAGES_UPDATED + 1)) else echo "⏭️ 跳過 Web image 更新 (build skipped)" fi + # 🔴 P0 保護: 雙跳過時不執行 kubectl apply (防止 IMAGE_TAG_PLACEHOLDER 被部署) + if [ "$IMAGES_UPDATED" -eq 0 ]; then + echo "⚠️ 雙 Build 都跳過,跳過 Deployment apply (防止 ImagePullBackOff)" + echo " 只同步了 Secrets/ConfigMap,Pod 保持現有版本" + exit 0 + fi + kubectl apply -k . # 2026-03-29 ogt: NetworkPolicy 單獨 apply (避免 commonLabels 破壞 DNS rule)
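Review bot: `exit 0` in the new double-skip guard ends the whole Deploy step, not just the Deployment apply, so whatever follows `kubectl apply -k .` in this script is skipped as well; the trailing context comment suggests that includes the separate NetworkPolicy apply. A push that only changes network policy or other manifests would then leave the cluster on the old policy while the step reports success. Scope the guard to the one command instead, `if [ "$IMAGES_UPDATED" -gt 0 ]; then kubectl apply -k .; fi`, and let the rest of the step run. The echoed claim that ConfigMaps were synced also looks unsupported if they are rendered by this kustomization, since that apply is the thing being skipped. The remainder of the step lies outside the hunk, so verify what actually follows.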