fix(cd): P0 雙跳過保護 - 防止 ImagePullBackOff

首席架構師審查 2026-03-29: - 問題: 當 API/Web build 都跳過時，kustomize 仍含 IMAGE_TAG_PLACEHOLDER - 影響: kubectl apply 部署無效映像 → ImagePullBackOff - 修復: 檢測雙跳過，只做 Secrets 同步，跳過 Deployment apply Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-29 16:18:14 +08:00
parent f87c30b1c7
commit cf6cf1ff20
1 changed files with 16 additions and 0 deletions
--- a/.github/workflows/cd.yaml
+++ b/.github/workflows/cd.yaml
@@ -354,16 +354,24 @@ jobs:
          fi
          echo "✅ K8s Secrets 同步完成"

+      # =======================================================================
+      # 2026-03-29 首席架構師審查: P0 修復 - 雙跳過保護機制
+      # 問題: 當 API 和 Web build 都跳過時，kustomize 仍包含 IMAGE_TAG_PLACEHOLDER
+      #       導致 kubectl apply 部署無效映像 → ImagePullBackOff
+      # 修復: 檢測雙跳過情況，只做 Secrets 同步，跳過 Deployment apply
+      # =======================================================================
      - name: Deploy
        run: |
          cd k8s/awoooi-prod
          TAG="${{ steps.tag.outputs.tag }}"
+          IMAGES_UPDATED=0

          # 只更新實際建構的 image (避免 ImagePullBackOff)
          if [ "${{ needs.build-api.result }}" = "success" ]; then
            echo "📦 更新 API image: ${{ env.IMAGE_PREFIX }}-api:${TAG}"
            kustomize edit set image \
              "192.168.0.110:5000/library/api:IMAGE_TAG_PLACEHOLDER=${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-api:${TAG}"
+            IMAGES_UPDATED=$((IMAGES_UPDATED + 1))
          else
            echo "⏭️ 跳過 API image 更新 (build skipped)"
          fi
@@ -372,10 +380,18 @@ jobs:
            echo "📦 更新 Web image: ${{ env.IMAGE_PREFIX }}-web:${TAG}"
            kustomize edit set image \
              "192.168.0.110:5000/library/web:IMAGE_TAG_PLACEHOLDER=${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-web:${TAG}"
+            IMAGES_UPDATED=$((IMAGES_UPDATED + 1))
          else
            echo "⏭️ 跳過 Web image 更新 (build skipped)"
          fi

+          # 🔴 P0 保護: 雙跳過時不執行 kubectl apply (防止 IMAGE_TAG_PLACEHOLDER 被部署)
+          if [ "$IMAGES_UPDATED" -eq 0 ]; then
+            echo "⚠️ 雙 Build 都跳過，跳過 Deployment apply (防止 ImagePullBackOff)"
+            echo "   只同步了 Secrets/ConfigMap，Pod 保持現有版本"
+            exit 0
+          fi
+
          kubectl apply -k .

      # 2026-03-29 ogt: NetworkPolicy 單獨 apply (避免 commonLabels 破壞 DNS rule)