fix(backend,runner): track GitHub App token expiry for proactive refresh #2788
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Push Component Docker Images | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - '.github/workflows/components-build-deploy.yml' | |
| - 'components/manifests/**' | |
| - 'components/runners/**' | |
| - 'components/operator/**' | |
| - 'components/backend/**' | |
| - 'components/frontend/**' | |
| - 'components/public-api/**' | |
| - 'components/ambient-api-server/**' | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - '.github/workflows/components-build-deploy.yml' | |
| - 'components/manifests/**' | |
| - 'components/runners/**' | |
| - 'components/operator/**' | |
| - 'components/backend/**' | |
| - 'components/frontend/**' | |
| - 'components/public-api/**' | |
| - 'components/ambient-api-server/**' | |
| workflow_dispatch: | |
| inputs: | |
| force_build_all: | |
| description: 'Force rebuild all components' | |
| required: false | |
| type: boolean | |
| default: false | |
| components: | |
| description: 'Components to build (comma-separated: frontend,backend,operator,claude-runner,state-sync,public-api,ambient-api-server) - leave empty for all' | |
| required: false | |
| type: string | |
| default: '' | |
| concurrency: | |
| group: components-build-deploy-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| detect-changes: | |
| if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository | |
| runs-on: ubuntu-latest | |
| outputs: | |
| frontend: ${{ steps.filter.outputs.frontend }} | |
| backend: ${{ steps.filter.outputs.backend }} | |
| operator: ${{ steps.filter.outputs.operator }} | |
| claude-runner: ${{ steps.filter.outputs.claude-runner }} | |
| state-sync: ${{ steps.filter.outputs.state-sync }} | |
| public-api: ${{ steps.filter.outputs.public-api }} | |
| ambient-api-server: ${{ steps.filter.outputs.ambient-api-server }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
| - name: Check for component changes | |
| uses: dorny/paths-filter@v3 | |
| id: filter | |
| with: | |
| filters: | | |
| frontend: | |
| - 'components/frontend/**' | |
| backend: | |
| - 'components/backend/**' | |
| operator: | |
| - 'components/operator/**' | |
| claude-runner: | |
| - 'components/runners/ambient-runner/**' | |
| state-sync: | |
| - 'components/runners/state-sync/**' | |
| public-api: | |
| - 'components/public-api/**' | |
| ambient-api-server: | |
| - 'components/ambient-api-server/**' | |
| build-and-push: | |
| runs-on: ubuntu-latest | |
| needs: detect-changes | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| issues: read | |
| id-token: write | |
| strategy: | |
| matrix: | |
| component: | |
| - name: frontend | |
| context: ./components/frontend | |
| image: quay.io/ambient_code/vteam_frontend | |
| dockerfile: ./components/frontend/Dockerfile | |
| changed: ${{ needs.detect-changes.outputs.frontend }} | |
| - name: backend | |
| context: ./components/backend | |
| image: quay.io/ambient_code/vteam_backend | |
| dockerfile: ./components/backend/Dockerfile | |
| changed: ${{ needs.detect-changes.outputs.backend }} | |
| - name: operator | |
| context: ./components/operator | |
| image: quay.io/ambient_code/vteam_operator | |
| dockerfile: ./components/operator/Dockerfile | |
| changed: ${{ needs.detect-changes.outputs.operator }} | |
| - name: ambient-runner | |
| context: ./components/runners | |
| image: quay.io/ambient_code/vteam_claude_runner | |
| dockerfile: ./components/runners/ambient-runner/Dockerfile | |
| changed: ${{ needs.detect-changes.outputs.claude-runner }} | |
| - name: state-sync | |
| context: ./components/runners/state-sync | |
| image: quay.io/ambient_code/vteam_state_sync | |
| dockerfile: ./components/runners/state-sync/Dockerfile | |
| changed: ${{ needs.detect-changes.outputs.state-sync }} | |
| - name: public-api | |
| context: ./components/public-api | |
| image: quay.io/ambient_code/vteam_public_api | |
| dockerfile: ./components/public-api/Dockerfile | |
| changed: ${{ needs.detect-changes.outputs.public-api }} | |
| - name: ambient-api-server | |
| context: ./components/ambient-api-server | |
| image: quay.io/ambient_code/vteam_api_server | |
| dockerfile: ./components/ambient-api-server/Dockerfile | |
| changed: ${{ needs.detect-changes.outputs.ambient-api-server }} | |
| steps: | |
| - name: Checkout code | |
| if: matrix.component.changed == 'true' || github.event.inputs.force_build_all == 'true' || contains(github.event.inputs.components, matrix.component.name) || (github.event_name == 'workflow_dispatch' && github.event.inputs.components == '' && github.event.inputs.force_build_all != 'true') | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
| - name: Set up Docker Buildx | |
| if: matrix.component.changed == 'true' || github.event.inputs.force_build_all == 'true' || contains(github.event.inputs.components, matrix.component.name) || (github.event_name == 'workflow_dispatch' && github.event.inputs.components == '' && github.event.inputs.force_build_all != 'true') | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to Quay.io | |
| if: matrix.component.changed == 'true' || github.event.inputs.force_build_all == 'true' || contains(github.event.inputs.components, matrix.component.name) || (github.event_name == 'workflow_dispatch' && github.event.inputs.components == '' && github.event.inputs.force_build_all != 'true') | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_PASSWORD }} | |
| - name: Log in to Red Hat Container Registry | |
| if: matrix.component.changed == 'true' || github.event.inputs.force_build_all == 'true' || contains(github.event.inputs.components, matrix.component.name) || (github.event_name == 'workflow_dispatch' && github.event.inputs.components == '' && github.event.inputs.force_build_all != 'true') | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: registry.redhat.io | |
| username: ${{ secrets.REDHAT_USERNAME }} | |
| password: ${{ secrets.REDHAT_PASSWORD }} | |
| - name: Build and push ${{ matrix.component.name }} image only for merge into main | |
| if: (matrix.component.changed == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event.inputs.force_build_all == 'true' || contains(github.event.inputs.components, matrix.component.name) || (github.event_name == 'workflow_dispatch' && github.event.inputs.components == '' && github.event.inputs.force_build_all != 'true') | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: ${{ matrix.component.context }} | |
| file: ${{ matrix.component.dockerfile }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: | | |
| ${{ matrix.component.image }}:latest | |
| ${{ matrix.component.image }}:${{ github.sha }} | |
| ${{ matrix.component.image }}:stage | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Build ${{ matrix.component.name }} image for pull requests but don't push | |
| if: (matrix.component.changed == 'true' || github.event.inputs.force_build_all == 'true' || contains(github.event.inputs.components, matrix.component.name)) && github.event_name == 'pull_request' | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: ${{ matrix.component.context }} | |
| file: ${{ matrix.component.dockerfile }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: false | |
| tags: ${{ matrix.component.image }}:pr-${{ github.event.pull_request.number }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| update-rbac-and-crd: | |
| runs-on: ubuntu-latest | |
| needs: [detect-changes, build-and-push] | |
| if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'workflow_dispatch' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Install oc | |
| uses: redhat-actions/oc-installer@v1 | |
| with: | |
| oc_version: 'latest' | |
| - name: Log in to OpenShift Cluster | |
| run: | | |
| oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --insecure-skip-tls-verify | |
| - name: Apply RBAC and CRD manifests | |
| run: | | |
| oc apply -k components/manifests/base/crds/ | |
| oc apply -k components/manifests/base/rbac/ | |
| oc apply -f components/manifests/overlays/production/operator-config-openshift.yaml -n ambient-code | |
| - name: Deploy observability stack | |
| run: | | |
| oc apply -k components/manifests/observability/ | |
| deploy-to-openshift: | |
| runs-on: ubuntu-latest | |
| needs: [detect-changes, build-and-push, update-rbac-and-crd] | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.frontend == 'true' || needs.detect-changes.outputs.backend == 'true' || needs.detect-changes.outputs.operator == 'true' || needs.detect-changes.outputs.claude-runner == 'true' || needs.detect-changes.outputs.state-sync == 'true' || needs.detect-changes.outputs.public-api == 'true' || needs.detect-changes.outputs.ambient-api-server == 'true') | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Install oc | |
| uses: redhat-actions/oc-installer@v1 | |
| with: | |
| oc_version: 'latest' | |
| - name: Install kustomize | |
| run: | | |
| curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash | |
| sudo mv kustomize /usr/local/bin/ | |
| kustomize version | |
| - name: Log in to OpenShift Cluster | |
| run: | | |
| oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --insecure-skip-tls-verify | |
| - name: Determine image tags | |
| id: image-tags | |
| run: | | |
| if [ "${{ needs.detect-changes.outputs.frontend }}" == "true" ]; then | |
| echo "frontend_tag=${{ github.sha }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "frontend_tag=stage" >> $GITHUB_OUTPUT | |
| fi | |
| if [ "${{ needs.detect-changes.outputs.backend }}" == "true" ]; then | |
| echo "backend_tag=${{ github.sha }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "backend_tag=stage" >> $GITHUB_OUTPUT | |
| fi | |
| if [ "${{ needs.detect-changes.outputs.operator }}" == "true" ]; then | |
| echo "operator_tag=${{ github.sha }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "operator_tag=stage" >> $GITHUB_OUTPUT | |
| fi | |
| if [ "${{ needs.detect-changes.outputs.claude-runner }}" == "true" ]; then | |
| echo "runner_tag=${{ github.sha }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "runner_tag=latest" >> $GITHUB_OUTPUT | |
| fi | |
| if [ "${{ needs.detect-changes.outputs.state-sync }}" == "true" ]; then | |
| echo "state_sync_tag=${{ github.sha }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "state_sync_tag=latest" >> $GITHUB_OUTPUT | |
| fi | |
| if [ "${{ needs.detect-changes.outputs.public-api }}" == "true" ]; then | |
| echo "public_api_tag=${{ github.sha }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "public_api_tag=stage" >> $GITHUB_OUTPUT | |
| fi | |
| if [ "${{ needs.detect-changes.outputs.ambient-api-server }}" == "true" ]; then | |
| echo "api_server_tag=${{ github.sha }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "api_server_tag=stage" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Update kustomization with image tags | |
| working-directory: components/manifests/overlays/production | |
| run: | | |
| kustomize edit set image quay.io/ambient_code/vteam_frontend:latest=quay.io/ambient_code/vteam_frontend:${{ steps.image-tags.outputs.frontend_tag }} | |
| kustomize edit set image quay.io/ambient_code/vteam_backend:latest=quay.io/ambient_code/vteam_backend:${{ steps.image-tags.outputs.backend_tag }} | |
| kustomize edit set image quay.io/ambient_code/vteam_operator:latest=quay.io/ambient_code/vteam_operator:${{ steps.image-tags.outputs.operator_tag }} | |
| kustomize edit set image quay.io/ambient_code/vteam_claude_runner:latest=quay.io/ambient_code/vteam_claude_runner:${{ steps.image-tags.outputs.runner_tag }} | |
| kustomize edit set image quay.io/ambient_code/vteam_state_sync:latest=quay.io/ambient_code/vteam_state_sync:${{ steps.image-tags.outputs.state_sync_tag }} | |
| kustomize edit set image quay.io/ambient_code/vteam_public_api:latest=quay.io/ambient_code/vteam_public_api:${{ steps.image-tags.outputs.public_api_tag }} | |
| kustomize edit set image quay.io/ambient_code/vteam_api_server:latest=quay.io/ambient_code/vteam_api_server:${{ steps.image-tags.outputs.api_server_tag }} | |
| - name: Validate kustomization | |
| working-directory: components/manifests/overlays/production | |
| run: | | |
| kustomize build . > /dev/null | |
| echo "✅ Kustomization validation passed" | |
| - name: Apply production overlay with kustomize | |
| working-directory: components/manifests/overlays/production | |
| run: | | |
| oc apply -k . -n ambient-code | |
| - name: Update frontend environment variables | |
| if: needs.detect-changes.outputs.frontend == 'true' | |
| run: | | |
| oc set env deployment/frontend -n ambient-code -c frontend \ | |
| GITHUB_APP_SLUG="ambient-code-stage" \ | |
| VTEAM_VERSION="${{ github.sha }}" \ | |
| FEEDBACK_URL="https://forms.gle/7XiWrvo6No922DUz6" | |
| - name: Update operator environment variables | |
| if: needs.detect-changes.outputs.operator == 'true' || needs.detect-changes.outputs.backend == 'true' || needs.detect-changes.outputs.claude-runner == 'true' || needs.detect-changes.outputs.state-sync == 'true' | |
| run: | | |
| oc set env deployment/agentic-operator -n ambient-code -c agentic-operator \ | |
| AMBIENT_CODE_RUNNER_IMAGE="quay.io/ambient_code/vteam_claude_runner:${{ steps.image-tags.outputs.runner_tag }}" \ | |
| STATE_SYNC_IMAGE="quay.io/ambient_code/vteam_state_sync:${{ steps.image-tags.outputs.state_sync_tag }}" | |
| - name: Update agent registry ConfigMap with pinned image tags | |
| if: needs.detect-changes.outputs.claude-runner == 'true' || needs.detect-changes.outputs.state-sync == 'true' | |
| run: | | |
| # Fetch live JSON from cluster so unchanged images keep their current tag | |
| REGISTRY=$(oc get configmap ambient-agent-registry -n ambient-code \ | |
| -o jsonpath='{.data.agent-registry\.json}') | |
| # Only replace images that were actually rebuilt this run. | |
| # Pattern [@:][^"]* matches both :tag and @sha256:digest refs. | |
| if [ "${{ needs.detect-changes.outputs.claude-runner }}" == "true" ]; then | |
| REGISTRY=$(echo "$REGISTRY" | sed \ | |
| "s|quay.io/ambient_code/vteam_claude_runner[@:][^\"]*|quay.io/ambient_code/vteam_claude_runner:${{ github.sha }}|g") | |
| fi | |
| if [ "${{ needs.detect-changes.outputs.state-sync }}" == "true" ]; then | |
| REGISTRY=$(echo "$REGISTRY" | sed \ | |
| "s|quay.io/ambient_code/vteam_state_sync[@:][^\"]*|quay.io/ambient_code/vteam_state_sync:${{ github.sha }}|g") | |
| fi | |
| oc patch configmap ambient-agent-registry -n ambient-code --type=merge \ | |
| -p "{\"data\":{\"agent-registry.json\":$(echo "$REGISTRY" | jq -Rs .)}}" | |
| deploy-with-disptach: | |
| runs-on: ubuntu-latest | |
| needs: [detect-changes, build-and-push, update-rbac-and-crd] | |
| if: github.event_name == 'workflow_dispatch' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Install oc | |
| uses: redhat-actions/oc-installer@v1 | |
| with: | |
| oc_version: 'latest' | |
| - name: Install kustomize | |
| run: | | |
| curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash | |
| sudo mv kustomize /usr/local/bin/ | |
| kustomize version | |
| - name: Log in to OpenShift Cluster | |
| run: | | |
| oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --insecure-skip-tls-verify | |
| - name: Update kustomization with stage image tags | |
| working-directory: components/manifests/overlays/production | |
| run: | | |
| kustomize edit set image quay.io/ambient_code/vteam_frontend:latest=quay.io/ambient_code/vteam_frontend:stage | |
| kustomize edit set image quay.io/ambient_code/vteam_backend:latest=quay.io/ambient_code/vteam_backend:stage | |
| kustomize edit set image quay.io/ambient_code/vteam_operator:latest=quay.io/ambient_code/vteam_operator:stage | |
| kustomize edit set image quay.io/ambient_code/vteam_claude_runner:latest=quay.io/ambient_code/vteam_claude_runner:stage | |
| kustomize edit set image quay.io/ambient_code/vteam_state_sync:latest=quay.io/ambient_code/vteam_state_sync:stage | |
| kustomize edit set image quay.io/ambient_code/vteam_public_api:latest=quay.io/ambient_code/vteam_public_api:stage | |
| kustomize edit set image quay.io/ambient_code/vteam_api_server:latest=quay.io/ambient_code/vteam_api_server:stage | |
| - name: Validate kustomization | |
| working-directory: components/manifests/overlays/production | |
| run: | | |
| kustomize build . > /dev/null | |
| echo "✅ Kustomization validation passed" | |
| - name: Apply production overlay with kustomize | |
| working-directory: components/manifests/overlays/production | |
| run: | | |
| oc apply -k . -n ambient-code | |
| - name: Update frontend environment variables | |
| run: | | |
| oc set env deployment/frontend -n ambient-code -c frontend \ | |
| GITHUB_APP_SLUG="ambient-code-stage" \ | |
| VTEAM_VERSION="${{ github.sha }}" \ | |
| FEEDBACK_URL="https://forms.gle/7XiWrvo6No922DUz6" | |
| - name: Update operator environment variables | |
| run: | | |
| oc set env deployment/agentic-operator -n ambient-code -c agentic-operator \ | |
| AMBIENT_CODE_RUNNER_IMAGE="quay.io/ambient_code/vteam_claude_runner:${{ github.sha }}" \ | |
| STATE_SYNC_IMAGE="quay.io/ambient_code/vteam_state_sync:${{ github.sha }}" | |
| - name: Update agent registry ConfigMap with pinned image tags | |
| run: | | |
| REGISTRY=$(oc get configmap ambient-agent-registry -n ambient-code \ | |
| -o jsonpath='{.data.agent-registry\.json}') | |
| REGISTRY=$(echo "$REGISTRY" | sed \ | |
| -e "s|quay.io/ambient_code/vteam_claude_runner[@:][^\"]*|quay.io/ambient_code/vteam_claude_runner:${{ github.sha }}|g" \ | |
| -e "s|quay.io/ambient_code/vteam_state_sync[@:][^\"]*|quay.io/ambient_code/vteam_state_sync:${{ github.sha }}|g") | |
| oc patch configmap ambient-agent-registry -n ambient-code --type=merge \ | |
| -p "{\"data\":{\"agent-registry.json\":$(echo "$REGISTRY" | jq -Rs .)}}" |