
feat(ansible): deploy-*.yml playbooks missing pre-flight code_source sync (only provision-fleet-roles.yml has it) #3604

@mrveiss

Description


Summary

provision-fleet-roles.yml has a Play 0 pre-flight that syncs code_source from GitHub before running roles (added in #3561). This prevents stale-code deployments. However, none of the standalone deploy-*.yml playbooks have this guard. Operators frequently use standalone playbooks for targeted redeployments (e.g. deploy-slm-manager.yml, deploy-full.yml, deploy-aiml.yml) and these all run silently from whatever commit code_source happens to be at.

Scope

Playbooks confirmed missing pre-flight sync:

  • deploy-slm-manager.yml
  • deploy-full.yml
  • deploy-aiml.yml
  • deploy-backend-local.yml / deploy-backend-remote.yml
  • deploy-native-services.yml
  • deploy-base.yml
  • deploy-database.yml
  • deploy-slm-agent.yml
  • deploy-development-services.yml
  • deploy-time-sync.yml
  • deploy-service-auth.yml
  • deploy-nginx-proxy.yml

Root Cause of Discovery

During incident #3592/#3593: code_source was ~300 commits behind. The ai-stack role was missing the Python 3.12 venv fix (PR #3536). provision-fleet-roles.yml caught this and synced — but if a standalone deploy-aiml.yml had been used instead, it would have run from the same stale code with no warning.

Fix

Extract the Play 0 pre-flight into a reusable include, or copy it verbatim into the most-used deploy playbooks. The cleanest approach is a shared pre-flight tasks file:

ansible/playbooks/pre-flight/sync-code-source.yml

Then each playbook starts with:

- name: "Pre-flight: Sync code_source from GitHub"
  ansible.builtin.import_playbook: pre-flight/sync-code-source.yml

Alternatively, add Play 0 verbatim to the highest-traffic deploy playbooks: deploy-slm-manager.yml, deploy-full.yml, deploy-aiml.yml.
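The shared pre-flight play described above, written out as an added example (this is not the project's existing Play 0 from #3561, and the file path, variable names `code_source_path`, `code_source_branch` and `allow_stale_code_source`, and their defaults are assumptions). It fetches the tracked branch, refuses to continue from a checkout with uncommitted modifications, fast-forwards when behind, and logs the exact commit every following play will deploy from:

```yaml
# ansible/playbooks/pre-flight/sync-code-source.yml  (path as proposed in the issue)
# Added example of a shared pre-flight play; variable names and defaults are assumptions.
- name: "Pre-flight: Sync code_source from GitHub"
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    code_source_path: /opt/code_source   # assumption: where code_source is checked out
    code_source_branch: main             # assumption: branch deployments are meant to track
    # Pass -e allow_stale_code_source=true to deliberately deploy a pinned commit;
    # the stale state is then printed instead of being silently accepted.
    allow_stale_code_source: false
  tasks:
    - name: Fetch the tracked branch from origin
      ansible.builtin.command:
        cmd: git fetch --quiet origin {{ code_source_branch }}
        chdir: "{{ code_source_path }}"
      changed_when: false

    - name: Record local HEAD, remote tip, commits behind, and working-tree state
      ansible.builtin.command:
        cmd: "{{ item }}"
        chdir: "{{ code_source_path }}"
      loop:
        - git rev-parse HEAD
        - git rev-parse origin/{{ code_source_branch }}
        - git rev-list --count HEAD..origin/{{ code_source_branch }}
        - git status --porcelain --untracked-files=no
      register: git_state
      changed_when: false

    - name: Summarise the checkout state
      ansible.builtin.set_fact:
        local_head: "{{ git_state.results[0].stdout }}"
        remote_head: "{{ git_state.results[1].stdout }}"
        commits_behind: "{{ git_state.results[2].stdout | int }}"
        tree_dirty: "{{ git_state.results[3].stdout | length > 0 }}"

    - name: Refuse to deploy from a checkout with uncommitted modifications
      ansible.builtin.assert:
        that: not (tree_dirty | bool)
        fail_msg: >-
          {{ code_source_path }} has local modifications; commit or stash them so the
          deployed code corresponds to a known commit.

    # --ff-only rather than reset --hard: a diverged local history fails the run
    # instead of being silently overwritten.
    - name: Fast-forward to origin/{{ code_source_branch }}
      ansible.builtin.command:
        cmd: git merge --ff-only origin/{{ code_source_branch }}
        chdir: "{{ code_source_path }}"
      when: commits_behind | int > 0 and not (allow_stale_code_source | bool)

    - name: Make a deliberately stale run visible in the log
      ansible.builtin.debug:
        msg: >-
          WARNING: allow_stale_code_source=true; deploying {{ local_head[:12] }},
          {{ commits_behind }} commit(s) behind origin/{{ code_source_branch }}
          ({{ remote_head[:12] }}).
      when: commits_behind | int > 0 and (allow_stale_code_source | bool)

    - name: Re-read HEAD after any fast-forward
      ansible.builtin.command:
        cmd: git rev-parse HEAD
        chdir: "{{ code_source_path }}"
      register: deploy_head
      changed_when: false

    - name: Report the commit every following play deploys from
      ansible.builtin.debug:
        msg: "code_source at {{ deploy_head.stdout[:12] }} for this run"
```

Because the play targets localhost, each deploy-*.yml can pull it in unchanged with the `ansible.builtin.import_playbook` line shown above, which keeps the implementation in one place rather than copied into each playbook. The two failure modes the incident exposed are handled explicitly: being behind is corrected (or, with the override, printed), and a dirty tree stops the run so that whatever reaches the fleet can always be traced to one commit.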

Acceptance Criteria

  • deploy-slm-manager.yml has pre-flight code_source sync
  • deploy-full.yml has pre-flight code_source sync
  • deploy-aiml.yml has pre-flight code_source sync
  • Remaining deploy-*.yml playbooks either have sync or have a comment explaining why they don't (e.g. local-only playbooks that don't read role files from code_source)
  • Pre-flight implementation is DRY — not copy-pasted 12 times
