TBD-A69. PR #2005 fixed build-organization-controller.yaml only. The
other six controller workflows (application, blueprint, continuum,
environment, sandbox, useraccess) had the same gaps that caused the
#1997 18h deploy gap:
- application-controller: missing pkg/** in path filter (auto-bump
already present from earlier work).
- blueprint, continuum, environment, useraccess: missing BOTH pkg/**
path filter AND auto-bump pipeline (permissions promotion +
values.yaml bump + commit/push + blueprint-release dispatch).
- sandbox: already complete (pkg/** + auto-bump to platform/sandbox
chart) — left untouched.
Each updated workflow inherits the canonical shape from
build-organization-controller.yaml (PR #2005):
1. `core/controllers/pkg/**` added to BOTH push.paths and
pull_request.paths. Without this, a fix that only touches the
shared HTTP-client tree (gitea/keycloak/kc-mappers) silently
fails to rebuild the controller image.
2. `permissions.contents: write` + `actions: write` so the build
job can push the values.yaml bump and dispatch the downstream
chart re-publish.
3. An awk-scoped `Bump controllers.<who>.image.tag in values.yaml`
step that updates ONLY the targeted controller's tag (verified
locally — sibling tags remain untouched).
4. A commit/push step that bumps
products/catalyst/chart/values.yaml (or
products/continuum/chart/values.yaml for continuum, which has
its own chart).
5. A `gh workflow run blueprint-release.yaml` dispatch so the
bot-pushed commit fires the downstream chart re-publish
(GitHub Actions silently filters bot pushes from path-trigger
workflows otherwise).
Adds two new files to lock the shape in:
- `scripts/check-controller-workflow-uniformity.sh` — a CI
regression test that grep-asserts every controller workflow has
the canonical pkg/** filter + auto-bump pipeline. Fails loudly
if any new controller workflow ships without the canonical shape,
or if an existing one regresses.
- `.github/workflows/check-controller-workflow-uniformity.yaml` —
push-on-touch + pull_request-on-touch event-driven wrapper that
runs the script. Mirrors the shape of check-vendor-coupling.yaml.
Verified locally:
- YAML syntax valid for all 7 controller workflows + the new check
workflow.
- Regression script passes on all 7 controller workflows.
- Simulated awk bumps against products/catalyst/chart/values.yaml
and products/continuum/chart/values.yaml — each script bumps
ONLY the targeted controller's tag, sibling tags untouched.
No chart bumps. No Go/chart changes. CI-workflow-only.
Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
e72efb87cd