fix(ci): pass TAG/REGISTRY_TOKEN into remote shell in dev deploy #737

Merged
jmiller merged 1 commits from fix/deploy-dev-var-expansion into dev 2026-07-05 06:15:11 +00:00
Owner

Problem

The dev deploy (custom/deploy-dev.yml) has never succeeded — every run fails at the Docker build with:

ERROR: failed to build: invalid tag "git.mokoconsulting.tech/mokoconsulting/mokogitea:": invalid reference format

This blocked the runtime-validation gate for the org-governance release (#733): the migrations and server boot never got exercised because the image never built.

Root cause

The build/deploy step used an unquoted SSH heredoc (<<DEPLOY_EOF) and referenced runner-side values as \$TAG / \$REGISTRY_TOKEN. The backslash defers expansion to the remote shell — but those variables only exist on the runner (the step's env:). On the remote side they're unset, so the tag collapsed to mokogitea: (empty) → invalid reference format. REGISTRY_TOKEN had the same defect (remote docker login would have received the literal string $REGISTRY_TOKEN), and HEALTH_FMT was defined on the runner but referenced remotely.

This was not caused by the org-governance code — that compiles and vets clean locally (go build ./... clean, go vet clean on 380 packages).

Fix

  • Inject the two runner-side values as an env prefix on the ssh command: TAG='...' REGISTRY_TOKEN='...' bash -s.
  • Switch to a quoted heredoc (<<'DEPLOY_EOF') so every $var in the script expands in exactly one place — the remote host. Removes the fragile local/remote expansion mix that caused the bug.
  • Move HEALTH_FMT into the remote script body.
  • Add an explicit empty-TAG guard so any future regression fails loudly with a clear message instead of building an untagged image.

Actions ${{ env.* }} expressions are unaffected (templated before bash runs, independent of heredoc quoting).

Validation

  • YAML parses cleanly; no trailing whitespace.
  • Once merged to dev, the push auto-triggers deploy-dev.yml — this is the real runtime gate for #733 (image builds, migrations 362–366 apply, container reports healthy).

https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT

## Problem The dev deploy (`custom/deploy-dev.yml`) has **never succeeded** — every run fails at the Docker build with: ``` ERROR: failed to build: invalid tag "git.mokoconsulting.tech/mokoconsulting/mokogitea:": invalid reference format ``` This blocked the runtime-validation gate for the org-governance release (#733): the migrations and server boot never got exercised because the image never built. ### Root cause The build/deploy step used an **unquoted** SSH heredoc (`<<DEPLOY_EOF`) and referenced runner-side values as `\$TAG` / `\$REGISTRY_TOKEN`. The backslash *defers* expansion to the **remote** shell — but those variables only exist on the runner (the step's `env:`). On the remote side they're unset, so the tag collapsed to `mokogitea:` (empty) → invalid reference format. `REGISTRY_TOKEN` had the same defect (remote `docker login` would have received the literal string `$REGISTRY_TOKEN`), and `HEALTH_FMT` was defined on the runner but referenced remotely. This was **not** caused by the org-governance code — that compiles and vets clean locally (`go build ./...` clean, `go vet` clean on 380 packages). ## Fix - Inject the two runner-side values as an **env prefix on the ssh command**: `TAG='...' REGISTRY_TOKEN='...' bash -s`. - Switch to a **quoted** heredoc (`<<'DEPLOY_EOF'`) so every `$var` in the script expands in exactly one place — the remote host. Removes the fragile local/remote expansion mix that caused the bug. - Move `HEALTH_FMT` into the remote script body. - Add an explicit **empty-TAG guard** so any future regression fails loudly with a clear message instead of building an untagged image. Actions `${{ env.* }}` expressions are unaffected (templated before bash runs, independent of heredoc quoting). ## Validation - YAML parses cleanly; no trailing whitespace. - Once merged to `dev`, the push auto-triggers `deploy-dev.yml` — this is the real runtime gate for #733 (image builds, migrations 362–366 apply, container reports healthy). https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT
jmiller added 1 commit 2026-07-05 06:09:04 +00:00
fix(ci): pass TAG/REGISTRY_TOKEN into remote shell in dev deploy
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Generic: Project CI / Lint & Validate (pull_request) Successful in 37s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 1m7s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m12s
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 1s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
3917bf6a29
The dev deploy step used an unquoted SSH heredoc and referenced
runner-side values as \$TAG / \$REGISTRY_TOKEN, deferring their
expansion to the remote shell where those names are unset. The
Docker build tag collapsed to "mokogitea:" and every dev deploy
failed with `invalid tag ... invalid reference format` before any
migration or server boot could run.

Inject TAG and REGISTRY_TOKEN as an env prefix on the ssh command
(`TAG='...' REGISTRY_TOKEN='...' bash -s`) and switch to a quoted
heredoc so every $var expands in exactly one place: the remote host.
Also fixes HEALTH_FMT (was defined on the runner but referenced
remotely) and adds an explicit empty-TAG guard so a future
regression fails loudly instead of building an untagged image.

Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT
jmiller merged commit 2713c49aec into dev 2026-07-05 06:15:11 +00:00
jmiller deleted branch fix/deploy-dev-var-expansion 2026-07-05 06:15:12 +00:00
Sign in to join this conversation.