will.anderson/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: will.anderson/infrastructure:main
Branches Tags
will.anderson/infrastructure:main will.anderson/infrastructure:fix/remove-duplicate-runner-deployment will.anderson/infrastructure:fix/marketing-hpa-min-replicas will.anderson/infrastructure:feature/runner-public-url-cf-access will.anderson/infrastructure:fix/dharma-network-policy will.anderson/infrastructure:feature/runner-cf-access-service-token will.anderson/infrastructure:revert/runner-url will.anderson/infrastructure:fix/gitea-runner-public-url will.anderson/infrastructure:fix/dharma-prod-502 will.anderson/infrastructure:feature/dharma-pinned-image-tag
...
pull from: will.anderson/infrastructure:feature/dharma-pinned-image-tag
Branches Tags
will.anderson/infrastructure:main will.anderson/infrastructure:fix/remove-duplicate-runner-deployment will.anderson/infrastructure:fix/marketing-hpa-min-replicas will.anderson/infrastructure:feature/runner-public-url-cf-access will.anderson/infrastructure:fix/dharma-network-policy will.anderson/infrastructure:feature/runner-cf-access-service-token will.anderson/infrastructure:revert/runner-url will.anderson/infrastructure:fix/gitea-runner-public-url will.anderson/infrastructure:fix/dharma-prod-502 will.anderson/infrastructure:feature/dharma-pinned-image-tag

1 Commits
main ... feature/dharma-pinned-image-tag

Author SHA1 Message Date
Will Anderson 24c2b056ab dharma: pin deployment image to SHA tag (placeholder) 
Replaces `:latest` + `imagePullPolicy: Always` with a content-
addressable SHA tag produced by the dharma-el ci-prod workflow. The
deployed image is now deterministic and rollback is `git revert` of
this file.

`PINNED_BY_NEXT_BUILD` is a deliberate placeholder — Argo CD will fail
to reconcile (ImagePullBackOff) until a human replaces it with a real
short SHA. That failure is the forcing function: prod only gets a new
image via a PR that names a real, built tag.

This PR is opened as a draft. Do not merge until:
  1. dharma-el#1 (feature/ci-prod-image-build) is merged
  2. Dharma CI — prod runs on main and produces a SHA-tagged image
  3. The placeholder here is replaced with that SHA

`imagePullPolicy: Always` is left in place for now — redundant once
we're on SHA tags but removing it in the same PR adds risk. Drop it
in a follow-up.
 2026-05-04 15:26:36 -05:00
1 changed files with 13 additions and 2 deletions
Expand all files Collapse all files
servers/legion/k8s/neuron-technologies/dharma/deployment.yaml
+13 -2
View File
@@ -25,8 +25,19 @@ spec:
type: RuntimeDefault
containers:
- name: dharma
image: registry.neuralplatform.ai/neuron-technologies/dharma:latest
imagePullPolicy: Always
# Pinned to a content-addressable SHA tag instead of :latest so the
# deployed image is deterministic and rollback is `git revert`. The
# tag is produced by the dharma-el ci-prod.yaml workflow on every
# push to main: registry.neuralplatform.ai/neuron-technologies/
# dharma:<short-sha>.
#
# PINNED_BY_NEXT_BUILD is a deliberate placeholder. It will fail to
# pull (ImagePullBackOff) until a human replaces it with a real
# short SHA from a successful ci-prod run. That failure is the
# forcing function: the only way prod gets a new image is by
# opening a PR that names a real, built tag.
image: registry.neuralplatform.ai/neuron-technologies/dharma:PINNED_BY_NEXT_BUILD
imagePullPolicy: Always # redundant once on SHA tags; remove in a follow-up
ports:
- name: http
containerPort: 8765