feat(ci): post-deploy verification for managed and enterprise orgs#1672
Open
joelorzet wants to merge 7 commits into
Open
feat(ci): post-deploy verification for managed and enterprise orgs#1672joelorzet wants to merge 7 commits into
joelorzet wants to merge 7 commits into
Conversation
A separate pipeline that runs after the entire prod CI Pipeline finishes green (workflow_run) and confirms managed and enterprise organizations are executing workflows correctly on the just-shipped build. - new HMAC-authed internal endpoint reads recent execution outcomes for the managed slugs plus enterprise-plan orgs and flags error-rate regressions - runs in-cluster (internal routes are WAF-blocked on the public host), signing like digest-cron.sh and curling the in-pod service URL - per-org detail goes to internal observability only; public CI logs and the chat alert carry aggregate counts so customer data is not exposed - extract the managed-client slug list into a shared dependency-free module
…ardcoded slugs Replace the hardcoded managed-client slug list with getManagedOrgSlugs(), parsed from MANAGED_ORGS_CONFIG (a JSON dict injected at deploy from Parameter Store). This keeps client identities out of the public source; the metrics scraper and the post-deploy verification route now read the same env-sourced list. Empty/unset config yields no managed cohort (bounded gauge, safe default). Also scrub the remaining client names from the backfill script, unit-test fixtures, and code comments.
Replace the Discord notification with server-side PagerDuty paging: each flagged managed/enterprise org pages its own service via a per-client routing key (env sourced), deduped to one incident per org per deploy. Slugs and routing keys never enter the CI job. Add "no executions in the window" detection (P2) concluded on the loop's final poll, alongside system_error (P2) and user-error-rate (P3). The workflow passes final/deployId and now only fails the job red on problems; PagerDuty does the paging.
…meter Store Add MANAGED_ORGS_CONFIG + DEFAULT_PAGERDUTY_ROUTING_KEY to the app env and MANAGED_ORGS_CONFIG to the metrics-collector env in the keeperhub-stack values (prod + staging). Runtime env only -- no Docker build arg needed since these are not NEXT_PUBLIC and are read at request time.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
A separate pipeline that runs after the whole prod CI Pipeline finishes green and verifies that managed and enterprise organizations are executing workflows correctly on the just-shipped build. If an org regresses, it pages that client's own PagerDuty service. Client identities are sourced from AWS Parameter Store, not hardcoded in this (public) repo.
How it works
workflow_runon the "CI Pipeline" workflow completing with conclusion success on prod. It fires only once the whole run (build, e2e, deploy, release, docs-sync) is green, not after any single step.deploy/scripts/digest-cron.shand curls the in-pod service URL, polling once a minute for at most 5 minutes and stopping early on the first flagged org.GET /api/internal/post-deploy-verificationresolves the cohort (managed slugs plus any enterprise-plan org) gated to orgs with a schedule due in the window, then flags an org that has no executions, anysystem_error, or an error rate over the threshold.Monitoring window
Polls every minute for 5 minutes, anchored at the check start so only executions on the new build count. This was confirmed sufficient for the current managed clients given their execution cadence. The window and thresholds are query-param overridable from the workflow, so tuning does not need a code change.
Managed-client identities (Parameter Store, single source of truth)
MANAGED_ORGS_CONFIG(a JSON dict{"<slug>":{"pagerdutyRoutingKey":"..."}}) is injected at deploy from Parameter Store and read by both the metrics scraper (managed-client error gauge) and the verification route. Empty/unset yields no managed cohort (bounded gauge, safe default).Alerting (PagerDuty, per client)
DEFAULT_PAGERDUTY_ROUTING_KEYfor enterprise orgs without a dedicated service), deduped to one incident per org per deploy. Slugs and routing keys never enter the CI job.system_errorare P2; a user-error-rate spike is P3. "No executions" is concluded on the loop's final poll.Data exposure
This repository is public, so Actions logs are world readable. The pipeline surfaces only aggregate counts. Per-org slugs, names, and sample error text are written to internal observability and PagerDuty only, never to CI logs.
Deploy notes
NEXT_PUBLIC), so no Docker build arg is needed. Added to the keeperhub-stack values (prod + staging):MANAGED_ORGS_CONFIG+DEFAULT_PAGERDUTY_ROUTING_KEYon the app, andMANAGED_ORGS_CONFIGon the metrics-collector. The legacy standalone values underdeploy/keeperhub/anddeploy/metrics-collector/are not used by the stack deploy and were left untouched.managed-orgsanddefault-pagerduty-routing-keyParameter Store entries per env, and confirm the app/metrics IRSA SSM policy covers the path prefix. The pipeline needs no new AWS permissions.managed_org_slugs_regexat the same Parameter Store value so the cohort has one source across app and alerting.