Merged
50 changes: 50 additions & 0 deletions .github/workflows/deploy-azure.yml
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,18 @@ jobs:
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

- name: Set up Node
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
with:
node-version: "24"
cache: pnpm

- name: Enable Corepack
run: corepack enable

- name: Install smoke dependencies
run: pnpm install --frozen-lockfile

- name: Install OpenTofu
uses: opentofu/setup-opentofu@847eaa4afeb791b06daa46e8eafa8b1b68d7cfb4 # v2.0.1

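Review bot: in the `Set up Node` step, `cache: pnpm` is resolved while `actions/setup-node` runs, but pnpm only becomes available in the `Enable Corepack` step that follows it. setup-node needs the pnpm binary on PATH to locate the store, so on a runner without pnpm preinstalled this step fails before Corepack is enabled. Move `corepack enable` ahead of `actions/setup-node`, or install pnpm first with a pinned action. Separately, `pnpm install --frozen-lockfile` installs the full dependency tree inside the deploy job; if the smoke script only needs `tsx` and Node built-ins, consider `--ignore-scripts` or a filtered install so less third-party code runs alongside the deployment steps.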
Expand Down Expand Up @@ -141,6 +153,7 @@ jobs:

{
echo "resource_group_name=$(tofu output -raw resource_group_name)"
echo "app_endpoint=$(tofu output -raw app_endpoint)"
echo "app_container_app_name=$(tofu output -raw app_container_app_name)"
echo "worker_container_app_name=$(tofu output -raw worker_container_app_name)"
echo "migration_job_name=$(tofu output -raw migration_job_name)"
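Review bot: the added `echo "app_endpoint=$(tofu output -raw app_endpoint)"` cannot fail the step, because the exit status of a command substitution inside an `echo` argument is discarded. If the output is missing, an empty `app_endpoint` is written to `$GITHUB_OUTPUT` and the problem only surfaces later as a smoke configuration error. Since the smoke step uses this value as its target, assign it to a variable first, fail when it is empty, and consider checking that it is an `https://` URL before exporting it.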
Expand Down Expand Up @@ -251,6 +264,41 @@ jobs:
echo "worker_revision=$worker_revision"
} >> "$GITHUB_OUTPUT"

- name: Smoke verify deployment
id: smoke
if: ${{ steps.promote-app-worker.outcome == 'success' }}
shell: bash
env:
TARGET_ENVIRONMENT: ${{ inputs.environment }}
APP_ENDPOINT: ${{ steps.provision.outputs.app_endpoint }}
RESOURCE_GROUP: ${{ steps.provision.outputs.resource_group_name }}
APP_CONTAINER_APP_NAME: ${{ steps.provision.outputs.app_container_app_name }}
WORKER_CONTAINER_APP_NAME: ${{ steps.provision.outputs.worker_container_app_name }}
MIGRATION_JOB_NAME: ${{ steps.provision.outputs.migration_job_name }}
MIGRATION_EXECUTION: ${{ steps.migrate.outputs.migration_execution }}
run: |
set +e
output="$(pnpm run smoke:azure -- \
--environment "$TARGET_ENVIRONMENT" \
--app-endpoint "$APP_ENDPOINT" \
--resource-group "$RESOURCE_GROUP" \
--app-name "$APP_CONTAINER_APP_NAME" \
--worker-name "$WORKER_CONTAINER_APP_NAME" \
--migration-job-name "$MIGRATION_JOB_NAME" \
--migration-execution "$MIGRATION_EXECUTION" 2>&1)"
status=$?
set -e

printf '%s\n' "$output"
{
echo "### Azure deployment smoke"
echo
echo '```text'
printf '%s\n' "$output"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
exit "$status"

- name: Report deployment
id: report
if: ${{ always() }}
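Review bot: the `2>&1` on the `pnpm run smoke:azure` capture sends everything pnpm, Node and any child process write to stderr into `$output`, which is then appended verbatim to `$GITHUB_STEP_SUMMARY`. The sanitization described in docs/azure-deploy-smoke.md only helps if it covers that stream too. Either confirm the wrapper sanitizes stderr as well, or capture stderr separately and keep it out of the summary. Also, `MIGRATION_EXECUTION` has no fallback in this step (the report step uses `|| 'n/a'`), so an empty output is passed as `--migration-execution ""`; decide whether the verifier should treat that as missing configuration (exit `2`) or whether the flag should be omitted when the value is empty.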
Expand All @@ -261,6 +309,7 @@ jobs:
MIGRATION_EXECUTION: ${{ steps.migrate.outputs.migration_execution || 'n/a' }}
APP_REVISION: ${{ steps.promote-app-worker.outputs.app_revision || 'not-promoted' }}
WORKER_REVISION: ${{ steps.promote-app-worker.outputs.worker_revision || 'not-promoted' }}
SMOKE_RESULT: ${{ steps.smoke.outcome || 'not-run' }}
run: |
{
echo "### Azure deployment"
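Review bot: in `SMOKE_RESULT: ${{ steps.smoke.outcome || 'not-run' }}` the `'not-run'` fallback is effectively unreachable. When the `smoke` step's `if:` is false or an earlier step fails, `steps.smoke.outcome` is the non-empty string `skipped`, so the summary prints `skipped` rather than `not-run`. Drop the fallback or map `skipped` explicitly so the report wording matches what operators will actually see.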
Expand All @@ -270,4 +319,5 @@ jobs:
echo "- Migration execution: $MIGRATION_EXECUTION"
echo "- App revision: $APP_REVISION"
echo "- Worker revision: $WORKER_REVISION"
echo "- Smoke result: $SMOKE_RESULT"
} >> "$GITHUB_STEP_SUMMARY"
2 changes: 1 addition & 1 deletion .specify/feature.json
@@ -1,3 +1,3 @@
{
"feature_directory": "specs/019-logging-standardization"
"feature_directory": "specs/020-deploy-smoke-verification"
}
9 changes: 6 additions & 3 deletions AGENTS.md
@@ -1,6 +1,6 @@
# webapp-template Development Guidelines

Auto-generated from all feature plans. Last updated: 2026-06-10
Auto-generated from all feature plans. Last updated: 2026-06-11

## Workflow First Step

Expand All @@ -10,6 +10,9 @@ Auto-generated from all feature plans. Last updated: 2026-06-10

## Active Technologies

- TypeScript 5.9 on Node.js via the existing `tsx` dev dependency + Node built-ins, existing `tsx`, Azure CLI available in deployment runners (020-deploy-smoke-verification)
- No new storage; smoke evidence remains command output and GitHub step summary (020-deploy-smoke-verification)

- TypeScript 5.9 on Next.js 16 App Router with React 19; Python 3.12 worker; PowerShell/Node validation scripts + Existing `src/lib/logger.ts`, `src/proxy.ts`, `src/instrumentation.ts`, Prisma-backed services, Python stdlib `logging`/`json`, Vitest, Playwright, existing validation scripts (019-logging-standardization)
- No new storage; operational logs remain process output; audit records remain Prisma-backed and separate (019-logging-standardization)

Expand Down Expand Up @@ -38,11 +41,11 @@ TypeScript 5.9 on Next.js 16 App Router (React 19): Follow standard conventions

## Recent Changes

- 020-deploy-smoke-verification: Added TypeScript 5.9 on Node.js via the existing `tsx` dev dependency + Node built-ins, existing `tsx`, Azure CLI available in deployment runners

- 019-logging-standardization: Added TypeScript 5.9 on Next.js 16 App Router with React 19; Python 3.12 worker; PowerShell/Node validation scripts + Existing `src/lib/logger.ts`, `src/proxy.ts`, `src/instrumentation.ts`, Prisma-backed services, Python stdlib `logging`/`json`, Vitest, Playwright, existing validation scripts

- 017-deepsec-remediation: Added TypeScript 5.9 on Next.js 16 App Router, React 19, Python 3.12 worker where affected, PowerShell validation scripts + Prisma 7, Better Auth, Zod, Vitest, Playwright, GitHub Actions, GoReleaser, DeepSec 2.0.12

- 011-route-refactor: Added TypeScript 5.9 on Next.js 16 App Router (React 19) + Next.js 16, React 19, Prisma 7, Better Auth, Zod, Vitest, Playwright, jscpd

<!-- MANUAL ADDITIONS START -->
<!-- MANUAL ADDITIONS END -->
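Review bot: the new `020-deploy-smoke-verification` entry names `tsx` twice ("via the existing `tsx` dev dependency + Node built-ins, existing `tsx`"), and the same wording appears under Active Technologies. Because this file is auto-generated from feature plans, fix the duplication in the plan's technology fields rather than editing the text here.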
31 changes: 21 additions & 10 deletions CONTINUE.md
@@ -1,32 +1,43 @@
# Continue

<!-- continuity:fingerprint=4376c089bd8016bcf5e4bf8720d58b0cd4bf0ab82f696a4b71865f0f10253425 -->
<!-- continuity:fingerprint=c60c207709f1635bb984a3f99c674da37d6907d780c2b1e2321a129e907e6d15 -->

## Current Snapshot

- Updated: 2026-06-11 09:27:00
- Branch: `main`
- Updated: 2026-06-11 11:06:34
- Branch: `020-deploy-smoke-verification`

## Recent Non-Continuity Commits

- 34de987 chore: record clean handoff
- 3d52264 fix: move state queue logging to dedicated resource
- 25306fd chore: refresh specs overview
- dd226de test: update opentofu action pin assertion
- 9b92cb5 ci: update opentofu setup action
- fdf3418 chore: close completed active specs

## Git Status

- M CONTINUE.md
- M CONTINUE_LOG.md
- M infra/azure/bootstrap/main.tf
- M .github/workflows/deploy-azure.yml
- M .specify/feature.json
- M ACTIVE_SPECS.md
- M AGENTS.md
- M package.json
- M specs/018-opentofu-azure-infra/quickstart.md
- M specs/OVERVIEW.md
- M tests/unit/security/deploy-workflow.test.ts
- ?? docs/azure-deploy-smoke.md
- ?? scripts/azure-deploy-smoke.ts
- ?? scripts/run-azure-deploy-smoke.mjs
- ?? specs/020-deploy-smoke-verification/
- ?? tests/integration/azure-deploy-smoke-cli.test.ts
- ?? tests/unit/azure-deploy-smoke.test.ts

## Active Specs

- None

## Next Recommended Actions

1. Commit and push the OpenTofu AzureRM v5 compatibility cleanup.
2. Confirm main validation after the cleanup commit.
3. Start the next feature/spec.
1. Commit and push `020-deploy-smoke-verification`.
2. Open a pull request for the deployment smoke verification feature.
3. Confirm GitHub Actions validation, then merge if green.
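Review bot: the committed snapshot records a pre-commit working tree: `Branch: 020-deploy-smoke-verification`, a Git Status block that lists the new scripts and tests as `??`, and next actions that begin with "Commit and push". Once this merges, `main` carries those lines as its current state. Regenerate the snapshot after the final commit, or keep working-tree status out of the tracked file.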
16 changes: 16 additions & 0 deletions CONTINUE_LOG.md
Expand Up @@ -1493,3 +1493,19 @@
- OpenTofu infrastructure validation no longer emits the AzureRM queue properties deprecation warning.
- Active specs: none.
- Next focus: commit/push this maintenance cleanup and confirm main validation.

## 2026-06-11 10:53:57

- Branch snapshot refreshed for `020-deploy-smoke-verification`.
- Latest non-continuity commit: 3d52264 fix: move state queue logging to dedicated resource.
- Active specs: 018-opentofu-azure-infra, 020-deploy-smoke-verification.
- Next focus: 020-deploy-smoke-verification: T020.

## 2026-06-11 11:06:34

- Implemented spec `020-deploy-smoke-verification` on branch `020-deploy-smoke-verification`.
- Added `pnpm run smoke:azure` with a TypeScript smoke verifier for app health, migration execution, app revision health, and worker revision health.
- Wired smoke verification into `.github/workflows/deploy-azure.yml` after app/worker revision promotion and added operator documentation.
- Validation passed: focused smoke/workflow tests and `.\validate.ps1 all`.
- Active specs: none.
- Next focus: commit/push the feature branch, open a PR, and confirm GitHub Actions validation.
46 changes: 46 additions & 0 deletions docs/azure-deploy-smoke.md
@@ -0,0 +1,46 @@
# Azure Deploy Smoke Verification

Use the Azure deploy smoke check after a deployment to prove that the app endpoint, migration job, web revision, and worker revision are healthy.

## Prerequisites

- Azure CLI authenticated for the target subscription.
- Values from the Azure OpenTofu outputs or the deployment workflow summary.
- Project dependencies installed with `pnpm install --frozen-lockfile`.

## Local Run

```bash
cd infra/azure

pnpm --dir ../.. run smoke:azure -- \
--environment dev \
--app-endpoint "$(tofu output -raw app_endpoint)" \
--resource-group "$(tofu output -raw resource_group_name)" \
--app-name "$(tofu output -raw app_container_app_name)" \
--worker-name "$(tofu output -raw worker_container_app_name)" \
--migration-job-name "$(tofu output -raw migration_job_name)"
```

The command exits `0` only when all required checks pass. It exits `1` when a smoke check fails and `2` when configuration is missing or invalid.

## JSON Output

Use `--json` when another tool needs the smoke result.

```bash
pnpm run smoke:azure -- --json --environment dev ...
```

The JSON report includes the target environment, overall status, and one result per check. Output is sanitized before printing.

## GitHub Actions

The `Deploy Azure` workflow runs smoke verification after migration success and app/worker revision promotion. The workflow fails if smoke verification fails, and the GitHub step summary includes the sanitized smoke output.

## Troubleshooting

- `app-health` failed: open the checked `/api/health` URL, inspect database health, and check recent app logs.
- `migration` failed: inspect the named Container Apps Job execution.
- `app-revision` or `worker-revision` failed: inspect active revisions for the named Container App.
- Configuration failed: confirm the workflow variables and OpenTofu outputs match the target environment.
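Review bot: the Local Run example omits `--migration-execution`, which the workflow always passes, and the page does not say which execution the `migration` check inspects when the flag is absent. Document the flag and its default behavior. The statements that output is "sanitized" would also be more useful if they said which values are redacted, so operators know whether the JSON report and step summary are safe to copy into tickets.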
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -21,6 +21,7 @@
"quality:python": "node scripts/check-python-quality.mjs",
"quality:cli": "node scripts/check-cli-quality.mjs",
"logging:guard": "node scripts/check-logging-guard.mjs",
"smoke:azure": "node scripts/run-azure-deploy-smoke.mjs",
"supply-chain:audit": "pwsh -NoProfile -ExecutionPolicy Bypass -File scripts/supply-chain-audit.ps1",
"validate:runtime-credentials": "pwsh -NoProfile -ExecutionPolicy Bypass -File scripts/validate-runtime-credentials.ps1 -SelfTest",
"worker:lint": "cd worker && uv run ruff check src tests",