Fix race condition in scheduled workflow by locking to commit hash (#293)

Savid · web-flow · commit 88329bc49481 · 2025-09-30T09:17:10.000+02:00
The scheduled workflow had a race condition where:
1. Check job fetches commit hash for a branch
2. Verifies no image exists for that hash
3. Triggers build with branch name (not hash)
4. Deploy checks out branch, which may have moved
5. Image tagged with old hash contains new code

Solution:
- Pass commit hash from check job through to deploy action
- Use commit hash for checkout when provided (scheduled builds)
- Fallback to branch name when not provided (manual builds)
- Fully backward compatible with existing workflows

Changes:
- scheduled.yml: Include source_commit in config output
- deploy.yml: Add optional source_commit input parameter
- deploy/action.yml: Use source_commit || source_ref for checkout
diff --git a/.github/actions/deploy/action.yml b/.github/actions/deploy/action.yml
@@ -10,6 +10,10 @@ inputs:
     description: The branch, tag or SHA to checkout and build from
     type: string
     required: true
+  source_commit:
+    description: The specific commit SHA to checkout (takes precedence over source_ref)
+    type: string
+    required: false
   build_script:
     description: The bash script path in this repository to run instead of the Docker build & push script. You must push the image yourself.
     type: string
@@ -77,7 +81,7 @@ runs:
     with:
       repository: ${{ inputs.source_repository }}
       path: source
-      ref: ${{ inputs.source_ref }}
+      ref: ${{ inputs.source_commit || inputs.source_ref }}
       fetch-depth: 0
   - name: get short git commit hash
     id: git_commit_hash
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -9,6 +9,10 @@ on:
         description: The branch, tag or SHA to checkout and build from
         type: string
         required: true
+      source_commit:
+        description: The specific commit SHA to checkout (takes precedence over source_ref)
+        type: string
+        required: false
       build_script:
         description: The bash script path in this repository to run instead of the Docker build & push script. You must push the image yourself.
         type: string
@@ -82,6 +86,7 @@ jobs:
       with:
         source_repository: ${{ inputs.source_repository }}
         source_ref: ${{ inputs.source_ref }}
+        source_commit: ${{ inputs.source_commit }}
         build_script: ${{ inputs.build_script }}
         build_args: ${{ inputs.build_args }}
         target_tag: ${{ inputs.target_tag }}-${{ matrix.config.slug }}
diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml
@@ -64,7 +64,8 @@ jobs:
               local RESPONSE=$(curl -s -H "Accept: application/vnd.github+json" \
                   -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
                   "https://api.github.com/repos/${SOURCE_REPOSITORY}/commits/${SOURCE_REF}?per_page=1")
-              local COMMIT_HASH=$(echo "$RESPONSE" | jq -r '.sha' | cut -c1-7)
+              local COMMIT_HASH_FULL=$(echo "$RESPONSE" | jq -r '.sha')
+              local COMMIT_HASH=$(echo "$COMMIT_HASH_FULL" | cut -c1-7)
 
               if [[ -z "$COMMIT_HASH" || "$COMMIT_HASH" == "null" ]]; then
                   # Log error but don't exit; just skip this configuration
@@ -75,7 +76,7 @@ jobs:
               local configOutput="${TEMP_DIR}/${LINE}_commits.json"
               touch $configOutput
 
-              echo "{\"line\": \"$LINE\", \"commit_hash\": \"$COMMIT_HASH\"}," >> $configOutput
+              echo "{\"line\": \"$LINE\", \"commit_hash\": \"$COMMIT_HASH\", \"commit_hash_full\": \"$COMMIT_HASH_FULL\"}," >> $configOutput
           }
 
           process_image() {
@@ -147,6 +148,7 @@ jobs:
           while IFS=$'\t' read -r LINE SOURCE_REPOSITORY SOURCE_REF TARGET_REPOSITORY TARGET_TAG; do
               # get the image commit hash from LINE
               COMMIT_HASH=$(echo "$COMMITS" | jq -r --arg LINE "$LINE" '.[] | select(.line == $LINE) | .commit_hash')
+              COMMIT_HASH_FULL=$(echo "$COMMITS" | jq -r --arg LINE "$LINE" '.[] | select(.line == $LINE) | .commit_hash_full')
               IMAGE_TAG="${TARGET_TAG}-${COMMIT_HASH}"
               IMAGE="${TARGET_REPOSITORY}:${IMAGE_TAG}"
               CLIENT="${TARGET_REPOSITORY#*/}"
@@ -165,7 +167,7 @@ jobs:
                 # convert to string
                 platformsOutput="{\"platforms\": \"[$platformsArr]\"}"
 
-                CONFIGS+=$(echo "$(yq -r -o=json ".[${LINE}]" "$CONFIG_FILE" | jq --argjson plat "$platformsOutput" '. + $plat'),")
+                CONFIGS+=$(echo "$(yq -r -o=json ".[${LINE}]" "$CONFIG_FILE" | jq --argjson plat "$platformsOutput" --arg commit "$COMMIT_HASH_FULL" '. + $plat + {source_commit: $commit}'),")
               fi
           done < <(yq -r 'to_entries | map_values({"value":.value, "index":.key}) | .[] | [.index, .value.source.repository, .value.source.ref, .value.target.repository, .value.target.tag] | @tsv' "$CONFIG_FILE")
 
@@ -187,6 +189,7 @@ jobs:
     with:
       source_repository: ${{ matrix.config.source.repository }}
       source_ref: ${{ matrix.config.source.ref }}
+      source_commit: ${{ matrix.config.source_commit }}
       build_script: ${{ matrix.config.build_script }}
       build_args: "${{ matrix.config.build_args }}"
       target_tag: ${{ matrix.config.target.tag }}
