fix(ci): address code review findings for parallel deployments

1. postgres-cred.yaml in-place edit race: configure_external_postgres_db
   now patches a temp copy instead of editing the shared template via
   sed_inplace. Same class of bug fixed in apply_yaml_files.

2. Unquoted ${NAME_SPACE} in namespace::configure calls: quote both
   occurrences (lines 553, 721) to prevent word-splitting.

3. mktemp in helm::merge_values overwrite path: move mktemp + trap
   inside the "merge" branch so the "overwrite" path doesn't create
   and immediately discard two unused temp files.

4. Remove redundant "Waiting for parallel deployments" log::section
   that fires right before the blocking wait calls — the bookend
   sections are sufficient.

Author: gustavolira

.ci/pipelines/lib/helm.sh

@@ -39,13 +39,13 @@ helm::merge_values() {
     return 1
   fi
 
-  # Use unique temp files per invocation to support parallel deployments
-  local step_1_file step_2_file
-  step_1_file=$(mktemp "${TMPDIR:-/tmp}/helm-merge-step1-XXXXXX.yaml")
-  step_2_file=$(mktemp "${TMPDIR:-/tmp}/helm-merge-step2-XXXXXX.yaml")
-  trap 'rm -f "${step_1_file}" "${step_2_file}"' RETURN
-
   if [[ "$plugin_operation" == "merge" ]]; then
+    # Temp files only needed for the merge path; overwrite writes directly to final_file
+    local step_1_file step_2_file
+    step_1_file=$(mktemp "${TMPDIR:-/tmp}/helm-merge-step1-XXXXXX.yaml")
+    step_2_file=$(mktemp "${TMPDIR:-/tmp}/helm-merge-step2-XXXXXX.yaml")
+    trap 'rm -f "${step_1_file}" "${step_2_file}"' RETURN
+
     # Step 1: Merge files, excluding the .global.dynamic.plugins key
     # Values from `diff_file` override those in `base_file`
     yq eval-all '

.ci/pipelines/utils.sh

@@ -281,15 +281,21 @@ configure_external_postgres_db() {
 
   # Now we can safely get the password
   POSTGRES_PASSWORD=$(oc get secret/postgress-external-db-pguser-janus-idp -n "${NAME_SPACE_POSTGRES_DB}" -o jsonpath='{.data.password}')
-  common::sed_inplace "s|POSTGRES_PASSWORD:.*|POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}|g" "${DIR}/resources/postgres-db/postgres-cred.yaml"
   POSTGRES_HOST=$(common::base64_encode "postgress-external-db-primary.$NAME_SPACE_POSTGRES_DB.svc.cluster.local")
-  common::sed_inplace "s|POSTGRES_HOST:.*|POSTGRES_HOST: ${POSTGRES_HOST}|g" "${DIR}/resources/postgres-db/postgres-cred.yaml"
+
+  # Patch a temp copy instead of editing the shared template in-place (parallel-deployment safe)
+  local pg_cred_file
+  pg_cred_file=$(mktemp "${TMPDIR:-/tmp}/postgres-cred-${project}-XXXXXX.yaml")
+  sed "s|POSTGRES_PASSWORD:.*|POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}|g;s|POSTGRES_HOST:.*|POSTGRES_HOST: ${POSTGRES_HOST}|g" \
+    "${DIR}/resources/postgres-db/postgres-cred.yaml" > "${pg_cred_file}"
 
   # Validate final configuration apply
-  if ! oc apply -f "${DIR}/resources/postgres-db/postgres-cred.yaml" --namespace="${project}"; then
+  if ! oc apply -f "${pg_cred_file}" --namespace="${project}"; then
+    rm -f "${pg_cred_file}"
     log::error "Failed to apply PostgreSQL credentials"
     return 1
   fi
+  rm -f "${pg_cred_file}"
 
   log::success "External PostgreSQL database configured successfully!"
 }
@@ -550,7 +556,7 @@ base_deployment() {
   common::require_vars "RELEASE_NAME" "TAG_NAME" "IMAGE_REGISTRY" "IMAGE_REPO" "K8S_CLUSTER_ROUTER_BASE" || return 1
   local artifacts_subdir=$1
 
-  namespace::configure ${NAME_SPACE}
+  namespace::configure "${NAME_SPACE}"
 
   deploy_redis_cache "${NAME_SPACE}"
 
@@ -680,7 +686,6 @@ _run_parallel_deployments() {
   local rbac_pid=$!
   log::info "RBAC deployment started in background (PID: ${rbac_pid})"
 
-  log::section "Waiting for parallel deployments to complete..."
   local base_rc=0 rbac_rc=0
   wait "${base_pid}" || base_rc=$?
   wait "${rbac_pid}" || rbac_rc=$?
@@ -718,7 +723,7 @@ base_deployment_osd_gcp() {
   common::require_vars "RELEASE_NAME" "TAG_NAME" "IMAGE_REGISTRY" "IMAGE_REPO" "K8S_CLUSTER_ROUTER_BASE" || return 1
   local artifacts_subdir=$1
 
-  namespace::configure ${NAME_SPACE}
+  namespace::configure "${NAME_SPACE}"
 
   deploy_redis_cache "${NAME_SPACE}"