forgejo_admin/pal-e-platform
1
0
Fork 1
Code Issues 38 Pull requests Projects Releases Packages Wiki Activity Actions

feat: add lock-aware retry to CI apply step #98

New issue
Closed
opened 2026-03-17 04:00:31 +00:00 by forgejo_admin · 0 comments
forgejo_admin commented 2026-03-17 04:00:31 +00:00
Owner
Copy link

Lineage

phase-platform-17b-tf-state-governance -> Phase 17b.1 (CI Lock Recovery)

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want the CI apply step to automatically detect and recover from stale state locks
So that a crashed apply does not block all deployments on main

Context

Every merge to main triggers tofu apply. If a previous apply crashed and left a state lock, the pipeline fails and blocks ALL deployments. This happened with pipeline #80. Currently the only recovery is manual intervention: SSH into the cluster, extract the lock ID from the error output, and run tofu force-unlock. This is a DORA MTTR problem -- stale locks should be auto-recovered.

File Targets

Files the agent should modify:

  • .woodpecker.yaml -- replace the single tofu apply command in the apply step with a lock-aware retry script

Files the agent should NOT touch:

  • terraform/ -- no .tf file changes needed
  • salt/ -- no Salt changes needed

Acceptance Criteria

  • When tofu apply fails with "the state is already locked", the script extracts the lock ID, runs tofu force-unlock -force, and retries apply once
  • When tofu apply fails with any other error, the step fails normally with the original exit code
  • When tofu apply succeeds on first attempt, the step succeeds normally
  • The script is POSIX sh compatible (Alpine/BusyBox -- no bash, no grep -P, no PIPESTATUS)

Test Expectations

  • YAML validation: .woodpecker.yaml parses as valid YAML after edit
  • Shell compatibility: script uses only POSIX sh constructs (no bashisms)
  • No .tf files changed, so tofu fmt -check -recursive should still pass

Constraints

  • The apply step image is ghcr.io/opentofu/opentofu:1.9 (Alpine-based, sh not bash)
  • BusyBox grep does not support -P (Perl regex) -- use sed for extraction
  • $? after a pipe returns exit code of last command (tee), not tofu -- use subshell + temp file approach
  • Must preserve existing step structure (environment vars, when conditions, etc.)

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • pal-e-platform -- project this affects
  • phase-platform-17b-tf-state-governance -- parent phase
### Lineage `phase-platform-17b-tf-state-governance` -> Phase 17b.1 (CI Lock Recovery) ### Repo `forgejo_admin/pal-e-platform` ### User Story As a platform operator I want the CI apply step to automatically detect and recover from stale state locks So that a crashed apply does not block all deployments on main ### Context Every merge to main triggers `tofu apply`. If a previous apply crashed and left a state lock, the pipeline fails and blocks ALL deployments. This happened with pipeline #80. Currently the only recovery is manual intervention: SSH into the cluster, extract the lock ID from the error output, and run `tofu force-unlock`. This is a DORA MTTR problem -- stale locks should be auto-recovered. ### File Targets Files the agent should modify: - `.woodpecker.yaml` -- replace the single `tofu apply` command in the apply step with a lock-aware retry script Files the agent should NOT touch: - `terraform/` -- no .tf file changes needed - `salt/` -- no Salt changes needed ### Acceptance Criteria - [ ] When `tofu apply` fails with "the state is already locked", the script extracts the lock ID, runs `tofu force-unlock -force`, and retries apply once - [ ] When `tofu apply` fails with any other error, the step fails normally with the original exit code - [ ] When `tofu apply` succeeds on first attempt, the step succeeds normally - [ ] The script is POSIX sh compatible (Alpine/BusyBox -- no bash, no grep -P, no PIPESTATUS) ### Test Expectations - [ ] YAML validation: `.woodpecker.yaml` parses as valid YAML after edit - [ ] Shell compatibility: script uses only POSIX sh constructs (no bashisms) - [ ] No .tf files changed, so `tofu fmt -check -recursive` should still pass ### Constraints - The apply step image is `ghcr.io/opentofu/opentofu:1.9` (Alpine-based, sh not bash) - BusyBox grep does not support `-P` (Perl regex) -- use `sed` for extraction - `$?` after a pipe returns exit code of last command (tee), not tofu -- use subshell + temp file approach - Must preserve existing step structure (environment vars, when conditions, etc.) ### Checklist - [ ] PR opened - [ ] Tests pass - [ ] No unrelated changes ### Related - `pal-e-platform` -- project this affects - `phase-platform-17b-tf-state-governance` -- parent phase
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
188-cross-repo-worktree-isolation-for-parall
111-fix-keycloak-probe
86-fix-rotate-woodpecker-api-token-in-salt
71-feat-deploy-pyrra-slo-manager-with-servi
64-hotfix-woodpecker-oauth-login-broken-for
18-fix-grafana-duplicate-default-datasource-v2
18-fix-grafana-duplicate-default-datasource
13-fix-cnpg-all-parameters
No results found.
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo_admin/pal-e-platform#98
No description provided.