Skip to content

Gate backend prod deploys on blessing#9203

Closed
Git-on-my-level wants to merge 3 commits into
mainfrom
codex/python-backend-prod-blessing-gate
Closed

Gate backend prod deploys on blessing#9203
Git-on-my-level wants to merge 3 commits into
mainfrom
codex/python-backend-prod-blessing-gate

Conversation

@Git-on-my-level

@Git-on-my-level Git-on-my-level commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • add typed override inputs to gcp_backend.yml
  • gate only prod backend deploys on the exact python-backend blessing release
  • compute deploy image/revision identity from the checked-out ref instead of raw GITHUB_SHA
  • add a workflow policy guard so the gate stays before GCP auth/build/deploy mutations

Stack

  1. Add release blessing surface registry #9201 — Release blessing surface registry
  2. Add Python backend blessing command #9202 — Python backend blessing command
  3. Gate backend prod deploys on blessing #9203 — this PR
  4. Require backend blessing for desktop promotion #9204 — Desktop promotion requires backend blessing

Verification

  • python3 .github/scripts/check-backend-prod-promotion-policy.py
  • python3 .github/scripts/test_check_python_backend_blessing.py
  • python3 .github/scripts/test_release_blessing.py
  • YAML parse check for .github/workflows/gcp_backend.yml
  • pre-push hook passed for the full stack, including OpenAPI checks

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6c20f0e12e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/gcp_backend.yml Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 2 files

Confidence score: 1/5

  • In .github/workflows/gcp_backend.yml, the prod blessing check is attached to repair-traffic instead of deploy, so the default mode: deploy path can promote to prod without validation; merging as-is creates a direct policy bypass on normal releases — move the blessing gate into the deploy job (or a shared prerequisite) before merging.
  • In .github/scripts/check-backend-prod-promotion-policy.py, the text.find()-based ordering logic can treat checks in different jobs as if they were in the same sequence, so the guard may report compliant workflows that still bypass enforcement; merging as-is leaves the protection unreliable even after workflow edits — update the parser to validate ordering within the correct job scope and add a failing test for this bypass case before merging.

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread .github/workflows/gcp_backend.yml Outdated
Comment thread .github/scripts/check-backend-prod-promotion-policy.py
@Git-on-my-level Git-on-my-level force-pushed the codex/python-backend-bless-command branch from 85e8a15 to a614fb3 Compare July 7, 2026 07:33
@Git-on-my-level Git-on-my-level force-pushed the codex/python-backend-prod-blessing-gate branch from 6c20f0e to 70c69a7 Compare July 7, 2026 07:33
@Git-on-my-level

Copy link
Copy Markdown
Collaborator Author

Reviewed the outstanding Codex P1 review thread ("Move backend blessing validation into deploy job"). No code change was needed — the thread was left on an earlier diff and is already addressed by the current code on this branch:

  • The Validate prod Python backend blessing step runs inside the deploy job (gated on mode == 'deploy'), positioned before Google Auth, the Docker image build, and the Cloud Run deploy steps. An unblessed SHA cannot reach prod via the normal deploy path.
  • The repair-traffic job (mode == 'repair-traffic-only') contains no deploy mutations, so no blessing gate applies there by design.
  • The parallel Cubic P0 thread raising the same concern was already resolved.

Verification run locally against this branch (all passed):

  • python3 .github/scripts/check-backend-prod-promotion-policy.py — policy OK (confirms the blessing step precedes auth/build/deploy mutations)
  • python3 .github/scripts/test_check_python_backend_blessing.py — tests OK
  • python3 .github/scripts/test_release_blessing.py — tests OK
  • YAML parse check for .github/workflows/gcp_backend.yml — OK

The outdated Codex P1 thread has been resolved.

@kodjima33 kodjima33 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gate backend prod deploys on blessing — approve-only; modifies gcp_backend.yml deploy workflow, needs Nik.

Base automatically changed from codex/python-backend-bless-command to main July 7, 2026 20:54
@Git-on-my-level Git-on-my-level marked this pull request as draft July 7, 2026 20:54
@Git-on-my-level

Copy link
Copy Markdown
Collaborator Author

Will wait for existing blessing infra to bake first

@Git-on-my-level

Copy link
Copy Markdown
Collaborator Author

Superseded by #9399.

#9201/#9202 already landed on main; #9399 rebuilds only the remaining prod deploy gate + policy guard on current main (without the stale branch deletions). Closing this PR in favor of that one.

@Git-on-my-level

Copy link
Copy Markdown
Collaborator Author

Closing as superseded by #9399.

@github-actions

Copy link
Copy Markdown
Contributor

Hey @Git-on-my-level 👋

Thank you so much for taking the time to contribute to Omi! We truly appreciate you putting in the effort to submit this pull request.

After careful review, we've decided not to merge this particular PR. Please don't take this personally — we genuinely try to merge as many contributions as possible, but sometimes we have to make tough calls based on:

  • Project standards — Ensuring consistency across the codebase
  • User needs — Making sure changes align with what our users need
  • Code best practices — Maintaining code quality and maintainability
  • Project direction — Keeping aligned with our product principles and locked invariants

Before your next PR, please skim:

  • PRODUCT.md — product north star
  • Product invariants — locked rules (shared chat, memory tiers, agent control plane, integrations, brand)

If this was declined for direction or taste, maintainers should cite an invariant ID or open a proposed one — ask if that citation is missing.

Your contribution is still valuable to us, and we'd love to see you contribute again in the future! If you'd like feedback on how to improve this PR or want to discuss alternative approaches, please don't hesitate to reach out.

Thank you for being part of the Omi community!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants