feat(upgrade): changelog + impact table + confirm + pre-flight (additive; supersedes #457)#479
Merged
Merged
Conversation
…t (additive, #457) Re-lands the additive, non-conflicting parts of the stale PR #457 on top of the current v0.1.21 hardened `kars upgrade` flow — WITHOUT touching the repaired write path (image import → atomic Helm upgrade → mesh-first rolling restart → health-gated success → --atomic/rollback is byte-for-byte unchanged). New, all read-only: - Changelog summary before the confirm: annotated tag messages for the releases between current and target (fetchRecentReleases/releasesBetween/fetchTagMessage + summarizeChangelog). - Impact table: reads the live cluster and lists the controller + sandboxes that will be rolling-restarted, with readiness and running image. - Y/N confirmation before any write; auto-proceeds under --yes or non-TTY stdin (existing automation unaffected). - Pre-flight node-readiness gate: hard-blocks (no changes) only when EVERY node is NotReady, where the upgrade would otherwise time out + roll back. - Version-detection fallback: when the controller runs :latest with no karsRelease stamp, match the running image digest to published release digests to recover the real "Current:" version. Inserted ONLY as a new fallback step — never overrides the existing image-tag or stamped-value detection. Supersedes #457 (which was branched at v0.1.18, before the #473 upgrade repair, and is now CONFLICTING; merging it directly would revert the repair). This brings in just its net-new features rebased on current main, with the security-audit doc in the tracked docs/security-audits/ folder. Tests: release.test.ts +6 (releasesBetween x3, summarizeChangelog x3). CLI typecheck + oxlint (0 errors) + build clean; vitest 888 pass / 2 skipped. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Brings in the valuable features from the stale #457 without breaking anything in the current (v0.1.21) upgrade flow.
Why not just merge #457?
#457 was branched at v0.1.18 — before the #473 upgrade repair (rollback, value preservation, health gating, honest version detection — the fix that recovered the colleague's cluster). It's now
CONFLICTING, and resolving in its favour would revert the repair. So this PR re-lands only its net-new, non-conflicting features, rebased on current main.What's added — all read-only, write path untouched
--yesor a non-TTY stdin (existing automation unaffected).:latestwith nokarsReleasestamp, match the running image digest to published release digests to recover the real "Current:" version. Inserted only as a new fallback — never overrides the existing image-tag / stamped-value detection.Safety
The mutating sequence (
az acr import→helm upgrade --atomic→ mesh-first rolling restart → health-gated success → rollback) is byte-for-byte unchanged — verified the diff touches only comments there. Every new call is best-effort and never throws. A human confirm + pre-flight now sit in front of the unchanged, already-hardened write path.Tests
release.test.ts+6 (releasesBetween×3,summarizeChangelog×3). CLI typecheck + oxlint (0 errors) + build clean; vitest 888 pass / 2 skipped. All 7 ci-gates pass locally.Closes #457.