ci(build): consolidate rotating build workflows + publish version.php-derived tags#777
Merged
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR renames the rotating OpenEMR Docker build workflows from version-named filenames to slot-named filenames (current/next/dev) so the rotation tooling can update version pins inside the workflows without leaving misleading workflow artifacts behind. It also updates the release registry and test fixtures to reflect the new workflow paths.
Changes:
- Rename the three rotating Docker build workflows to slot-based names:
build-current.yml,build-next.yml,build-dev.yml. - Update
tools/release/versions.ymlregistryfiles:entries (and related inline comment) to reference the new workflow paths. - Update
SlotRotatorTestfixtures/expectations and mark the workflow-consolidation step as done in the release automation plan doc.
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
tools/release/versions.yml |
Updates registry references from version-named workflow files to slot-named workflow files. |
tools/release/tests/SlotRotatorTest.php |
Updates test fixtures and assertions to use the new workflow filenames. |
docs/release-automation-plan.md |
Updates the plan to reference slot-named build workflows and marks build-workflow consolidation as done. |
.github/workflows/build-next.yml |
Adds/renames the next slot nightly build workflow (multi-arch via per-arch builds + manifest merge). |
.github/workflows/build-dev.yml |
Adds/renames the dev slot nightly build workflow (multi-arch via per-arch builds + manifest merge). |
.github/workflows/build-current.yml |
Adds/renames the current slot production build workflow (single job multi-arch build + push). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
kojiromike
changed the title
kojiromike
force-pushed
the
consolidate-build-workflows
branch
from
884846c to
f921e18
Compare
kojiromike
commented
Jun 4, 2026
kojiromike
added a commit
that referenced
this pull request
Jun 5, 2026
## What Add `--user apache` to the **Install** step in `test-actions-core/action.yml` so `InstallerAuto.php` runs as the `apache` user instead of root. ## Why [openemr/openemr#12267](openemr/openemr#12267) added `RootCliGuard`, which aborts the installer when it runs as a root CLI (UID 0). The CI harness runs `InstallerAuto.php` via `docker compose exec`, which defaults to root in every slot, so every install-driven test slot now fails the guard. ## Approach The Install step is **shared across all slots** (7.0.4, 8.0.0, 8.1.0, 8.1.1, binary, flex). `--user apache` is portable: the `apache` user (uid 1000) and an apache-owned `openemr/` tree exist in every slot's Dockerfile. `su-exec` was **not** an option — #743 only added it to flex/8.1.1/binary, so hardcoding it would break 7.0.4/8.0.0/8.1.0 with "su-exec: not found". phpunit steps are unaffected: `interface/globals.php` skips the guard under `PHPUNIT_COMPOSER_INSTALL`, so those bootstraps stay exempt even as root. ## Validation - **8.1.1 (production path)** validated locally: patched install on a fresh DB exits 0 with no `RootCliGuard`/`RuntimeException`, writes `sqlconf.php` as `apache:apache` with `$config = 1`, web returns HTTP 302; `phpunit --testsuite unit` → 275 tests pass. - flex **prod** mode is structurally identical (baked, apache-owned) → covered by the 8.1.1 result. - flex **dev** mode relies on the already-merged #743 entrypoint, which (running as root) chowns the mounted source to apache before the `--user apache` exec — exercised by CI here. Unblocks #777, which only needs a rebase once this lands. Assisted-by: Claude Code
kojiromike
force-pushed
the
consolidate-build-workflows
branch
from
800ece4 to
2e1fa72
Compare
kojiromike
changed the title
kojiromike
force-pushed
the
consolidate-build-workflows
branch
from
2e1fa72 to
d799a33
Compare
…-derived tags
Collapse build-800/810/811.yml into a single build-openemr.yml whose
matrix is the stable slot names [current, next, dev] x platform, never
rotated. Each job resolves its version at runtime from the
docker/openemr/{current,next,dev} symlinks, so the workflow holds zero
version strings and SlotRotator only re-points the symlink.
Publish each slot's true version.php-derived tag instead of the bare
symlink dir name: current -> 8.0.0.3, next -> 8.1.0, dev -> 8.1.1-dev.
This fixes current (really the 8.0.0.3 patch release) and prevents dev
from publishing a bare :8.1.1 that would collide with the eventual real
8.1.1 release.
Supporting changes: standardize 8.0.0/Dockerfile to
ARG OPENEMR_VERSION=rel-800; update versions.yml (current.full ->
8.0.0.3, dev.full -> 8.1.1-dev); update Docker Hub overview template +
renderer test; document the derivation in release-automation-plan.md.
This is the build-workflow half of step #5 (workflow consolidation,
openemr#638 follow-on) and unblocks the release-rotation PR (openemr#760).
Assisted-by: Claude Code
kojiromike
force-pushed
the
consolidate-build-workflows
branch
from
d799a33 to
869e4c5
Compare
adunsulag
approved these changes
Jun 9, 2026
Member
|
Looks like a good automation improvement and consolidation. |
4 tasks
kojiromike
added a commit
to kojiromike/openemr-devops
that referenced
this pull request
Jun 11, 2026
Slot rotation was rewriting per-version build artifacts because the registry listed them as rotating files. Rotating current 8.0.0→8.1 rewrote the old 8.0.0 dir's rel-800→rel-810 pin and renamed the 8.0.0 dependabot entry to 8.1.0, colliding with the entry the next slot already owns. Version dirs are immutable historical artifacts (8.0.0/ builds rel-800 forever), exactly like the already-excluded 7.0.4 dir. This completes the openemr#777 migration to symlink-based slot resolution: remove the per-version Dockerfiles/READMEs and dependabot.yml from files:, and add whole-dir excludes for docker/openemr/{8.0.0,8.1.0,8.1.1} plus dependabot.yml. SlotRotator.php is unchanged — the bug was the registry model, not the rotator. Rotation now flips only the slot symlink + registry; no per-version dir or the dependabot config is ever edited. Assisted-by: Claude Code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Collapse the three version-named rotating build workflows into one slot-named matrix workflow, then make that workflow publish each slot's true OpenEMR version (derived from
version.php) instead of the bare symlink directory name.1. Consolidate to a single slot-matrix workflow
build-800.yml/build-810.yml/build-811.ymlbecome a singlebuild-openemr.ymlwhose matrix is the stable slot names[current, next, dev]× platform — never rotated. Each job resolves the slot's version at runtime from thedocker/openemr/{current,next,dev}symlinks, so the workflow holds zero version strings and rotation never rewrites it (SlotRotatorjust re-points the symlink).Docker dirs (
docker/openemr/{8.0.0,8.1.0,8.1.1}) stay version-named — they hold real per-version Dockerfiles and are honest targets.2. Publish version.php-derived tags per slot
The merge job derives each slot's published version from the OpenEMR
version.phpat the slot Dockerfile'sOPENEMR_VERSIONref, composingmajor.minor.patch[.realpatch][tag]::verrel-800rel-810masterThis fixes two bugs:
currentis really 8.0.0.3 (a genuine patch release), anddevwould otherwise publish a bare:8.1.1that collides with the eventual real 8.1.1 release.Tag set per slot:
:<float>(latest/next/dev) +:<ver>+:<ver>-<date>, plus the bare-dir tag (8.0.0/8.1.0) for current/next only (never dev) when it differs from:<ver>.Supporting changes
docker/openemr/8.0.0/DockerfiletoARG OPENEMR_VERSION=rel-800so the merge-job grep is uniform across all three slots.tools/release/versions.yml:current.full→8.0.0.3(drop vestigialpatch),dev.full→8.1.1-dev, 8.0.0 Dockerfilekinds→docker_arg_branch.docker_dir+fullmodel.docs/release-automation-plan.mddocuments the version.php derivation and per-slot tag set.This is the build-workflow half of step #5 (workflow consolidation, #638 follow-on) in
docs/release-automation-plan.md, and unblocks the release-rotation PR (#760).Test plan
composer test— 179 tests passcomposer phpcs— cleancomposer phpstan— no errorsactionlintonbuild-openemr.yml— clean (shellcheck SC2016 suppressed for the PHP one-liner, matchingbuild-release.yml)yqlint on the registry