From 03f85ef0a9eb08d8a4bf6803ce32dd7806a43d09 Mon Sep 17 00:00:00 2001 From: Vadym Mudryi Date: Mon, 11 May 2026 16:36:36 +0300 Subject: [PATCH 01/10] fix: Added changelog --- CHANGELOG.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..e69de29b From ea3d500fdb402c73255e5c22d7b57f5ba2a4ff86 Mon Sep 17 00:00:00 2001 From: Vadym Mudryi Date: Mon, 11 May 2026 16:46:33 +0300 Subject: [PATCH 02/10] fix: Token reference --- .github/workflows/init-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/init-release.yml b/.github/workflows/init-release.yml index f30c053c..a8a175bb 100644 --- a/.github/workflows/init-release.yml +++ b/.github/workflows/init-release.yml @@ -67,7 +67,7 @@ jobs: with: ref: ${{ steps.get_base_branch.outputs.base_branch }} fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.INFRASTRUCTURE_WORKFLOW_TOKEN }} - name: Check if release branch already exists id: check_branch From c3557efc12fcc81e7da1c972f68e9ccc3a8c0e9b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 11 May 2026 13:49:16 +0000 Subject: [PATCH 03/10] chore: update version to 1.9.14 --- .github/workflows/deploy-dependencies.yml | 2 +- .github/workflows/deploy-opencrvs.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy-dependencies.yml b/.github/workflows/deploy-dependencies.yml index 9fa690a3..ef3af9c0 100644 --- a/.github/workflows/deploy-dependencies.yml +++ b/.github/workflows/deploy-dependencies.yml @@ -11,7 +11,7 @@ on: options: - "" env: - DEPENDENCIES_CHART_VERSION: "v1.9.12" + DEPENDENCIES_CHART_VERSION: "1.9.14" TRAEFIK_CHART_VERSION: "39.0.0" jobs: approve: diff --git a/.github/workflows/deploy-opencrvs.yml b/.github/workflows/deploy-opencrvs.yml index 0602c341..73db9288 100644 --- a/.github/workflows/deploy-opencrvs.yml 
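Review bot: The new `token: ${{ secrets.INFRASTRUCTURE_WORKFLOW_TOKEN }}` line in the init-release.yml hunk swaps the job-scoped `GITHUB_TOKEN` for a longer-lived secret, and nothing in the hunk records why or what scope that secret should carry. If this step is `actions/checkout` (the `uses:` line is outside the hunk), the token is written to the local git config by default and stays usable by every later step in the job. I would add a comment above the line such as `# PAT needed because <REASON>; scope: contents write on this repository only`, and set `persist-credentials: false` if no later step pushes with it.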
+++ b/.github/workflows/deploy-opencrvs.yml @@ -16,11 +16,11 @@ on: core-image-tag: description: "Tag of the core image" required: true - default: "v1.9.12" + default: "1.9.14" countryconfig-image-tag: description: "Tag of the countryconfig image" required: true - default: "v1.9.12" + default: "1.9.14" data-seed-enabled: description: "Data seeding during deployment" required: false @@ -36,7 +36,7 @@ on: env: # Assuming chart version matches core image tag - OPENCRVS_CHART_VERSION: "v1.9.13" + OPENCRVS_CHART_VERSION: "1.9.14" jobs: approve: environment: ${{ inputs.environment }} From e25fd06fe42ed78b3c9155af2e3ca58c2e190455 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 11 May 2026 13:49:16 +0000 Subject: [PATCH 04/10] docs: update changelog for 1.9.14 release candidate --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e69de29b..4863fd99 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -0,0 +1,4 @@ +# Changelog + +## 1.9.14 Release Candidate + From 37832865c46a7b80cb36cb1d92dce75287eb8b7d Mon Sep 17 00:00:00 2001 From: Vadym Mudryi Date: Fri, 8 May 2026 17:08:39 +0300 Subject: [PATCH 05/10] fix: BGP rules for calico --- infrastructure/server-setup/tasks/k8s/ufw.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/infrastructure/server-setup/tasks/k8s/ufw.yml b/infrastructure/server-setup/tasks/k8s/ufw.yml index 1d98043a..334d1673 100644 --- a/infrastructure/server-setup/tasks/k8s/ufw.yml +++ b/infrastructure/server-setup/tasks/k8s/ufw.yml 
@@ -36,6 +36,8 @@ - { port: 7946, proto: "udp" } # Used by some CNIs (e.g., Flannel, Weave) - { port: 8472, proto: "udp" } # VXLAN (Flannel/Calico; verify if needed) - { port: 4789, proto: "udp" } # VXLAN (Calico; verify if needed) + - { port: 179, proto: "tcp" } # BGP (Calico) + - { port: 179, proto: "udp" } # BGP (Calico) # Expose traefik on node port # Rules are required for internet facing load balancer (if exists) - { port: 30080, proto: "tcp" } # NodePort HTTP From 9eed54a400173bcc3b31e3e148198e1cf60f0104 Mon Sep 17 00:00:00 2001 From: Vadym Mudryi Date: Thu, 14 May 2026 17:33:39 +0300 Subject: [PATCH 06/10] fix: added Testing outbound HTTPS connectivity instead of ping --- scripts/bootstrap/opencrvs-bootstrap.sh | 66 +++++++++++++++++++++++-- 1 file changed, 63 insertions(+), 3 deletions(-) diff --git a/scripts/bootstrap/opencrvs-bootstrap.sh b/scripts/bootstrap/opencrvs-bootstrap.sh index f066df7a..63b8da33 100644 --- a/scripts/bootstrap/opencrvs-bootstrap.sh +++ b/scripts/bootstrap/opencrvs-bootstrap.sh 
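Review bot: The added `- { port: 179, proto: "udp" }` entry opens a port that BGP does not use. BGP runs over TCP only, so the `tcp` entry alone should be enough for Calico peering and the `udp` line can be dropped. The task that consumes this list is outside the hunk, so it is not visible whether the rules restrict the source address; if they allow any source, 179/tcp is better limited to the cluster node addresses, since only peers need to reach it. The trailing comment could say so: `# BGP (Calico node-to-node peering, TCP only)`.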
@@ -69,12 +69,72 @@ check_ubuntu_version() { echo "Ubuntu version OK." } +curl_check_url() { + local url="$1" + local http_code + + http_code="$(curl \ + --silent \ + --location \ + --head \ + --max-time 10 \ + --output /dev/null \ + --write-out "%{http_code}" \ + "$url" || true)" + + # 000 means curl could not connect / DNS failed / TLS failed / timed out. + if [ "$http_code" = "000" ]; then + return 1 + fi + + return 0 +} check_internet() { - echo "Testing internet connectivity (ping google.com)..." - if ! ping -c 2 google.com >/dev/null 2>&1; then - abort "Internet connectivity failed (cannot reach google.com)" + local urls=( + "https://raw.githubusercontent.com/" + "https://get.helm.sh" + "https://pkgs.k8s.io" + "https://archive.ubuntu.com" + "https://changelogs.ubuntu.com" + "https://hub.docker.com" + "https://auth.docker.io" + "https://registry-1.docker.io" + "https://download.docker.com" + "https://sentry.io" + "https://fonts.gstatic.com" + "https://storage.googleapis.com" + "https://fonts.googleapis.com" + "https://github.com" + "https://acme-v02.api.letsencrypt.org" + "https://registry.npmjs.org" + "https://registry.yarnpkg.com" + "https://eu.ui-avatars.com" + ) + + local failed=0 + + echo "Testing outbound HTTPS connectivity..." + echo + + printf "%-40s %-10s\n" "URL" "STATUS" + printf "%-40s %-10s\n" "----------------------------------------" "----------" + + for url in "${urls[@]}"; do + if curl_check_url "$url"; then + printf "%-45s %-10s\n" "$url" "OK" + else + printf "%-45s %-10s\n" "$url" "FAILED" + failed=1 + fi + done + + echo + + if [ "$failed" -ne 0 ]; then + abort "Internet connectivity check failed. Some required endpoints are unreachable." fi + echo "Internet connectivity OK." } From e55d4feb2f7ce97669fcb102bbb1cfb34cada47f Mon Sep 17 00:00:00 2001 From: Vadym Mudryi Date: Thu, 14 May 2026 17:35:27 +0300 Subject: [PATCH 07/10] fix: Changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) 
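Review bot: `curl_check_url` fails open, because `[ "$http_code" = "000" ]` only catches curl's own `000`. When curl prints nothing (binary missing, or an option it rejects), `http_code` is empty, `|| true` hides the exit status and the endpoint is reported `OK`. Treating anything that is not a three-digit status as a failure closes the gap, for example `[[ "$http_code" =~ ^[1-5][0-9][0-9]$ ]] || return 1`. In `check_internet` the loop variable `url` is not declared `local`, and the header rows use `%-40s` while the result rows use `%-45s`, so the columns do not line up. The list also treats every endpoint as mandatory; if entries such as `sentry.io` or `fonts.gstatic.com` are not needed at bootstrap time, a warning instead of `abort` would suit restricted networks better.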
diff --git a/CHANGELOG.md b/CHANGELOG.md index 4863fd99..2b9ba6d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,3 +2,6 @@ ## 1.9.14 Release Candidate +### Fixes + +- Improved internet connectivity checks by replacing ICMP ping with HTTPS endpoint validation and detailed diagnostics for restricted environments. \ No newline at end of file From 0455ad2cf651ba6ad191aadfadc49d2ce15d2038 Mon Sep 17 00:00:00 2001 From: Vadym Mudryi Date: Thu, 14 May 2026 18:08:47 +0300 Subject: [PATCH 08/10] fix: Runner directory must belong to provision user (#313) --- scripts/bootstrap/node-runner.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/bootstrap/node-runner.sh b/scripts/bootstrap/node-runner.sh index a32184a4..1ee863f8 100644 --- a/scripts/bootstrap/node-runner.sh +++ b/scripts/bootstrap/node-runner.sh @@ -102,7 +102,7 @@ if [[ ! -f "runner.tar.gz" ]]; then fi echo "[+] Download URL: $RUNNER_LATEST_URL into folder $(pwd)" - if ! curl -fL "$RUNNER_LATEST_URL" -o runner.tar.gz; then + if ! sudo -u $RUNAS_USER curl -fL "$RUNNER_LATEST_URL" -o runner.tar.gz; then echo "❌ Failed to download runner archive." exit 1 fi @@ -111,9 +111,9 @@ else fi echo "[+] Extracting runner..." -tar xzf runner.tar.gz +sudo -u $RUNAS_USER tar xzf runner.tar.gz echo "[+] Setting permissions... `pwd`" -chown -R $RUNAS_USER:$RUNAS_GROUP . +sudo chown -R $RUNAS_USER:$RUNAS_GROUP . # --- GET REGISTRATION TOKEN --- echo "[+] Requesting registration token..." REG_TOKEN=$(curl -s -X POST \ @@ -133,7 +133,7 @@ sudo -u $RUNAS_USER ./config.sh \ # --- SETUP SYSTEMD SERVICE --- echo "[+] Installing systemd service..." -sudo ./svc.sh install +sudo ./svc.sh install provision # Fix service to run as specific user/group SERVICE_FILE_PATH=$(ls /etc/systemd/system/actions.runner.*.service 2>/dev/null | head -n1) From 6b1ee61353a147dd30a80f62ba67747ff5c2cc6b Mon Sep 17 00:00:00 2001 
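Review bot: The archive fetched by `sudo -u $RUNAS_USER curl -fL "$RUNNER_LATEST_URL" -o runner.tar.gz` is extracted in the next hunk with no integrity check visible in between, although its contents are later installed as a systemd service. Comparing it with the SHA-256 published for the runner release before `tar` runs would catch a corrupted or substituted download, and would also cover the branch that reuses an existing `runner.tar.gz`. For example: `echo "<EXPECTED_SHA256>  runner.tar.gz" | sha256sum -c -` (placeholder hash). `$RUNAS_USER` and `$RUNAS_GROUP` are also unquoted here and in the `tar` and `chown` lines of the following hunk; `sudo -u "$RUNAS_USER"` and `"$RUNAS_USER:$RUNAS_GROUP"` avoid word splitting. The enclosing `if` block starts outside the hunk.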
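Review bot: `sudo ./svc.sh install provision` in the last node-runner.sh hunk hard-codes the account name, while every other changed line in this file uses `$RUNAS_USER`. The service would be registered for `provision` even if the variable (defined outside the hunk) holds a different user; `sudo ./svc.sh install "$RUNAS_USER"` keeps the two in step. The lines that follow still patch the unit file under the comment "Fix service to run as specific user/group", so a short comment should say which of the two mechanisms is authoritative now.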
From: Vadym Mudryi Date: Fri, 15 May 2026 09:25:59 +0300 Subject: [PATCH 09/10] Add retry to curl command --- scripts/bootstrap/opencrvs-bootstrap.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/bootstrap/opencrvs-bootstrap.sh b/scripts/bootstrap/opencrvs-bootstrap.sh index 63b8da33..049687eb 100644 --- a/scripts/bootstrap/opencrvs-bootstrap.sh +++ b/scripts/bootstrap/opencrvs-bootstrap.sh @@ -77,6 +77,9 @@ curl_check_url() { --silent \ --location \ --head \ + --retry 3 \ + --retry-delay 2 \ + --retry-all-errors \ --max-time 10 \ --output /dev/null \ --write-out "%{http_code}" \ From 079f500bed08b54ed43329698dc11690b305649f Mon Sep 17 00:00:00 2001 From: Vadym Mudryi Date: Mon, 18 May 2026 16:00:30 +0300 Subject: [PATCH 10/10] fix: Set string variable type --- .github/workflows/deploy-opencrvs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-opencrvs.yml b/.github/workflows/deploy-opencrvs.yml index 73db9288..0a03feb1 100644 --- a/.github/workflows/deploy-opencrvs.yml +++ b/.github/workflows/deploy-opencrvs.yml @@ -145,8 +145,8 @@ jobs: --atomic \ --wait \ --wait-for-jobs \ - --set platform.tag="$CORE_IMAGE_TAG" \ - --set countryconfig.image.tag="$COUNTRYCONFIG_IMAGE_TAG" \ + --set-string platform.tag="$CORE_IMAGE_TAG" \ + --set-string countryconfig.image.tag="$COUNTRYCONFIG_IMAGE_TAG" \ --set countryconfig.image.name="$COUNTRYCONFIG_IMAGE_NAME" \ --set data_seed.env.ACTIVATE_USERS="${{ vars.ACTIVATE_USERS || 'false' }}" \ --set data_seed.enabled="${{ inputs.data-seed-enabled }}" \
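Review bot: `--retry-all-errors` is only understood by curl 7.71.0 and later, and the hunk adds it without a version check. An older curl exits with an option error and prints no status; since `curl_check_url` (whose tail is outside this hunk, added in PATCH 06/10) ends the call with `|| true` and compares only against `000`, every endpoint would then be reported reachable. Either check the curl version first or treat an empty status as a failure. The retries also multiply the wait on a blocked host because `--max-time 10` is reset for each attempt; adding `--retry-max-time 20` bounds the time spent per URL.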
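Review bot: The unchanged lines at the end of the deploy-opencrvs.yml hunk, `--set data_seed.env.ACTIVATE_USERS="${{ vars.ACTIVATE_USERS || 'false' }}"` and `--set data_seed.enabled="${{ inputs.data-seed-enabled }}"`, still expand `${{ … }}` straight into the script text. The two tag lines read environment variables instead. Expression text is substituted before the shell runs, so shell metacharacters in a value would be interpreted by the shell; mapping these values through `env:` and writing `--set data_seed.enabled="$DATA_SEED_ENABLED"` removes that. `countryconfig.image.name` is a string as well and could use `--set-string` for consistency. The start of the `helm` command and the step's `env:` block are outside the hunk.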