From 78785dfca09bcb4e63d25d30547845d8eeba39f4 Mon Sep 17 00:00:00 2001 From: IvanildoBarauna Date: Wed, 4 Mar 2026 16:23:41 -0300 Subject: [PATCH 01/10] fix: Align rollback.yml with packages-deploy.yml best practices - Add id-token: write to permissions for OIDC authentication - Move checkout to first step (was at step 10 of 11) - Add --delete flag to rsync to keep VPS in sync - Create and sync .env file with DD_API_KEY before deployment - Recreate .env during remote deploy to ensure secrets are loaded This fixes critical issues preventing the workflow from executing correctly on GitHub Actions, aligning it with the proven patterns in packages-deploy.yml Co-Authored-By: Claude Haiku 4.5 --- .github/workflows/rollback.yml | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml index 6c70416..8826c19 100644 --- a/.github/workflows/rollback.yml +++ b/.github/workflows/rollback.yml @@ -19,8 +19,14 @@ jobs: contents: write packages: read pull-requests: write + id-token: write steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Determine rollback version run: | if [ -n "${{ github.event.inputs.version }}" ]; then 
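Review bot: The added `id-token: write` permission has no visible consumer: the deploy steps in this patch authenticate to the VPS with SSH and repository secrets, and nothing shown requests an OIDC token. Unless a step outside these hunks exchanges that token with an identity provider, drop the line so the job cannot mint identity tokens it does not need. Separately, the context line `if [ -n "${{ github.event.inputs.version }}" ]` expands the dispatch input into the script text before the shell parses it. Passing it through `env:` (`INPUT_VERSION: ${{ github.event.inputs.version }}`) and testing `"$INPUT_VERSION"` keeps the value as data. That step continues outside the hunk.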
@@ -119,16 +125,22 @@ jobs: start_period: 60s EOF - - name: Sync rollback compose to VPS + - name: Create temporary .env file + run: | + echo "DD_API_KEY=${{ secrets.DATADOG_API_KEY }}" > .env + + - name: Sync rollback compose and env to VPS run: | - rsync -avz \ - docker-compose.rollback.yaml \ + rsync -avz --delete \ + docker-compose.rollback.yaml .env \ ${{ secrets.VPS_SSH_USER }}@${{ secrets.VPS_SSH_HOST }}:/home/ubuntu/app/site/ - name: Deploy rollback version on VPS run: | ssh ${{ secrets.VPS_SSH_USER }}@${{ secrets.VPS_SSH_HOST }} << 'EOF' cd /home/ubuntu/app/site + rm -f .env + echo "DD_API_KEY=${{ secrets.DATADOG_API_KEY }}" >> .env docker compose -f docker-compose.rollback.yaml pull docker compose -f docker-compose.rollback.yaml up -d --remove-orphans docker system prune -f @@ -149,11 +161,6 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Create rollback PR run: | ROLLBACK_TAG="v${ROLLBACK_VERSION}" From 367a668e0ca888eb153f6eafb45c9b12dbb5014f Mon Sep 17 00:00:00 2001 From: IvanildoBarauna Date: Wed, 4 Mar 2026 16:30:08 -0300 Subject: [PATCH 02/10] fix: Correct YAML syntax error in rollback PR body - Use heredoc syntax for multi-line PR body instead of inline string - Fixes GitHub Actions validation error on line 193 Co-Authored-By: Claude Haiku 4.5 --- .github/workflows/rollback.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml index 8826c19..e46c61c 100644 --- a/.github/workflows/rollback.yml +++ b/.github/workflows/rollback.yml @@ -188,7 +188,8 @@ jobs: --base main \ --head ${PR_BRANCH} \ --title "Rollback: Revert to v${ROLLBACK_VERSION}" \ - --body "🚨 **Automatic Rollback PR** + --body "$(cat <<'PRBODY' +🚨 **Automatic Rollback PR** This PR reverts the codebase to version \`v${ROLLBACK_VERSION}\` to match the environment rollback. 
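Review bot: Both new `echo "DD_API_KEY=${{ secrets.DATADOG_API_KEY }}"` lines paste the secret into the script text, so a key containing a quote or `$` changes what the shell runs. The local `.env` is also created with the default umask, in a workspace that the later rollback-PR step uses for git operations. Pass the secret through `env:`, write the file under `umask 077`, and delete the local copy once it has been synced. The remote `rm -f .env` / `echo … >> .env` pair rewrites, with the same content, the file rsync has just delivered, so those two lines can be removed from the SSH heredoc. As far as rsync's documented behaviour goes, `--delete` does nothing when the sources are individual files, and it would start removing remote files if a source were ever changed to a directory.

```yaml
      - name: Create temporary .env file
        env:
          DD_API_KEY: ${{ secrets.DATADOG_API_KEY }}
        run: |
          umask 077
          printf 'DD_API_KEY=%s\n' "$DD_API_KEY" > .env

      - name: Sync rollback compose and env to VPS
        run: |
          rsync -avz \
            docker-compose.rollback.yaml .env \
            ${{ secrets.VPS_SSH_USER }}@${{ secrets.VPS_SSH_HOST }}:/home/ubuntu/app/site/
          rm -f .env

      # … unchanged: "Deploy rollback version on VPS", minus the rm/echo .env pair …
```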
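Review bot: The heredoc does not remove the parse error and it changes the PR text. The body lines still appear to start at column 0 (the next hunk header picks up `This PR reverts …` as its context line), which ends the `run: |` block scalar. The quoted delimiter `<<'PRBODY'` also stops the shell from expanding `${ROLLBACK_VERSION}` and leaves the backslash-escaped backticks in the text literally. Indent the body to the same level as the rest of the script and use an unquoted delimiter, or write the text to a file and pass it with `--body-file`. The first hunk of PATCH 03 keeps the same column-0 heredoc, and the `gh pr create` command starts outside this hunk.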
@@ -201,7 +202,9 @@ This PR reverts the codebase to version \`v${ROLLBACK_VERSION}\` to match the en 2. Merge this PR to update main with the previous stable version --- -*This PR was automatically created by the Rollback workflow*" +*This PR was automatically created by the Rollback workflow* +PRBODY +)" else echo "PR #${EXISTING_PR} already exists for this rollback" fi From 58ab27746ab74374fff5c5d677ae7b7c3a58f865 Mon Sep 17 00:00:00 2001 From: IvanildoBarauna Date: Wed, 4 Mar 2026 16:32:20 -0300 Subject: [PATCH 03/10] fix: Correct YAML syntax in rollback PR creation - Use variable assignment instead of inline command substitution - Separate PR body creation from gh pr create command - Fixes YAML parsing errors Co-Authored-By: Claude Haiku 4.5 --- .github/workflows/rollback.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml index e46c61c..1d44110 100644 --- a/.github/workflows/rollback.yml +++ b/.github/workflows/rollback.yml @@ -184,17 +184,13 @@ jobs: if [ -z "$EXISTING_PR" ]; then # Create new PR - gh pr create \ - --base main \ - --head ${PR_BRANCH} \ - --title "Rollback: Revert to v${ROLLBACK_VERSION}" \ - --body "$(cat <<'PRBODY' + PR_BODY=$(cat <<'PRBODY' 🚨 **Automatic Rollback PR** -This PR reverts the codebase to version \`v${ROLLBACK_VERSION}\` to match the environment rollback. +This PR reverts the codebase to version to match the environment rollback. **What changed:** -- Environment was rolled back to version \`v${ROLLBACK_VERSION}\` +- Environment was rolled back to the previous stable version - This PR synchronizes the source code to match **Instructions:** 
@@ -204,7 +200,12 @@ This PR reverts the codebase to version \`v${ROLLBACK_VERSION}\` to match the en --- *This PR was automatically created by the Rollback workflow* PRBODY -)" +) + gh pr create \ + --base main \ + --head ${PR_BRANCH} \ + --title "Rollback: Revert to v${ROLLBACK_VERSION}" \ + --body "$PR_BODY" else echo "PR #${EXISTING_PR} already exists for this rollback" fi From 8ef86cc87c0cb3382b90ec46bb5c562f62a4605f Mon Sep 17 00:00:00 2001 From: IvanildoBarauna Date: Wed, 4 Mar 2026 16:34:00 -0300 Subject: [PATCH 04/10] fix: Remove multiline heredoc from run block to fix YAML syntax error - Replace heredoc PR body with single-line string - Heredoc with emoji was causing YAML parsing errors Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/rollback.yml | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml index 1d44110..d60baeb 100644 --- a/.github/workflows/rollback.yml +++ b/.github/workflows/rollback.yml 
@@ -184,28 +184,11 @@ jobs: if [ -z "$EXISTING_PR" ]; then # Create new PR - PR_BODY=$(cat <<'PRBODY' -🚨 **Automatic Rollback PR** - -This PR reverts the codebase to version to match the environment rollback. - -**What changed:** -- Environment was rolled back to the previous stable version -- This PR synchronizes the source code to match - -**Instructions:** -1. Review the changes carefully -2. Merge this PR to update main with the previous stable version - ---- -*This PR was automatically created by the Rollback workflow* -PRBODY -) gh pr create \ --base main \ --head ${PR_BRANCH} \ --title "Rollback: Revert to v${ROLLBACK_VERSION}" \ - --body "$PR_BODY" + --body "Automatic Rollback PR - This PR reverts the codebase to v${ROLLBACK_VERSION} to match the environment rollback. Review the changes carefully and merge to update main with the previous stable version. This PR was automatically created by the Rollback workflow." else echo "PR #${EXISTING_PR} already exists for this rollback" fi From 92ce830f29aa7f62585cf99e2a9b8fac27ba11e1 Mon Sep 17 00:00:00 2001 From: IvanildoBarauna Date: Wed, 4 Mar 2026 16:49:30 -0300 Subject: [PATCH 05/10] fix: Add workflows write permission to allow branch creation from tags The rollback PR step creates a branch from a release tag that contains workflow files, which requires the workflows permission. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/rollback.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml index d60baeb..770a0c6 100644 --- a/.github/workflows/rollback.yml +++ b/.github/workflows/rollback.yml @@ -20,6 +20,7 @@ jobs: packages: read pull-requests: write id-token: write + workflows: write steps: - name: Checkout repository From b723b225f479db3f496dc58d394f22238e2abcfa Mon Sep 17 00:00:00 2001 
From: IvanildoBarauna Date: Wed, 4 Mar 2026 16:51:31 -0300 Subject: [PATCH 06/10] fix: Remove invalid workflows permission and use PAT for branch push - workflows is not a valid job-level permission in GitHub Actions - GITHUB_TOKEN cannot push branches containing workflow files - Use GH_PAT secret (needs workflow scope) for the git push instead Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/rollback.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml index 770a0c6..a88bc63 100644 --- a/.github/workflows/rollback.yml +++ b/.github/workflows/rollback.yml @@ -20,7 +20,6 @@ jobs: packages: read pull-requests: write id-token: write - workflows: write steps: - name: Checkout repository @@ -167,6 +166,9 @@ jobs: ROLLBACK_TAG="v${ROLLBACK_VERSION}" PR_BRANCH="rollback/${ROLLBACK_VERSION}" + # Use PAT to allow pushing branches that contain workflow files + git remote set-url origin https://x-access-token:${{ secrets.GH_PAT }}@github.com/${{ github.repository }} + # Check if branch already exists if git rev-parse --verify origin/${PR_BRANCH} >/dev/null 2>&1; then echo "Branch ${PR_BRANCH} already exists, updating it" From 68188d95aae734d5af491ace029910756a6da0ba Mon Sep 17 00:00:00 2001 From: IvanildoBarauna Date: Wed, 4 Mar 2026 16:59:33 -0300 Subject: [PATCH 07/10] fix: Pass GH_PAT to checkout action to allow pushing workflow files The actions/checkout configures git credentials internally via http.extraheader, overriding any subsequent remote set-url. Passing the PAT directly to the token parameter ensures all git operations (including push) use the PAT with workflow scope. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/rollback.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml index a88bc63..e3fdef5 100644 --- a/.github/workflows/rollback.yml +++ b/.github/workflows/rollback.yml 
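Review bot: The line `git remote set-url origin https://x-access-token:${{ secrets.GH_PAT }}@github.com/…` writes the PAT into `.git/config` in clear text for the rest of the job, and the hunk gives no indication of how far that token reaches. A classic PAT with the `workflow` scope can modify workflows in every repository its owner can write to, so a leak from this job would not be limited to this repository. Prefer a fine-grained token restricted to this repository, or a GitHub App installation token, and record the expectation next to the use: `# GH_PAT: fine-grained, this repository only; Contents, Pull requests and Workflows write`. The same applies to `token: ${{ secrets.GH_PAT }}` in PATCH 07 and `GH_TOKEN: ${{ secrets.GH_PAT }}` in PATCH 08.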
@@ -26,6 +26,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + token: ${{ secrets.GH_PAT }} - name: Determine rollback version run: | @@ -166,9 +167,6 @@ jobs: ROLLBACK_TAG="v${ROLLBACK_VERSION}" PR_BRANCH="rollback/${ROLLBACK_VERSION}" - # Use PAT to allow pushing branches that contain workflow files - git remote set-url origin https://x-access-token:${{ secrets.GH_PAT }}@github.com/${{ github.repository }} - # Check if branch already exists if git rev-parse --verify origin/${PR_BRANCH} >/dev/null 2>&1; then echo "Branch ${PR_BRANCH} already exists, updating it" From 163e9240b157537800f9552c7b3712b0c0cff34a Mon Sep 17 00:00:00 2001 From: IvanildoBarauna Date: Wed, 4 Mar 2026 17:07:34 -0300 Subject: [PATCH 08/10] fix: Use GH_PAT for gh pr create in rollback PR step GITHUB_TOKEN is not permitted to create PRs via GitHub Actions. Using GH_PAT (with pull-requests write scope) fixes the error: 'GitHub Actions is not permitted to create or approve pull requests' Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/rollback.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml index e3fdef5..89d4251 100644 --- a/.github/workflows/rollback.yml +++ b/.github/workflows/rollback.yml @@ -194,7 +194,7 @@ jobs: echo "PR #${EXISTING_PR} already exists for this rollback" fi env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.GH_PAT }} environment: name: Production From 88011a962ee2d7c25849294b0acb4d29b06c23dc Mon Sep 17 00:00:00 2001 From: IvanildoBarauna Date: Wed, 4 Mar 2026 17:17:45 -0300 Subject: [PATCH 09/10] feat: Add connection string log before engine build Co-Authored-By: Claude Sonnet 4.6 --- .../src/infrastructure/adapters/outbound_postgres_adapter.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
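Review bot: With `token: ${{ secrets.GH_PAT }}` on the first step and `persist-credentials` left at its default, the PAT stays in the workspace git configuration for every later step, although only the final PR step pushes. Those later steps include the ones that write the compose file and open SSH sessions to the VPS. Add `persist-credentials: false` to this checkout and supply the PAT only where the push happens, for example through that step's `GH_TOKEN` together with `gh auth setup-git` before `git push`. The checkout then runs on the job's `GITHUB_TOKEN`, whose reach is bounded by the `permissions:` block.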
diff --git a/backend/src/infrastructure/adapters/outbound_postgres_adapter.py b/backend/src/infrastructure/adapters/outbound_postgres_adapter.py index 7038340..f940702 100644 --- a/backend/src/infrastructure/adapters/outbound_postgres_adapter.py +++ b/backend/src/infrastructure/adapters/outbound_postgres_adapter.py @@ -38,11 +38,12 @@ def build_connection_string(self) -> str: def build_engine(self, retry_interval: int = 5): attempt = 0 - + logger.info(f"Conectando ao banco de dados: {self._obfuscated_connection_string()}") + while True: attempt += 1 try: - engine = create_engine(self.connection_string, + engine = create_engine(self.connection_string, echo=False, pool_size=5, max_overflow=10, From 79caafe799e28d4ccdb138fc1952920bcb0e3602 Mon Sep 17 00:00:00 2001 From: IvanildoBarauna Date: Wed, 4 Mar 2026 17:39:17 -0300 Subject: [PATCH 10/10] fix: Add fetch-tags to checkout so rollback branch is created from correct tag commit Without fetch-tags, the tag is not resolved locally and the rollback branch ends up pointing to the same commit as main. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/rollback.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml index 89d4251..88fa04c 100644 --- a/.github/workflows/rollback.yml +++ b/.github/workflows/rollback.yml @@ -26,6 +26,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + fetch-tags: true token: ${{ secrets.GH_PAT }} - name: Determine rollback version
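Review bot: The new `logger.info` line relies on `self._obfuscated_connection_string()`, which this patch neither adds nor shows, so the hunk cannot confirm that the password, or any credentials carried in query parameters, is masked. If the helper does not exist, `build_engine` raises `AttributeError` before the retry loop starts. Please confirm the helper masks everything except host, port and database name. Also confirm that the retry loop's error handling, which lies outside this hunk, does not log `self.connection_string` or a driver exception that contains it. A comment above the call would record the guarantee: `# never log self.connection_string directly; the helper must mask credentials`.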