From 81f9661fab3d18551babea8cbdfe21a285a490ba Mon Sep 17 00:00:00 2001
From: Christie Ellks
Date: Wed, 21 Jan 2026 14:23:26 -0800
Subject: [PATCH 1/5] check v2_resolve_allow_unregistered value and override unregister calls

---
 scripts/deploy_cloud_esp.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/scripts/deploy_cloud_esp.sh b/scripts/deploy_cloud_esp.sh
index 4d14718abb..78f8b52cae 100755
--- a/scripts/deploy_cloud_esp.sh
+++ b/scripts/deploy_cloud_esp.sh
@@ -85,6 +85,14 @@ if [[ "$DEPLOYMENT" == "mixer" ]]; then
 export IP=$(yq eval '.ip' $HELM_VALUES_FILE)
 yq eval -i '.endpoints[0].target = env(IP)' endpoints.yaml
 yq eval -i '.endpoints[0].name = env(SERVICE_NAME)' endpoints.yaml
+
+ # Check for V2Resolve override
+ V2_RESOLVE_ALLOW_UNREGISTERED=$(yq eval '.esp.v2_resolve_allow_unregistered' $HELM_VALUES_FILE)
+ if [[ "$V2_RESOLVE_ALLOW_UNREGISTERED" == "false" ]]; then
+ echo "Overriding allow_unregistered_calls to false for datacommons.Mixer.V2Resolve"
+ yq eval -i '(.usage.rules[] | select(.selector == "datacommons.Mixer.V2Resolve").allow_unregistered_calls) = false' endpoints.yaml
+ fi
+
 echo "endpoints.yaml content:"
 cat endpoints.yaml
 fi

From c236b413802fe414add33a3a856f3d100df47f21 Mon Sep 17 00:00:00 2001
From: Christie Ellks
Date: Wed, 21 Jan 2026 16:38:08 -0800
Subject: [PATCH 2/5] clarify script-runner and add doc comments

---
 build/ci/cloudbuild.push.yaml | 4 ++++
 build/ci/cloudbuild.push_image.yaml | 4 ++++
 scripts/deploy_cloud_esp.sh | 1 +
 tools/script_runner/README.md | 8 +++++++-
 tools/script_runner/cloudbuild.push_image.yaml | 7 +++++--
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/build/ci/cloudbuild.push.yaml b/build/ci/cloudbuild.push.yaml
index 62e70ffeea..0edf3bf541 100644
--- a/build/ci/cloudbuild.push.yaml
+++ b/build/ci/cloudbuild.push.yaml
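Review bot: The new override is fail-open in two ways the block never checks: with yq v4, `yq eval '.esp.v2_resolve_allow_unregistered'` prints `null` when the key is absent or misspelled, so the `== "false"` test silently skips the override, and `select(.selector == "datacommons.Mixer.V2Resolve")` is a silent no-op when that rule is missing from endpoints.yaml, yet the script still logs "Overriding ..." and proceeds to deploy. Because this flag decides whether an endpoint accepts calls without an API key, read the value back after the edit and abort the deploy if it is not `false`, and reject any value other than `true`/`false`/`null` so a typo in the values file cannot leave the endpoint open. The new line should also quote the path (`"$HELM_VALUES_FILE"`), as ShellCheck would flag, even though the surrounding pre-existing lines leave it bare. The enclosing `if [[ "$DEPLOYMENT" == "mixer" ]]` block begins before this hunk.
```shell
  # … unchanged: export IP / endpoints.yaml target+name edits …

  # Check for V2Resolve override
  V2_RESOLVE_ALLOW_UNREGISTERED=$(yq eval '.esp.v2_resolve_allow_unregistered' "$HELM_VALUES_FILE")
  case "$V2_RESOLVE_ALLOW_UNREGISTERED" in
    false)
      echo "Overriding allow_unregistered_calls to false for datacommons.Mixer.V2Resolve"
      yq eval -i '(.usage.rules[] | select(.selector == "datacommons.Mixer.V2Resolve").allow_unregistered_calls) = false' endpoints.yaml
      # select() on a missing rule is a silent no-op; verify the edit actually landed.
      applied=$(yq eval '.usage.rules[] | select(.selector == "datacommons.Mixer.V2Resolve").allow_unregistered_calls' endpoints.yaml)
      if [[ "$applied" != "false" ]]; then
        echo "ERROR: datacommons.Mixer.V2Resolve rule not found or not updated in endpoints.yaml (got '$applied')" >&2
        exit 1
      fi
      ;;
    true|null|"")
      # No override requested; endpoints.yaml keeps its own allow_unregistered_calls value.
      ;;
    *)
      echo "ERROR: unexpected esp.v2_resolve_allow_unregistered value '$V2_RESOLVE_ALLOW_UNREGISTERED' (expected true or false)" >&2
      exit 1
      ;;
  esac

  # … unchanged: echo/cat of endpoints.yaml …
```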
@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+# Official CI/CD pipeline for building and pushing release images to GCR.
+# Triggered automatically on every push to the master branch.
+# DO NOT trigger this manually. Manual runs will tag images with official release tags (autopush) and trigger downstream deployment builds.
+
 steps:
 # Trigger downstream builds that listen for changes to multiple repos.
 - id: update-repo-version
diff --git a/build/ci/cloudbuild.push_image.yaml b/build/ci/cloudbuild.push_image.yaml
index b60d366273..540e810589 100644
--- a/build/ci/cloudbuild.push_image.yaml
+++ b/build/ci/cloudbuild.push_image.yaml
@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+# Manual Cloud Build pipeline for building and pushing images to GCR.
+# Trigger this manually (e.g., via /scripts/push_image.sh) for development deployments or testing custom images.
+# This is NOT used by the official CI/CD pipeline nor any automated triggers.
+
 steps:
 - id: push-web-server
 name: gcr.io/cloud-builders/docker
diff --git a/scripts/deploy_cloud_esp.sh b/scripts/deploy_cloud_esp.sh
index 78f8b52cae..4e6ce71da6 100755
--- a/scripts/deploy_cloud_esp.sh
+++ b/scripts/deploy_cloud_esp.sh
@@ -88,6 +88,7 @@ if [[ "$DEPLOYMENT" == "mixer" ]]; then
 # Check for V2Resolve override
 V2_RESOLVE_ALLOW_UNREGISTERED=$(yq eval '.esp.v2_resolve_allow_unregistered' $HELM_VALUES_FILE)
+ echo "V2Resolve allow_unregistered_calls: $V2_RESOLVE_ALLOW_UNREGISTERED"
 if [[ "$V2_RESOLVE_ALLOW_UNREGISTERED" == "false" ]]; then
 echo "Overriding allow_unregistered_calls to false for datacommons.Mixer.V2Resolve"
 yq eval -i '(.usage.rules[] | select(.selector == "datacommons.Mixer.V2Resolve").allow_unregistered_calls) = false' endpoints.yaml
diff --git a/tools/script_runner/README.md b/tools/script_runner/README.md
index cd7bb046c3..50de58b3b9 100644
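Review bot: The "DO NOT trigger this manually" warning in the cloudbuild.push.yaml header states a serious consequence (manual runs mint official autopush tags and kick off downstream deploys) but gives the reader no sanctioned alternative, so it is easy to ignore under time pressure. Since the sibling change in this commit documents build/ci/cloudbuild.push_image.yaml as the manual path, point to it here: `# For one-off or development images use build/ci/cloudbuild.push_image.yaml (see scripts/push_image.sh) instead.` A comment cannot enforce this; if the project's IAM allows, restricting `cloudbuild.builds.create` on this config to the master-branch trigger's service account would be the actual guard, but I cannot see the trigger setup from this diff.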
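Review bot: The new header in build/ci/cloudbuild.push_image.yaml says the config is for development and custom images but does not say which tag the pushed images receive, which is exactly what a reader needs to judge whether a manual run can collide with the `latest`/autopush tags the other config warns about; the steps that decide the tag are outside this hunk, so the wording should be checked against them and a line such as `# Images are tagged from the _TAG_NAME substitution; never push the tags the official pipeline consumes.` added if that is accurate. Two wording nits on the same lines: the path should be repo-relative (`scripts/push_image.sh`, not `/scripts/push_image.sh`), and "nor any automated triggers" reads better as "or by any automated trigger".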
--- a/tools/script_runner/README.md
+++ b/tools/script_runner/README.md
@@ -10,6 +10,12 @@ The `cloudbuild.push_image.yaml` file defines a Cloud Build job that builds and
 You can trigger the build using the `gcloud` command-line tool.
+> [!WARNING]
+> The `latest` tag is used by the official CI/CD pipeline and all deployment environments (autopush, staging, prod).
+> Pushing to `latest` manually can affect subsequent cicd deployments.
+> Please use a custom tag (e.g., `dev-username`) using substitutionsfor testing unless you explicitly intend to update the official image.
+
+
 ```bash
-gcloud builds submit --config tools/script_runner/cloudbuild.push_image.yaml --project=datcom-ci
+gcloud builds submit --config tools/script_runner/cloudbuild.push_image.yaml --project=datcom-ci --substitutions=_TAG_NAME=dev-calinc
 ```
diff --git a/tools/script_runner/cloudbuild.push_image.yaml b/tools/script_runner/cloudbuild.push_image.yaml
index 1b87f14f2f..0411087274 100644
--- a/tools/script_runner/cloudbuild.push_image.yaml
+++ b/tools/script_runner/cloudbuild.push_image.yaml
@@ -12,14 +12,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+substitutions:
+ _TAG_NAME: latest
+
 steps:
 - name: "gcr.io/cloud-builders/docker"
 args:
 - build
- - --tag=gcr.io/datcom-ci/datacommons-script-runner:latest
+ - --tag=gcr.io/datcom-ci/datacommons-script-runner:${_TAG_NAME}
 - "."
 - -f
 - "tools/script_runner/Dockerfile"
 images:
- - "gcr.io/datcom-ci/datacommons-script-runner:latest"
\ No newline at end of file
+ - "gcr.io/datcom-ci/datacommons-script-runner:${_TAG_NAME}"
\ No newline at end of file

From c5a62de6cfc00c424ba0af247e6e4f94a24f9782 Mon Sep 17 00:00:00 2001
From: Christie Ellks
Date: Wed, 21 Jan 2026 16:52:32 -0800
Subject: [PATCH 3/5] nit

---
 scripts/deploy_cloud_esp.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/deploy_cloud_esp.sh b/scripts/deploy_cloud_esp.sh
index 4e6ce71da6..78f8b52cae 100755
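Review bot: Declaring `_TAG_NAME: latest` as the default under `substitutions:` means a `gcloud builds submit` that forgets `--substitutions` still overwrites the exact image the README in this same commit warns is consumed by autopush, staging and prod, so the warning is the only safeguard. Prefer no default at all (so a missing `_TAG_NAME` fails the build instead of silently publishing to `latest`), or default to a clearly non-production value such as `_TAG_NAME: dev-unset`. Smaller point: both `\ No newline at end of file` markers show the last `images:` entry is still unterminated on the new side; since this commit rewrites that line anyway, end the file with a newline so the next edit does not produce a two-line diff.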
--- a/scripts/deploy_cloud_esp.sh
+++ b/scripts/deploy_cloud_esp.sh
@@ -88,7 +88,6 @@ if [[ "$DEPLOYMENT" == "mixer" ]]; then
 # Check for V2Resolve override
 V2_RESOLVE_ALLOW_UNREGISTERED=$(yq eval '.esp.v2_resolve_allow_unregistered' $HELM_VALUES_FILE)
- echo "V2Resolve allow_unregistered_calls: $V2_RESOLVE_ALLOW_UNREGISTERED"
 if [[ "$V2_RESOLVE_ALLOW_UNREGISTERED" == "false" ]]; then
 echo "Overriding allow_unregistered_calls to false for datacommons.Mixer.V2Resolve"
 yq eval -i '(.usage.rules[] | select(.selector == "datacommons.Mixer.V2Resolve").allow_unregistered_calls) = false' endpoints.yaml

From 6c72cb78d90e45cc1a7fcdee70780778ba949b73 Mon Sep 17 00:00:00 2001
From: Christie Ellks
Date: Wed, 21 Jan 2026 17:32:32 -0800
Subject: [PATCH 4/5] fix gemini nits

---
 tools/script_runner/README.md | 7 ++++---
 tools/script_runner/cloudbuild.push_image.yaml | 13 ++++++++++---
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/tools/script_runner/README.md b/tools/script_runner/README.md
index 50de58b3b9..9c606902fa 100644
--- a/tools/script_runner/README.md
+++ b/tools/script_runner/README.md
@@ -11,11 +11,12 @@ The `cloudbuild.push_image.yaml` file defines a Cloud Build job that builds and
 You can trigger the build using the `gcloud` command-line tool.
 > [!WARNING]
+> Please use a custom tag (e.g., `dev-username`) for testing.
 > The `latest` tag is used by the official CI/CD pipeline and all deployment environments (autopush, staging, prod).
 > Pushing to `latest` manually can affect subsequent cicd deployments.
-> Please use a custom tag (e.g., `dev-username`) using substitutionsfor testing unless you explicitly intend to update the official image.
-
+> Only use the tag `latest` if you need to deploy an emergency fix for immediate pickup by the pipeline.
+You must provide a tag name using substitutions:
 ```bash
-gcloud builds submit --config tools/script_runner/cloudbuild.push_image.yaml --project=datcom-ci --substitutions=_TAG_NAME=dev-calinc
+gcloud builds submit --config tools/script_runner/cloudbuild.push_image.yaml --project=datcom-ci --substitutions=_TAG_NAME=dev-myuser
 ```
diff --git a/tools/script_runner/cloudbuild.push_image.yaml b/tools/script_runner/cloudbuild.push_image.yaml
index 0411087274..a67ec8a13e 100644
--- a/tools/script_runner/cloudbuild.push_image.yaml
+++ b/tools/script_runner/cloudbuild.push_image.yaml
@@ -11,9 +11,16 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-substitutions:
- _TAG_NAME: latest
+# Cloud Build configuration for manual building of the script runner image.
+#
+# Usage:
+# This build requires a _TAG_NAME substitution to be provided.
+# Do NOT use 'latest' unless fixing a critical issue for the pipeline.
+#
+# Example Command:
+# gcloud builds submit --config tools/script_runner/cloudbuild.push_image.yaml \
+# --project=datcom-ci \
+# --substitutions=_TAG_NAME=dev-myuser
 steps:
 - name: "gcr.io/cloud-builders/docker"
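Review bot: Dropping the `substitutions:` block leaves `${_TAG_NAME}` (used by the build step outside this hunk) undeclared, and the new header only says the substitution "requires ... to be provided" without saying what happens when it is not; as far as I recall Cloud Build's default MUST_MATCH mode rejects the build with a "key in the template is not matched" error, which is the desired fail-closed outcome, so state it so the first person to hit that error knows it is intentional: `# The build is rejected if _TAG_NAME is not supplied; that is intentional.` The "Do NOT use 'latest'" rule is still purely advisory, and since `latest` is what every environment pulls, an explicit refusal step that requires a second opt-in substitution makes the emergency path deliberate rather than accidental.
```yaml
substitutions:
  # Opt-in required to publish the tag consumed by autopush/staging/prod.
  _ALLOW_LATEST: "false"

steps:
  - id: refuse-latest
    name: "gcr.io/cloud-builders/docker"
    entrypoint: bash
    args:
      - -c
      - |
        if [[ "${_TAG_NAME}" == "latest" && "${_ALLOW_LATEST}" != "true" ]]; then
          echo "Refusing to push 'latest'; pass --substitutions=_TAG_NAME=latest,_ALLOW_LATEST=true to override" >&2
          exit 1
        fi
  # … unchanged: docker build step and images: list …
```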
From 2a5c4bc86b2a78d0917600591af0fd46af1e26dc Mon Sep 17 00:00:00 2001
From: Christie Ellks
Date: Wed, 21 Jan 2026 18:10:38 -0800
Subject: [PATCH 5/5] add todo cleanup comment

---
 scripts/deploy_cloud_esp.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/deploy_cloud_esp.sh b/scripts/deploy_cloud_esp.sh
index 78f8b52cae..3440300892 100755
--- a/scripts/deploy_cloud_esp.sh
+++ b/scripts/deploy_cloud_esp.sh
@@ -87,6 +87,7 @@ if [[ "$DEPLOYMENT" == "mixer" ]]; then
 yq eval -i '.endpoints[0].name = env(SERVICE_NAME)' endpoints.yaml
 # Check for V2Resolve override
+ # TODO(/v2/resolve cleanup): Delete once /v2/resolve always requires an api key.
 V2_RESOLVE_ALLOW_UNREGISTERED=$(yq eval '.esp.v2_resolve_allow_unregistered' $HELM_VALUES_FILE)
 if [[ "$V2_RESOLVE_ALLOW_UNREGISTERED" == "false" ]]; then
 echo "Overriding allow_unregistered_calls to false for datacommons.Mixer.V2Resolve"
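Review bot: The new TODO records when the override goes away but not how it behaves in the meantime, which is the part an operator editing a values file needs: only the literal string `false` triggers the override, so an absent key (yq prints `null`) or any other spelling leaves endpoints.yaml's own `allow_unregistered_calls` in force. Add that to the comment, e.g. `# Only an exact "false" in esp.v2_resolve_allow_unregistered forces the rule to false; absent/other values leave endpoints.yaml unchanged (API key not required).` Minor style point: the file's TODO convention appears to be `TODO(owner)`, so `TODO(/v2/resolve cleanup)` would be better as an owner or tracking reference, but I cannot see the rest of the script to confirm the convention. The enclosing `if [[ "$DEPLOYMENT" == "mixer" ]]` block starts and ends outside this hunk.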