From 4d61a7d0faec566ba13b5b69e4baeef6843dff44 Mon Sep 17 00:00:00 2001
From: Guilherme Santos
Date: Wed, 13 May 2026 15:24:36 +0200
Subject: [PATCH] Add logic to retag lcm imgs, one for each cluster

---
 .github/workflows/lcm-pipeline.yaml | 55 +++++++++++++++++++++++++----
 1 file changed, 48 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/lcm-pipeline.yaml b/.github/workflows/lcm-pipeline.yaml
index b7b2aad87..a0618d883 100644
--- a/.github/workflows/lcm-pipeline.yaml
+++ b/.github/workflows/lcm-pipeline.yaml
@@ -293,6 +293,9 @@ jobs:
 group: infra1-runners-arc
 labels: runners-small
 needs: [ prepare-build, promote-to-stable ]
+ permissions:
+ id-token: write
+ contents: read
 if: |
 !cancelled() && !contains(needs.*.result, 'failure') &&
@@ -300,19 +303,57 @@ jobs:
 needs.prepare-build.outputs.images != '' && inputs.deploy
 strategy:
+ max-parallel: 1
 matrix:
 cluster: [ na1, ca2, perf1, bom1, syd1, na3, eu1, fra1 ]
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
- - name: Register bricks to ${{ matrix.cluster }}
- uses: ./.github/actions/rundeck
+ - name: Get required Vault secrets
+ uses: hashicorp/vault-action@v3
 with:
- server: '${{ secrets.RUNDECK_URL }}'
- project: ${{ matrix.cluster }}-ansible
- job-group: ansible/msf/hotfix
- job-name: ${{ matrix.cluster }}_lcm_pipeline_component_tool
- vault-url: ${{ secrets.VAULT_ADDRESS }}
+ url: ${{ secrets.VAULT_ADDRESS }}
+ method: jwt
+ path: jwt/github
+ role: ecr-ii-push
+ secrets: |
+ secret/data/v2/data-special/infra1-user-ecr-rw aws_ecr_access_key | AWS_ACCESS_KEY ;
+ secret/data/v2/data-special/infra1-user-ecr-rw aws_ecr_secret_key | AWS_SECRET_KEY ;
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-access-key-id: ${{ env.AWS_ACCESS_KEY }}
+ aws-secret-access-key: ${{ env.AWS_SECRET_KEY }}
+ aws-region: us-east-1
+ - name: Login to Amazon ECR
+ uses: aws-actions/amazon-ecr-login@v2
+ with:
+ mask-password: 'true'
+ - name: Backup current cluster tag as old
+ env:
+ ECR_URL: ${{ secrets.ECR_URL }}
+ run: |
+ crane cp \
+ "${ECR_URL}/stable/lcm-bricks:${{ needs.prepare-build.outputs.service_major_version }}-${{ matrix.cluster }}" \
+ "${ECR_URL}/stable/lcm-bricks:${{ needs.prepare-build.outputs.service_major_version }}-${{ matrix.cluster }}-old" \
+ || echo "No existing cluster tag to back up, skipping"
+ - name: Apply cluster-specific tag
+ env:
+ ECR_URL: ${{ secrets.ECR_URL }}
+ run: |
+ crane cp \
+ "${ECR_URL}/stable/lcm-bricks:${{ needs.prepare-build.outputs.service_major_version }}" \
+ "${ECR_URL}/stable/lcm-bricks:${{ needs.prepare-build.outputs.service_major_version }}-${{ matrix.cluster }}"
+ # - name: Register bricks to ${{ matrix.cluster }}
+ # uses: ./.github/actions/rundeck
+ # with:
+ # server: '${{ secrets.RUNDECK_URL }}'
+ # project: ${{ matrix.cluster }}-ansible
+ # job-group: ansible/msf/hotfix
+ # job-name: ${{ matrix.cluster }}_lcm_pipeline_component_tool
+ # vault-url: ${{ secrets.VAULT_ADDRESS }}
+ # - name: Wait for stabilization
+ # run: sleep 900
 create-auto-merge-prod-pr:
 needs: [ prepare-build, build-helmreleases, register-bricks-prod ]
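Review bot: The `|| echo "No existing cluster tag to back up, skipping"` on the backup step masks every `crane cp` failure — an expired credential, a denied push, a transient registry error — not only the missing-source case it is meant for, so the following "Apply cluster-specific tag" step then overwrites the cluster tag and the rollback point is silently lost. Probe for the source tag separately and let the copy itself fail the job, as in the rewrite below. The same rewrite moves `service_major_version` and `matrix.cluster` into `env:`, matching how `ECR_URL` is already passed, so no `${{ }}` expression is expanded straight into the bash body of either `run:` block. I also do not see a step that installs `crane`; presumably it is baked into the `runners-small` image, but that is worth confirming, and since the job (whose header is above the first hunk) now has `id-token: write`, `configure-aws-credentials` could use `role-to-assume` via OIDC rather than the static `aws_ecr_access_key`/`aws_ecr_secret_key` pair fetched from Vault.
```yaml
      - name: Backup current cluster tag as old
        env:
          ECR_URL: ${{ secrets.ECR_URL }}
          MAJOR: ${{ needs.prepare-build.outputs.service_major_version }}
          CLUSTER: ${{ matrix.cluster }}
        run: |
          src="${ECR_URL}/stable/lcm-bricks:${MAJOR}-${CLUSTER}"
          # Only the "tag does not exist yet" case is skippable; a failed
          # copy must fail the job so the -old rollback tag is never stale.
          if crane digest "${src}" >/dev/null 2>&1; then
            crane cp "${src}" "${src}-old"
          else
            echo "No existing cluster tag to back up, skipping"
          fi
      - name: Apply cluster-specific tag
        env:
          ECR_URL: ${{ secrets.ECR_URL }}
          MAJOR: ${{ needs.prepare-build.outputs.service_major_version }}
          CLUSTER: ${{ matrix.cluster }}
        run: |
          crane cp \
            "${ECR_URL}/stable/lcm-bricks:${MAJOR}" \
            "${ECR_URL}/stable/lcm-bricks:${MAJOR}-${CLUSTER}"
      # … unchanged: commented-out rundeck registration and stabilization wait …
```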