From f5fd4baa8763a90ded78472d0b60d6645dc6491d Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 30 Apr 2026 10:29:39 -0600
Subject: [PATCH] ci: gate sync on successful test workflow run
Switch sync's trigger from `push: branches: [main]` to a workflow_run on the test workflow, with a job-level gate that only proceeds on `conclusion == success` (or manual dispatch). After a merge to main, sync now waits for pre-commit to finish and only patches the ArgoCD Applications if the test passed. The synced revision is the head_sha of the upstream workflow run (falling back to github.sha for manual dispatch).
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/sync.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index 4e4eb64..9aef506 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -1,10 +1,14 @@
 ---
 name: sync
+# Triggered on successful completion of the `test` workflow on main, so a
+# merged PR's pre-commit run gates the ArgoCD sync. Manual dispatch is also
+# supported for re-syncing without a new commit.
 on:
- push:
- branches:
- - main
+ workflow_run:
+ workflows: [test]
+ types: [completed]
+ branches: [main]
 workflow_dispatch:
 permissions:
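Review bot: The `branches: [main]` filter on `workflow_run` matches the head branch name of the triggering run, not the event or repository that produced it, so on its own it does not establish that the run was for a push to this repository's main. If `test` also runs on `pull_request` (its triggers are not visible in this patch), a successful PR run whose head branch happens to be named `main` would satisfy both this filter and the `if:` gate in the second hunk, and its `head_sha` would become the synced revision. I would tighten that gate to `github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.repository)`, and state the push-only assumption in the comment above `on:`.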
@@ -12,15 +16,18 @@ permissions:
 jobs:
 sync:
+ if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
 # In-cluster runner; kubectl uses its auto-mounted SA token to talk to
 # the API directly. The tfroot-runner image has kubectl preinstalled.
 runs-on: arc-tf
 steps:
 - name: Sync ArgoCD bootstrap Applications
+ env:
+ REVISION: ${{ github.event.workflow_run.head_sha || github.sha }}
 run: |
 for app in bootstrap-secrets gitops-operators gitops-workloads; do
 kubectl -n argocd patch application "$app" \
 --type=merge \
- -p '{"operation":{"initiatedBy":{"username":"github-actions"},"sync":{"revision":"${{ github.sha }}"}}}'
+ -p "{\"operation\":{\"initiatedBy\":{\"username\":\"github-actions\"},\"sync\":{\"revision\":\"${REVISION}\"}}}"
 done
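Review bot: Pinning `REVISION` to each run's `head_sha` means the last `test` run to finish decides the deployed revision, not the newest commit on main. If two merges land close together and the run for the older commit completes second, the loop patches all three Applications back to the older SHA. No `concurrency` group or tip-of-main check is visible in this job. Consider a preceding step that skips the patch when `REVISION` is no longer the head of main, or at minimum a comment above `env:` such as `# NOTE: syncs the tested SHA; a slower run for an older commit can re-sync an older revision`.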