From 7d44ba8e8e2bdc51ba005cacc1d3a6335d80d075 Mon Sep 17 00:00:00 2001
From: "v.oleynikov"
Date: Wed, 13 May 2026 11:57:58 +0300
Subject: [PATCH 1/2] chore(ci): use check_previous_channel_release action

Drops the local .github/check_previous_channel_release.sh in favor of the deckhouse/modules-actions/check_previous_channel_release@v14 composite action, which fixes the version.json parser so it handles pretty-printed multi-line output from yq -o=json as well as the single-line layout. See deckhouse/modules-actions#73.
---
.github/check_previous_channel_release.sh | 38 -------------
.github/workflows/deploy_prod.yml | 65 ++++++++++++++++-------
2 files changed, 45 insertions(+), 58 deletions(-)
delete mode 100644 .github/check_previous_channel_release.sh
diff --git a/.github/check_previous_channel_release.sh b/.github/check_previous_channel_release.sh
deleted file mode 100644
index 6c36466b..00000000
--- a/.github/check_previous_channel_release.sh
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/bash
-
-crane="/usr/local/bin/crane"
-repositoryName=$1
-edition=$2
-channel=$3
-version=$4
-user=$5
-password=$6
-
-echo "Module $repositoryName, edition $edition, channel $channel, version $version"
-
-if [[ "$channel" == "alpha" ]]; then
- echo "Deploying $version to alpha channel"
- exit 0
-elif [[ "$channel" == "beta" ]]; then
- previousChannel="alpha"
-elif [[ "$channel" == "early-access" ]]; then
- previousChannel="beta"
-elif [[ "$channel" == "stable" ]]; then
- previousChannel="early-access"
-elif [[ "$channel" == "rock-solid" ]]; then
- previousChannel="stable"
-else
- echo "Unknown channel"
- exit 1
-fi
-
-echo "Checking previous channel $previousChannel"
-$crane auth login -u $user -p $password registry.deckhouse.io
-previousChannelVersion=$($crane export registry.deckhouse.io/deckhouse/$edition/modules/$repositoryName/release:$previousChannel | grep -aoE '\{"version":".*"\}' | jq -r .version)
-if [[ "$version" == "$previousChannelVersion" ]]; then
- echo "Previous channel $previousChannel version $previousChannelVersion is equal desired version $version, processing"
- exit 0
-else
- echo "Previous channel $previousChannel version $previousChannelVersion is not equal desired version $version, rejecting"
- exit 1
-fi
diff --git a/.github/workflows/deploy_prod.yml b/.github/workflows/deploy_prod.yml
index 952ad20a..977a4ecf 100644
--- a/.github/workflows/deploy_prod.yml
+++ b/.github/workflows/deploy_prod.yml
@@ -79,10 +79,15 @@ jobs:
 registry: ${{ vars.PROD_REGISTRY }}
 registry_login: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
- - name: Check previous release
- run: |
- chmod +x .github/check_previous_channel_release.sh
- .github/check_previous_channel_release.sh $MODULES_MODULE_NAME ce $RELEASE_CHANNEL $MODULES_MODULE_TAG license-token $MODULES_READ_REGISTRY_PASSWORD
+ - uses: deckhouse/modules-actions/check_previous_channel_release@v14
+ with:
+ module_source: "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_MODULE_SOURCE_NAME }}/ce/modules"
+ module_name: ${{ vars.MODULE_NAME }}
+ module_tag: ${{ github.event.inputs.tag }}
+ release_channel: ${{ github.event.inputs.channel }}
+ registry: ${{ vars.PROD_REGISTRY }}
+ registry_login: license-token
+ registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
 - uses: deckhouse/modules-actions/deploy@v4
 with:
 module_source: "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_MODULE_SOURCE_NAME }}/ce/modules"
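Review bot: The added `- uses: deckhouse/modules-actions/check_previous_channel_release@v14` step is referenced by a mutable tag while it is handed `secrets.PROD_MODULES_READ_REGISTRY_PASSWORD`, so whatever `v14` resolves to at run time receives the registry credential and decides whether the release gate passes. Pinning to a full commit SHA with the tag kept as a trailing comment, `uses: deckhouse/modules-actions/check_previous_channel_release@<full-commit-sha> # v14`, makes the gate reproducible and reviewable. The same applies to the identical steps added in the ee, fe, se and se-plus hunks below. The step also dropped its `name: Check previous release`, which made the gate easy to locate in run logs; consider keeping it. The enclosing job starts and ends outside this hunk.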
@@ -108,10 +113,15 @@ jobs:
 registry: ${{ vars.PROD_REGISTRY }}
 registry_login: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
- - name: Check previous release
- run: |
- chmod +x .github/check_previous_channel_release.sh
- .github/check_previous_channel_release.sh $MODULES_MODULE_NAME ee $RELEASE_CHANNEL $MODULES_MODULE_TAG license-token $MODULES_READ_REGISTRY_PASSWORD
+ - uses: deckhouse/modules-actions/check_previous_channel_release@v14
+ with:
+ module_source: "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_MODULE_SOURCE_NAME }}/ee/modules"
+ module_name: ${{ vars.MODULE_NAME }}
+ module_tag: ${{ github.event.inputs.tag }}
+ release_channel: ${{ github.event.inputs.channel }}
+ registry: ${{ vars.PROD_REGISTRY }}
+ registry_login: license-token
+ registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
 - uses: deckhouse/modules-actions/deploy@v4
 with:
 module_source: "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_MODULE_SOURCE_NAME }}/ee/modules"
@@ -137,10 +147,15 @@ jobs:
 registry: ${{ vars.PROD_REGISTRY }}
 registry_login: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
- - name: Check previous release
- run: |
- chmod +x .github/check_previous_channel_release.sh
- .github/check_previous_channel_release.sh $MODULES_MODULE_NAME fe $RELEASE_CHANNEL $MODULES_MODULE_TAG license-token $MODULES_READ_REGISTRY_PASSWORD
+ - uses: deckhouse/modules-actions/check_previous_channel_release@v14
+ with:
+ module_source: "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_MODULE_SOURCE_NAME }}/fe/modules"
+ module_name: ${{ vars.MODULE_NAME }}
+ module_tag: ${{ github.event.inputs.tag }}
+ release_channel: ${{ github.event.inputs.channel }}
+ registry: ${{ vars.PROD_REGISTRY }}
+ registry_login: license-token
+ registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
 - uses: deckhouse/modules-actions/deploy@v4
 with:
 module_source: "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_MODULE_SOURCE_NAME }}/fe/modules"
@@ -166,10 +181,15 @@ jobs:
 registry: ${{ vars.PROD_REGISTRY }}
 registry_login: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
- - name: Check previous release
- run: |
- chmod +x .github/check_previous_channel_release.sh
- .github/check_previous_channel_release.sh $MODULES_MODULE_NAME se $RELEASE_CHANNEL $MODULES_MODULE_TAG license-token $MODULES_READ_REGISTRY_PASSWORD
+ - uses: deckhouse/modules-actions/check_previous_channel_release@v14
+ with:
+ module_source: "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_MODULE_SOURCE_NAME }}/se/modules"
+ module_name: ${{ vars.MODULE_NAME }}
+ module_tag: ${{ github.event.inputs.tag }}
+ release_channel: ${{ github.event.inputs.channel }}
+ registry: ${{ vars.PROD_REGISTRY }}
+ registry_login: license-token
+ registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
 - uses: deckhouse/modules-actions/deploy@v4
 with:
 module_source: "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_MODULE_SOURCE_NAME }}/se/modules"
@@ -195,10 +215,15 @@ jobs:
 registry: ${{ vars.PROD_REGISTRY }}
 registry_login: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
 registry_password: ${{ secrets.PROD_MODULES_REGISTRY_PASSWORD }}
- - name: Check previous release
- run: |
- chmod +x .github/check_previous_channel_release.sh
- .github/check_previous_channel_release.sh $MODULES_MODULE_NAME se-plus $RELEASE_CHANNEL $MODULES_MODULE_TAG license-token $MODULES_READ_REGISTRY_PASSWORD
+ - uses: deckhouse/modules-actions/check_previous_channel_release@v14
+ with:
+ module_source: "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_MODULE_SOURCE_NAME }}/se-plus/modules"
+ module_name: ${{ vars.MODULE_NAME }}
+ module_tag: ${{ github.event.inputs.tag }}
+ release_channel: ${{ github.event.inputs.channel }}
+ registry: ${{ vars.PROD_REGISTRY }}
+ registry_login: license-token
+ registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
 - uses: deckhouse/modules-actions/deploy@v4
 with:
 module_source: "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_MODULE_SOURCE_NAME }}/se-plus/modules"
From 4f0d92a26ccec12521c577eb129453a3c074fb3f Mon Sep 17 00:00:00 2001
From: "v.oleynikov"
Date: Wed, 13 May 2026 13:20:50 +0300
Subject: [PATCH 2/2] chore(ci): read previous channel from PROD_REGISTRY_READ

The check_previous_channel_release composite action now swaps the domain of module_source with its `registry` input before pulling, so the previous-channel image can be read from a read-only registry mirror without changing the deploy target. Pass `vars.PROD_REGISTRY_READ` to take advantage of that. Depends on the swap-domain change in deckhouse/modules-actions (PR #75 for v14).
---
.github/workflows/deploy_prod.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/deploy_prod.yml b/.github/workflows/deploy_prod.yml
index 977a4ecf..9b87e411 100644
--- a/.github/workflows/deploy_prod.yml
+++ b/.github/workflows/deploy_prod.yml
@@ -85,7 +85,7 @@ jobs:
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.event.inputs.tag }}
 release_channel: ${{ github.event.inputs.channel }}
- registry: ${{ vars.PROD_REGISTRY }}
+ registry: ${{ vars.PROD_REGISTRY_READ }}
 registry_login: license-token
 registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
 - uses: deckhouse/modules-actions/deploy@v4
@@ -119,7 +119,7 @@ jobs:
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.event.inputs.tag }}
 release_channel: ${{ github.event.inputs.channel }}
- registry: ${{ vars.PROD_REGISTRY }}
+ registry: ${{ vars.PROD_REGISTRY_READ }}
 registry_login: license-token
 registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
 - uses: deckhouse/modules-actions/deploy@v4
@@ -153,7 +153,7 @@ jobs:
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.event.inputs.tag }}
 release_channel: ${{ github.event.inputs.channel }}
- registry: ${{ vars.PROD_REGISTRY }}
+ registry: ${{ vars.PROD_REGISTRY_READ }}
 registry_login: license-token
 registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
 - uses: deckhouse/modules-actions/deploy@v4
@@ -187,7 +187,7 @@ jobs:
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.event.inputs.tag }}
 release_channel: ${{ github.event.inputs.channel }}
- registry: ${{ vars.PROD_REGISTRY }}
+ registry: ${{ vars.PROD_REGISTRY_READ }}
 registry_login: license-token
 registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
 - uses: deckhouse/modules-actions/deploy@v4
@@ -221,7 +221,7 @@ jobs:
 module_name: ${{ vars.MODULE_NAME }}
 module_tag: ${{ github.event.inputs.tag }}
 release_channel: ${{ github.event.inputs.channel }}
- registry: ${{ vars.PROD_REGISTRY }}
+ registry: ${{ vars.PROD_REGISTRY_READ }}
 registry_login: license-token
 registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
 - uses: deckhouse/modules-actions/deploy@v4
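Review bot: `registry: ${{ vars.PROD_REGISTRY_READ }}` expands to an empty string when that variable is not defined, and nothing visible here shows how the action's domain swap treats an empty `registry`, so a missing variable could make the previous-channel gate fail or read from an unintended host. A fallback such as `registry: ${{ vars.PROD_REGISTRY_READ || vars.PROD_REGISTRY }}` keeps the earlier behaviour in that case. Because the check now trusts the read mirror while the deploy step still targets `PROD_REGISTRY`, a short comment above the line would help, e.g. `# gate reads the previous channel from the read-only mirror; deploy target is unchanged`. The same line changes in all five hunks of this patch, and the surrounding step starts outside each hunk.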