Auto-skip dependency installation for production_platform repos

DudeRandom21 · claude · DudeRandom21 · commit 09dfd4c79ead · 2026-03-19T11:34:13.000-04:00
When a repo has production_platform configured and all explicitly configured deploy/rollback/task steps match a known-safe command allowlist (production-platform-next, kubernetes-deploy, kubernetes-restart), skip dependency installation automatically. This unblocks Ruby version upgrades for repos that deploy via production-platform-next, where bundle install fails due to gem incompatibilities with the new Ruby version on the shipit worker, even though those deps are never actually needed for the deploy. Refs Shopify/continuous-deployment#2454 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/app/models/shipit/deploy_spec.rb b/app/models/shipit/deploy_spec.rb
@@ -35,6 +35,12 @@ def pretty_generate?
 
     self.pretty_generate = false
 
+    SAFE_DEPLOY_COMMAND_PREFIXES = %w[
+      production-platform-next
+      kubernetes-deploy
+      kubernetes-restart
+    ].freeze
+
     def initialize(config)
       @config = config
     end
@@ -76,7 +82,18 @@ def directory
 
     def dependencies_steps
       around_steps('dependencies') do
-        config('dependencies', 'override') { discover_dependencies_steps || [] }
+        config('dependencies', 'override') do
+          if skip_dependencies_for_production_platform?
+            Rails.logger.warn(
+              "Skipping dependency installation: stack uses production_platform " \
+              "and has no deploy steps requiring local dependencies. " \
+              "To override, set `dependencies.override` in your shipit.yml."
+            )
+            []
+          else
+            discover_dependencies_steps || []
+          end
+        end
       end
     end
     alias dependencies_steps! dependencies_steps
@@ -264,6 +281,43 @@ def links
 
     private
 
+    def production_platform?
+      config('production_platform').present?
+    end
+
+    def skip_dependencies_for_production_platform?
+      return false unless production_platform?
+
+      # Only check explicitly configured steps. If deploy/rollback rely on auto-discovery
+      # (no override), we conservatively assume dependencies may be needed.
+      # Similarly, discovered task definitions (e.g., kubernetes-restart) are inherently
+      # safe commands and don't need to be checked here.
+      all_steps = Array(config('deploy', 'override')) +
+                  Array(config('deploy', 'pre')) +
+                  Array(config('deploy', 'post')) +
+                  Array(config('rollback', 'override')) +
+                  Array(config('rollback', 'pre')) +
+                  Array(config('rollback', 'post')) +
+                  all_task_steps
+
+      all_steps = all_steps.compact
+      return false if all_steps.empty?
+
+      all_steps.all? { |step| safe_deploy_command?(step) }
+    end
+
+    def all_task_steps
+      task_configs = config('tasks') || {}
+      task_configs.values.flat_map { |td| Array(td['steps']) }
+    end
+
+    def safe_deploy_command?(step)
+      step = step.to_s.strip
+      return true if step.empty?
+
+      SAFE_DEPLOY_COMMAND_PREFIXES.any? { |prefix| step == prefix || step.start_with?("#{prefix} ") }
+    end
+
     def around_steps(section)
       steps = yield
       return unless steps
diff --git a/test/models/deploy_spec_test.rb b/test/models/deploy_spec_test.rb
@@ -52,6 +52,120 @@ class DeploySpecTest < ActiveSupport::TestCase
       assert_equal ['before', 'bundle install', 'after'], @spec.dependencies_steps
     end
 
+    test '#dependencies_steps returns empty when production_platform is configured and all steps are safe' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] },
+        'deploy' => { 'override' => ['production-platform-next deploy my-app production-unrestricted'] }
+      )
+      assert_equal [], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps still discovers deps when production_platform has unsafe deploy steps' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] },
+        'deploy' => { 'override' => ['bundle exec rake deploy'] }
+      )
+      @spec.expects(:bundler?).returns(true).at_least_once
+      @spec.expects(:bundle_install).returns(['bundle install'])
+      assert_equal ['bundle install'], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps still discovers deps when production_platform is absent' do
+      @spec.stubs(:load_config).returns({})
+      @spec.expects(:bundler?).returns(true).at_least_once
+      @spec.expects(:bundle_install).returns(['bundle install'])
+      assert_equal ['bundle install'], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps respects explicit override even with production_platform' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] },
+        'dependencies' => { 'override' => ['custom-install'] }
+      )
+      assert_equal ['custom-install'], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps preserves pre/post steps when skipping for production_platform' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] },
+        'deploy' => { 'override' => ['production-platform-next deploy my-app production-unrestricted'] },
+        'dependencies' => { 'pre' => ['echo before'], 'post' => ['echo after'] }
+      )
+      assert_equal ['echo before', 'echo after'], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps skips deps when production_platform tasks only use safe commands' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] },
+        'tasks' => {
+          'restart' => { 'steps' => ['production-platform-next run-once my-app production-unrestricted restart'] }
+        }
+      )
+      assert_equal [], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps does not skip when production_platform task has unsafe steps' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] },
+        'tasks' => {
+          'migrate' => { 'steps' => ['bundle exec rake db:migrate'] }
+        }
+      )
+      @spec.expects(:bundler?).returns(true).at_least_once
+      @spec.expects(:bundle_install).returns(['bundle install'])
+      assert_equal ['bundle install'], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps skips deps when production_platform uses kubernetes-deploy' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] },
+        'deploy' => { 'override' => ['kubernetes-deploy --max-watch-seconds 900 my-namespace my-context'] }
+      )
+      assert_equal [], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps falls through to discovery when deploy step has unknown command' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] },
+        'deploy' => { 'override' => ['some-unknown-deploy-tool --flag'] }
+      )
+      @spec.expects(:discover_dependencies_steps).returns(nil).once
+      assert_equal [], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps does not skip when deploy is safe but rollback is unsafe' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] },
+        'deploy' => { 'override' => ['production-platform-next deploy my-app production-unrestricted'] },
+        'rollback' => { 'override' => ['bundle exec rake rollback'] }
+      )
+      @spec.expects(:bundler?).returns(true).at_least_once
+      @spec.expects(:bundle_install).returns(['bundle install'])
+      assert_equal ['bundle install'], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps does not skip when deploy.pre has unsafe steps' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] },
+        'deploy' => {
+          'pre' => ['bundle exec rake before_deploy'],
+          'override' => ['production-platform-next deploy my-app production-unrestricted']
+        }
+      )
+      @spec.expects(:bundler?).returns(true).at_least_once
+      @spec.expects(:bundle_install).returns(['bundle install'])
+      assert_equal ['bundle install'], @spec.dependencies_steps
+    end
+
+    test '#dependencies_steps does not skip when production_platform has no deploy override configured' do
+      @spec.stubs(:load_config).returns(
+        'production_platform' => { 'application' => 'my-app', 'runtime_ids' => ['production-unrestricted'] }
+      )
+      @spec.expects(:bundler?).returns(true).at_least_once
+      @spec.expects(:bundle_install).returns(['bundle install'])
+      assert_equal ['bundle install'], @spec.dependencies_steps
+    end
+
     test '#fetch_deployed_revision_steps! is unknown by default' do
       assert_raises DeploySpec::Error do
         @spec.fetch_deployed_revision_steps!
