feat: add failure diagnostics and fix health check asymmetry

owine · claude · owine · commit a536998f230a · 2026-03-14T18:46:32.000-05:00
Capture container states, health check output, and container
logs at the point of deployment failure before rollback destroys
the evidence. Run health check after any deployment attempt,
not just successful ones, so new stack failures get the same
diagnostic treatment as existing stacks.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -658,7 +658,9 @@ jobs:
 
       - name: Health Check All Services
         id: health
-        if: steps.backup.outputs.deployment_needed == 'true' && (steps.deploy-existing.outcome == 'success' || steps.deploy-existing.outcome == 'skipped') && (steps.deploy-new.outcome == 'success' || steps.deploy-new.outcome == 'skipped')
+        # Run health check after any deployment attempt (success or failure) to capture system state
+        # When a deployment fails, this provides diagnostics before rollback cleans up containers
+        if: steps.backup.outputs.deployment_needed == 'true' && (steps.deploy-existing.conclusion != 'skipped' || steps.deploy-new.conclusion != 'skipped')
         continue-on-error: true
         run: |
           # Use auto-detected critical stacks if enabled, otherwise use manual input
diff --git a/scripts/deployment/deploy-stacks.sh b/scripts/deployment/deploy-stacks.sh
@@ -206,6 +206,50 @@ fi
       DEPLOY_TIMEOUT=$((IMAGE_PULL_TIMEOUT + SERVICE_STARTUP_TIMEOUT))
       if ! timeout $DEPLOY_TIMEOUT op run --env-file=/opt/compose/compose.env -- docker compose -f compose.yaml up -d --build --pull always --quiet-pull --quiet-build --wait --remove-orphans $COMPOSE_ARGS; then
         echo "❌ Failed to deploy $STACK during $OPERATION (timeout or error)"
+        echo ""
+        echo "📋 Failure Diagnostics for $STACK"
+        echo "────────────────────────────────────────────────────────────────"
+
+        # Capture container states (requires op run to parse compose.yaml)
+        echo "📊 Container States:"
+        op run --env-file=/opt/compose/compose.env -- docker compose -f compose.yaml ps -a --format 'table {{.Name}}\t{{.Service}}\t{{.State}}\t{{.Health}}' 2>/dev/null || echo "  ⚠️ Could not retrieve container states"
+        echo ""
+
+        # Capture logs and health output from unhealthy/failed containers (plain docker - no op run needed)
+        ps_output=$(op run --env-file=/opt/compose/compose.env -- docker compose -f compose.yaml ps -a --format '{{.Name}}\t{{.State}}\t{{.Health}}' 2>/dev/null || echo "")
+        while IFS=$'\t' read -r name state health; do
+          [ -z "$name" ] && continue
+          capture=false
+          case "$state" in
+            running)
+              [ "$health" = "unhealthy" ] || [ "$health" = "starting" ] && capture=true
+              ;;
+            exited|restarting)
+              capture=true
+              ;;
+          esac
+
+          if [ "$capture" = true ]; then
+            echo "🔸 Container: $name ($state / $health)"
+            echo "────────────────────────────────"
+
+            # Health check output (last 3 checks)
+            has_healthcheck=$(docker inspect --format='{{if .State.Health}}yes{{else}}no{{end}}' "$name" 2>/dev/null) || has_healthcheck="no"
+            if [ "$has_healthcheck" = "yes" ]; then
+              echo "📍 Health Check Output:"
+              docker inspect --format='Status: {{.State.Health.Status}} | FailingStreak: {{.State.Health.FailingStreak}}{{if .State.Health.Log}}{{range $i, $log := .State.Health.Log}}{{if lt $i 3}}
+  [Exit={{.ExitCode}}] {{.Output}}{{end}}{{end}}{{end}}' "$name" 2>/dev/null || echo "  Could not retrieve health output"
+              echo ""
+            fi
+
+            echo "📋 Container Logs (last 50 lines):"
+            docker logs --tail 50 --timestamps "$name" 2>&1 || echo "  ⚠️ Could not retrieve logs"
+            echo "────────────────────────────────"
+            echo ""
+          fi
+        done <<< "$ps_output"
+
+        echo "════════════════════════════════════════════════════════════════"
         exit 1
       fi
 
diff --git a/scripts/deployment/rollback-stacks.sh b/scripts/deployment/rollback-stacks.sh
@@ -230,6 +230,50 @@ ROLLBACK_RESULT=$({
       DEPLOY_TIMEOUT=$((IMAGE_PULL_TIMEOUT + SERVICE_STARTUP_TIMEOUT))
       if ! timeout $DEPLOY_TIMEOUT op run --no-masking --env-file=/opt/compose/compose.env -- docker compose -f compose.yaml up -d --build --pull always --quiet-pull --quiet-build --wait --remove-orphans $COMPOSE_ARGS; then
         echo "❌ Failed to roll back $STACK during $OPERATION (timeout or error)"
+        echo ""
+        echo "📋 Failure Diagnostics for $STACK"
+        echo "────────────────────────────────────────────────────────────────"
+
+        # Capture container states (requires op run to parse compose.yaml)
+        echo "📊 Container States:"
+        op run --no-masking --env-file=/opt/compose/compose.env -- docker compose -f compose.yaml ps -a --format 'table {{.Name}}\t{{.Service}}\t{{.State}}\t{{.Health}}' 2>/dev/null || echo "  ⚠️ Could not retrieve container states"
+        echo ""
+
+        # Capture logs and health output from unhealthy/failed containers (plain docker - no op run needed)
+        ps_output=$(op run --no-masking --env-file=/opt/compose/compose.env -- docker compose -f compose.yaml ps -a --format '{{.Name}}\t{{.State}}\t{{.Health}}' 2>/dev/null || echo "")
+        while IFS=$'\t' read -r name state health; do
+          [ -z "$name" ] && continue
+          capture=false
+          case "$state" in
+            running)
+              [ "$health" = "unhealthy" ] || [ "$health" = "starting" ] && capture=true
+              ;;
+            exited|restarting)
+              capture=true
+              ;;
+          esac
+
+          if [ "$capture" = true ]; then
+            echo "🔸 Container: $name ($state / $health)"
+            echo "────────────────────────────────"
+
+            # Health check output (last 3 checks)
+            has_healthcheck=$(docker inspect --format='{{if .State.Health}}yes{{else}}no{{end}}' "$name" 2>/dev/null) || has_healthcheck="no"
+            if [ "$has_healthcheck" = "yes" ]; then
+              echo "📍 Health Check Output:"
+              docker inspect --format='Status: {{.State.Health.Status}} | FailingStreak: {{.State.Health.FailingStreak}}{{if .State.Health.Log}}{{range $i, $log := .State.Health.Log}}{{if lt $i 3}}
+  [Exit={{.ExitCode}}] {{.Output}}{{end}}{{end}}{{end}}' "$name" 2>/dev/null || echo "  Could not retrieve health output"
+              echo ""
+            fi
+
+            echo "📋 Container Logs (last 50 lines):"
+            docker logs --tail 50 --timestamps "$name" 2>&1 || echo "  ⚠️ Could not retrieve logs"
+            echo "────────────────────────────────"
+            echo ""
+          fi
+        done <<< "$ps_output"
+
+        echo "════════════════════════════════════════════════════════════════"
         exit 1
       fi
 
