inject preview deployments into nested stacks

[xh3b4sd]

Fixes https://linear.app/splits/issue/PE-4885/emit-debug-logs-for-every-single-release-that-causes-state-drift-in.
Towards https://linear.app/splits/issue/PE-4788/support-vercel-like-preview-deployments.

{
    "time": "2025-09-17 15:38:12",
    "level": "info",
    "message": "continuing reconciliation loop",
    "domain": "1D0FD508.lite.testing.splits.org",
    "reason": "detected state drift",
    "release": "splits-lite",
    "version": "e307253e62c2da119579e2505db0b6185642ab9b",
    "caller": "/Users/xh3b4sd/project/0xSplits/kayron/pkg/operator/policy/ensure.go:68"
}

[xh3b4sd]

This is ugly, but this enables us to reuse some information in one place, which we already fetched from the Github API in another place. E.g. the preview worker handler resets the preview flag of the release artifact of any main release that defines preview releases for its entire repository. I don't know how to make this better at this point in time.

[xh3b4sd]

We are hashing branch names for identifying preview deployments inside all of AWS. We also have to create the preview deployment domain using some kind of deterministic identifier based on the preview branch. Turned out we cannot just use branch names in preview domains because branch names have a far wider character set than domain names allow for. E.g. the domain feature/branch.lite.splits.org is invalid.

[xh3b4sd]

We are marking almost all worker handlers in Kayron as always active. The alternative would be to wrap every worker handler in a proxy worker handler, but I thought this approach here is more explicit.

[xh3b4sd]

At this point we have potentially many ECS Services using the same service tag. So we have to differentiate via the preview tags, which contain the branch based preview hashes.

[xh3b4sd]

Here we potentially inject the preview deployments into the CloudFormation templates before uploading to S3.

[xh3b4sd]

Here we can see how the CloudFormation templates get extended.

[mihoward21]

and it just keeps adding to the end as new previews are created? and then once a preview is done (i.e. PR is merged/closed) it drops the updates in here related to that PR?

[xh3b4sd]

At the moment we only append. If we have outputs in those appended templates we can make sure to put the expanded resources into the Resources section properly.

Once the pull requests are not open anymore the respective resources do not get added anymore to the templates, because when we look for open pull requests in pkg/preview/expand.go, then we will not get that merged/closed result anymore.

	opt := &github.PullRequestListOptions{
		State: "open",
		ListOptions: github.ListOptions{
			PerPage: 100,
		},
	}

	var pul []*github.PullRequest
	{
		pul, _, err = p.git.PullRequests.List(context.Background(), p.own, rel.Github.String(), opt)
		if err != nil {
			return nil, tracer.Mask(err)
		}
	}

[xh3b4sd]

We do not deploy previews for e.g. dependabot PRs. We can extend this list any time.

[xh3b4sd]

Here is where the ref comes from that we already fetched when searching for pull requests. If we have this ref, then we do not need to lookup those refs for every single branch in the reference worker handler.

[xh3b4sd]

This here is all super ugly, but it works.

[xh3b4sd]

We should see something like this in the logs

[mihoward21]

ok, went through it all. just a few comments/questions. is this wired up on splits lite right now? can i go create some branches/pr's and play around with it there?

[mihoward21]

what exactly is this doing? can't tell what the regex is looking for / replacing

[mihoward21]

ah ok i see below in the test how this works.

[mihoward21]

so do we need to "reserve" a certain number of priorities per service? i.e. lite.splits.org is allotted 50 - 99, explorer.splits.org is allotted 100 - 149, teams.splits.org is allotted 150 - 199?

[mihoward21]

ah well i guess just for the testing environment. but yea i think the same general idea.

[mihoward21]

and it just keeps adding to the end as new previews are created? and then once a preview is done (i.e. PR is merged/closed) it drops the updates in here related to that PR?

[xh3b4sd]

can i go create some branches/pr's and play around with it there?

This should work for all deployed services that we define releases for. Saying that, I am realizing we can shoot ourselves potentially in the foot by defining previews for e.g. Kayron itself. That wouldn't work because Kayron is not exposed to the internet, and therefore doesn't have e.g. the ListenerRule to copy. And so the stack update would fail etc. Maybe we need a whitelist/blacklist approach here or document those details some more. Having said that, removing the preview config from the release definition should bring the CloudFormation stack back to health again, so the failed state is not critical.

For Splits Lite this works already. See 0xSplits/splits-lite#44.