fix(webapp): guard failBackgroundWorkerDeployment with BUILDING predicate

myftija · myftija · commit 5cba4853a87d · 2026-05-28T21:08:51.000+02:00
Symmetric with the BUILDING → DEPLOYING `updateMany` guard. Without this,
two attempts running side-by-side (idempotency lets the retry proceed past
worker creation) can produce: A succeeds and flips to DEPLOYING; B hits a
transient file/resource/schedule error and unconditionally flips to FAILED;
A's subsequent guarded update finds 0 rows; deployment is stuck in FAILED
with a worker registered but never deployed.

Now the failure handler only flips status on rows that are still BUILDING.
The timeout dequeue is also gated on the actual flip so we don't cancel a
sibling attempt's just-enqueued timeout.
diff --git a/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV4.server.ts b/apps/webapp/app/v3/services/createDeploymentBackgroundWorkerV4.server.ts
@@ -232,9 +232,14 @@ export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
   }
 
   async #failBackgroundWorkerDeployment(deployment: WorkerDeployment, error: Error) {
-    await this._prisma.workerDeployment.update({
+    // Guarded BUILDING → FAILED transition, symmetric with the BUILDING → DEPLOYING
+    // transition in `call()`. With idempotent retries, two attempts can run side-by-side;
+    // without the predicate, one attempt's failure could downgrade the deployment after
+    // the other already flipped it to DEPLOYING, leaving it stuck in FAILED with a worker.
+    const { count: updatedCount } = await this._prisma.workerDeployment.updateMany({
       where: {
         id: deployment.id,
+        status: "BUILDING",
       },
       data: {
         status: "FAILED",
@@ -246,7 +251,20 @@ export class CreateDeploymentBackgroundWorkerServiceV4 extends BaseService {
       },
     });
 
-    await TimeoutDeploymentService.dequeue(deployment.id, this._prisma);
+    if (updatedCount === 0) {
+      logger.warn(
+        "failBackgroundWorkerDeployment: deployment moved out of BUILDING during call, skipping FAILED transition",
+        {
+          deploymentId: deployment.id,
+          originalError: error.message,
+        }
+      );
+    } else {
+      // Only dequeue the timeout if we actually flipped to FAILED — otherwise a
+      // sibling attempt may have just enqueued it as part of a successful
+      // BUILDING → DEPLOYING transition.
+      await TimeoutDeploymentService.dequeue(deployment.id, this._prisma);
+    }
 
     throw error;
   }
