Recreate topic bootstrap job during deploy

Proof: full npm test passes 238/238; deploy workflow static test and bootstrap script static test cover deletion of immutable redpanda-topic-bootstrap job before manifest apply.

Assumptions: redpanda-topic-bootstrap is idempotent and safe to recreate because it only ensures Kafka topics and retention settings.

Still fake: venue-native terminal fill ids and realized fee/PnL attribution remain unavailable.

.forgejo/workflows/deploy.yml

@@ -175,6 +175,8 @@ jobs:
 
       - name: Apply release manifests and wait for rollout
         run: |
+          kubectl -n "$PROJECT_NAMESPACE" delete job redpanda-topic-bootstrap --ignore-not-found=true
+
           # Apply the rendered image after the build so no deployment ever falls back to bootstrap placeholders.
           kubectl kustomize "$WORKSPACE_DIR/deploy/k8s/base" \
             | python3 "$WORKSPACE_DIR/scripts/deploy/render_release_manifest.py" --image "$IMAGE" \

scripts/deploy/bootstrap.sh

@@ -213,6 +213,8 @@ APP_MANIFEST_IMAGE="${PROJECT_RELEASE_IMAGE:-$(current_release_image)}"
 BOOTSTRAP_IMAGE="ghcr.io/example/unrip:bootstrap"
 
 echo "applying app manifests"
+kubectl -n "$PROJECT_NAMESPACE" delete job redpanda-topic-bootstrap --ignore-not-found=true
+
 if [[ -n "$APP_MANIFEST_IMAGE" && "$APP_MANIFEST_IMAGE" != "$BOOTSTRAP_IMAGE" ]]; then
   kubectl kustomize "$ROOT_DIR/deploy/k8s/base" \
     | python3 "$ROOT_DIR/scripts/deploy/render_release_manifest.py" --image "$APP_MANIFEST_IMAGE" \

test/bootstrap_script_static_test.py

@@ -20,6 +20,14 @@ class BootstrapScriptStaticTest(unittest.TestCase):
         self.assertIn('--from-literal=OPERATOR_DASHBOARD_AUTH_PASSWORD="$OPERATOR_DASHBOARD_AUTH_PASSWORD"', source)
         self.assertIn('--operator-dashboard-auth-password "$OPERATOR_DASHBOARD_AUTH_PASSWORD"', source)
 
+    def test_bootstrap_recreates_immutable_topic_bootstrap_job(self):
+        source = (ROOT / 'scripts/deploy/bootstrap.sh').read_text()
+        delete_index = source.find('delete job redpanda-topic-bootstrap --ignore-not-found=true')
+        apply_index = source.find('kubectl kustomize "$ROOT_DIR/deploy/k8s/base"')
+        self.assertGreater(delete_index, -1)
+        self.assertGreater(apply_index, -1)
+        self.assertLess(delete_index, apply_index)
+
 
 if __name__ == '__main__':
     unittest.main()

test/deploy-workflow-static.test.mjs

@@ -13,6 +13,14 @@ test('deploy workflow upserts dashboard password before applying public dashboar
   assert.match(workflow, /--patch-file "\$patch_file"/);
 });
 
+test('deploy workflow recreates immutable topic bootstrap job through the repo path', () => {
+  const deleteIndex = workflow.indexOf('delete job redpanda-topic-bootstrap --ignore-not-found=true');
+  const applyIndex = workflow.indexOf('kubectl kustomize "$WORKSPACE_DIR/deploy/k8s/base"');
+  assert.ok(deleteIndex > -1, 'workflow deletes the immutable bootstrap job');
+  assert.ok(applyIndex > -1, 'workflow applies rendered manifests');
+  assert.ok(deleteIndex < applyIndex, 'workflow deletes the immutable bootstrap job before applying manifests');
+});
+
 test('Forgejo bootstrap can publish dashboard password as a repo action secret', () => {
   assert.match(forgejoBootstrap, /--operator-dashboard-auth-password/);
   assert.match(forgejoBootstrap, /OPERATOR_DASHBOARD_AUTH_PASSWORD/);