Skip to content

ci: deploy the generic image to Axion staging on each main build#41

Merged
sangwa merged 2 commits into
mainfrom
ci/staging-deploy-generic-image
Jul 3, 2026
Merged

ci: deploy the generic image to Axion staging on each main build#41
sangwa merged 2 commits into
mainfrom
ci/staging-deploy-generic-image

Conversation

@sangwa

@sangwa sangwa commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

What

Adds deploy-staging.yml — the staging CD bridge for the generic (non-Thai) agent-sandbox image.

After a green Build and Push run (or a manual dispatch), it:

  1. resolves the built image's immutable sha-<short> tag + GHCR digest, then
  2. dispatches gitops-apps/.github/workflows/axion.yaml with component=sandbox.

axion.yaml's update job then pins the sandbox tag:/digest: in the staging values.yaml, packages the tenant OCI artifact, and reconciles Flux — the same path every other Axion image takes to staging.

Why dispatch (not a direct commit)

GITOPS_APPS_PAT is a dispatch-only PAT (Actions:write, no Contents:write) — the same one the axionhypothesis image workflows use. So this mirrors axionhypothesis build-images.yamldeploy-staging: gh workflow run axion.yaml. It is the staging sibling of deploy-thailand.yml, which instead pushes tagged releases into gitops-siam-ai (a Contents:write PAT + plain Flux-watches-git).

Entry points

  • workflow_run on Build and Push — continuous, main-only (guards on environment=staging from build.yml's deploy-info artifact, so a feature-branch build can't clobber staging).
  • workflow_dispatch — manual pin / rollback. Empty image_tag deploys the branch's image (de-referenced from the moving tag to its immutable sha-); or pass an exact sha-<commit> / X.Y.Z.

Depends on / prerequisites

  • gitops-apps already merged: sandbox added as a supported axion.yaml component (EternisAI/gitops-apps@95a8dbe). Without it a component=sandbox dispatch would fail — so merge order is gitops-apps first (done), this PR second.
  • GITOPS_APPS_PAT must be available to this repo as secrets.GITOPS_APPS_PAT (repo-level, dispatch-only — same value/scope as in axionhypothesis).

After merge

Staging stays on tag: latest until the next green main build of this repo, or a manual Run workflow on Deploy (Staging) with an empty image_tag.

Summary by CodeRabbit

  • New Features
    • Added a staging deployment workflow that can run automatically after a successful main build or be started manually.
    • Automatically selects an immutable image version and forwards the resolved image details to the deployment process.
  • Bug Fixes
    • Prevents staging deployments from using mutable or missing image tags by resolving to a content-addressed digest.
    • Avoids accidental deployments by only triggering for supported staging scenarios.

Add deploy-staging.yml: after a green "Build and Push" run (or a manual
dispatch), resolve the built image's immutable sha- tag and GHCR digest
and dispatch the gitops-apps deploy pipeline (axion.yaml) with
component=sandbox. That pins the sandbox tag/digest in the staging
values.yaml, packages the tenant OCI artifact, and reconciles Flux.

Mirrors how the axionhypothesis image workflows deploy to staging
(gh workflow run axion.yaml, dispatch-only GITOPS_APPS_PAT). This is the
staging sibling of deploy-thailand.yml, which instead pushes tagged
releases into gitops-siam-ai (a Contents:write PAT + plain Flux-git).

Continuous on main only (workflow_run guards on environment=staging from
build.yml deploy-info); workflow_dispatch supports manual/rollback pins.
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0d251835-db9c-4747-b83d-8d6dc08d294c

📥 Commits

Reviewing files that changed from the base of the PR and between 2956738 and f7dcafa.

📒 Files selected for processing (1)
  • .github/workflows/deploy-staging.yml

Walkthrough

This pull request adds a new GitHub Actions workflow, Deploy (Staging), for staging deployments. It runs on successful completion of Build and Push on main or via manual dispatch, resolves sandbox image tags to immutable digests, de-references moving tags to matching sha-* tags when needed, and dispatches the gitops-apps axion.yaml workflow with the resolved tag and digest. Concurrency is serialized and job permissions are read-only.

Estimated code review effort: 4 (Complex) | ~45 minutes

Possibly related PRs

  • EternisAI/agent-sandbox#38: Shares the same tag-to-digest pinning flow, including the fast-path sha-${GITHUB_SHA::7} check and fallback scan over sha-* tags.

Poem

A rabbit tapped the YAML tree,
Found a digest hiding in the sea. 🐇
From moving tags to sha so neat,
The staging hop is now complete.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the new staging deploy workflow for the generic image on main builds.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/staging-deploy-generic-image

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-staging.yml:
- Around line 45-47: Restrict the deploy-staging workflow trigger so the
workflow_run event only fires for the Build and Push workflow on main, and
update the deploy gate logic to stop trusting deploy-info.json as the source of
truth. In the workflow job that handles the upstream run, add the main branch
filter on workflow_run and derive the pinned image tag from
github.event.workflow_run.head_sha instead of reading it from the downloaded
artifact; use the existing deploy job and artifact-handling steps as the place
to make this change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5a03eb14-098f-4ab6-ad7e-28ada6a1b576

📥 Commits

Reviewing files that changed from the base of the PR and between 5a43635 and 2956738.

📒 Files selected for processing (1)
  • .github/workflows/deploy-staging.yml

Comment thread .github/workflows/deploy-staging.yml
Address PR review: instead of reading the built tag from build.yml's
deploy-info artifact (and guarding on its environment field), filter the
workflow_run trigger to branches: [main] and derive the immutable tag
straight from the built commit (workflow_run.head_sha) — build.yml tags
sha-<short> off the same SHA. The digest is still resolved from GHCR, the
source of truth.

Drops the artifact download, the environment/skip guard, and actions:read.
@sangwa sangwa merged commit 98cc915 into main Jul 3, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant