ci: deploy the generic image to Axion staging on each main build #41
Add deploy-staging.yml: after a green "Build and Push" run (or a manual dispatch), resolve the built image's immutable sha- tag and GHCR digest and dispatch the gitops-apps deploy pipeline (axion.yaml) with component=sandbox. That pins the sandbox tag/digest in the staging values.yaml, packages the tenant OCI artifact, and reconciles Flux. Mirrors how the axionhypothesis image workflows deploy to staging (gh workflow run axion.yaml, dispatch-only GITOPS_APPS_PAT). This is the staging sibling of deploy-thailand.yml, which instead pushes tagged releases into gitops-siam-ai (a Contents:write PAT + plain Flux-git). Continuous on main only (workflow_run guards on environment=staging from build.yml deploy-info); workflow_dispatch supports manual/rollback pins.
Actionable comments posted: 1
Inline comments:
In `.github/workflows/deploy-staging.yml`:
- Around lines 45-47: Restrict the deploy-staging workflow trigger so the `workflow_run` event only fires for the Build and Push workflow on main, and update the deploy gate logic to stop trusting `deploy-info.json` as the source of truth. In the workflow job that handles the upstream run, add the main branch filter on `workflow_run` and derive the pinned image tag from `github.event.workflow_run.head_sha` instead of reading it from the downloaded artifact; use the existing deploy job and artifact-handling steps as the place to make this change.
Address PR review: instead of reading the built tag from build.yml's deploy-info artifact (and guarding on its environment field), filter the workflow_run trigger to branches: [main] and derive the immutable tag straight from the built commit (workflow_run.head_sha) — build.yml tags sha-<short> off the same SHA. The digest is still resolved from GHCR, the source of truth. Drops the artifact download, the environment/skip guard, and actions:read.
What

Adds `deploy-staging.yml` — the staging CD bridge for the generic (non-Thai) `agent-sandbox` image. After a green Build and Push run (or a manual dispatch), it:
- resolves the immutable `sha-<short>` tag + GHCR digest, then
- dispatches `gitops-apps/.github/workflows/axion.yaml` with `component=sandbox`.

`axion.yaml`'s `update` job then pins the sandbox `tag:`/`digest:` in the staging `values.yaml`, packages the tenant OCI artifact, and reconciles Flux — the same path every other Axion image takes to staging.

Why dispatch (not a direct commit)

`GITOPS_APPS_PAT` is a dispatch-only PAT (Actions:write, no Contents:write) — the same one the `axionhypothesis` image workflows use. So this mirrors `axionhypothesis` `build-images.yaml` → `deploy-staging`: `gh workflow run axion.yaml`. It is the staging sibling of `deploy-thailand.yml`, which instead pushes tagged releases into `gitops-siam-ai` (a Contents:write PAT + plain Flux-watches-git).

Entry points

- `workflow_run` on Build and Push — continuous, main-only (guards on `environment=staging` from `build.yml`'s `deploy-info` artifact, so a feature-branch build can't clobber staging).
- `workflow_dispatch` — manual pin / rollback. Empty `image_tag` deploys the branch's image (de-referenced from the moving tag to its immutable `sha-`); or pass an exact `sha-<commit>` / `X.Y.Z`.

Depends on / prerequisites

- `sandbox` added as a supported `axion.yaml` component (EternisAI/gitops-apps@95a8dbe). Without it a `component=sandbox` dispatch would fail — so merge order is gitops-apps first (done), this PR second.
- `GITOPS_APPS_PAT` must be available to this repo as `secrets.GITOPS_APPS_PAT` (repo-level, dispatch-only — same value/scope as in axionhypothesis).

After merge

Staging stays on `tag: latest` until the next green main build of this repo, or a manual Run workflow on Deploy (Staging) with an empty `image_tag`.
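As an added illustration (not the PR's own `deploy-staging.yml`), here is what the trigger and tag derivation look like once the review comment is applied: `workflow_run` filtered to `main`, the `sha-` tag derived from `workflow_run.head_sha` rather than from a downloaded artifact, untrusted inputs passed to the script via `env` instead of `${{ }}` interpolation, and the digest still resolved from GHCR. The image path, the 7-character short SHA, the `tag`/`digest` input names of `axion.yaml`, and using `github.sha` directly on a manual dispatch with an empty `image_tag` are assumptions.

```yaml
name: Deploy (Staging)
on:
  workflow_run:
    workflows: ["Build and Push"]
    types: [completed]
    branches: [main]            # feature-branch builds never reach the deploy job
  workflow_dispatch:
    inputs:
      image_tag:
        description: "Exact sha-<commit> or X.Y.Z; empty = this branch's HEAD build"
        required: false
        default: ""
jobs:
  deploy:
    # a workflow_run must be green; a manual dispatch is always allowed
    if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    permissions:
      packages: read            # GITHUB_TOKEN only needs to read GHCR; no actions:read needed
    env:
      IMAGE: ghcr.io/OWNER/agent-sandbox      # placeholder image path (not given in the PR)
      INPUT_TAG: ${{ inputs.image_tag }}      # untrusted input enters the script via env only
      HEAD_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
    steps:
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Derive the immutable tag from the built commit, then resolve its GHCR digest
        id: img
        run: |
          set -euo pipefail
          tag="${INPUT_TAG:-sha-${HEAD_SHA:0:7}}"   # assumes build.yml tags with a 7-char short SHA
          # accept only the two tag shapes this workflow promises to deploy
          printf '%s\n' "$tag" | grep -Eq '^(sha-[0-9a-f]{7,40}|[0-9]+\.[0-9]+\.[0-9]+)$'
          digest=$(docker buildx imagetools inspect "$IMAGE:$tag" --format '{{.Manifest.Digest}}')
          echo "tag=$tag"       >> "$GITHUB_OUTPUT"
          echo "digest=$digest" >> "$GITHUB_OUTPUT"
      - name: Dispatch the gitops-apps deploy pipeline (pins tag + digest in staging values.yaml)
        env:
          GH_TOKEN: ${{ secrets.GITOPS_APPS_PAT }}   # dispatch-only PAT: Actions:write, no Contents:write
          TAG: ${{ steps.img.outputs.tag }}
          DIGEST: ${{ steps.img.outputs.digest }}
        run: |
          # input names tag/digest are assumed; component=sandbox is the value the PR uses
          gh workflow run axion.yaml --repo EternisAI/gitops-apps \
            -f component=sandbox -f tag="$TAG" -f digest="$DIGEST"
```

The `grep -Eq` line makes a malformed or injected `image_tag` fail the job before anything is dispatched, and `--format '{{.Manifest.Digest}}'` returns the index digest for a multi-arch image, which is the value to pin.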