cleanup GitHub action releases

.github/workflows/_gcp-deploy.yml

@@ -0,0 +1,87 @@
+name: GCP Deploy
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        description: 'The environment to deploy to'
+        type: string
+
+jobs:
+  gcp-deploy:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    env:
+      IMAGE_PATH: us-west1-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/sourcebot/sourcebot-${{ vars.NEXT_PUBLIC_SOURCEBOT_CLOUD_ENVIRONMENT }}
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@v3'
+        with:
+          submodules: "true"
+
+      # @see: https://github.com/google-github-actions/auth?tab=readme-ov-file#direct-wif
+      - name: 'Google auth'
+        id: 'auth'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          project_id: '${{ secrets.GCP_PROJECT_ID }}'
+          workload_identity_provider: '${{ secrets.GCP_WIF_PROVIDER }}'
+
+      - name: 'Set up Cloud SDK'
+        uses: 'google-github-actions/setup-gcloud@v1'
+        with:
+          project_id: '${{ secrets.GCP_PROJECT_ID }}'
+
+      - name: 'Docker auth'
+        run: |-
+          gcloud auth configure-docker us-west1-docker.pkg.dev
+
+      - name: Configure SSH
+        run: |
+          mkdir -p ~/.ssh/
+          echo "${{ secrets.GCP_SSH_PRIVATE_KEY }}" > ~/.ssh/private.key
+          chmod 600 ~/.ssh/private.key
+          echo "${{ secrets.GCP_SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
+
+      - name: Build Docker image
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ env.IMAGE_PATH }}:${{ github.sha }}
+            ${{ env.IMAGE_PATH }}:latest
+          build-args: |
+            NEXT_PUBLIC_SOURCEBOT_VERSION=${{ github.ref_name }}
+            NEXT_PUBLIC_POSTHOG_PAPIK=${{ vars.NEXT_PUBLIC_POSTHOG_PAPIK }}
+            NEXT_PUBLIC_SOURCEBOT_CLOUD_ENVIRONMENT=${{ vars.NEXT_PUBLIC_SOURCEBOT_CLOUD_ENVIRONMENT }}
+            NEXT_PUBLIC_SENTRY_ENVIRONMENT=${{ vars.NEXT_PUBLIC_SENTRY_ENVIRONMENT }}
+            NEXT_PUBLIC_SENTRY_WEBAPP_DSN=${{ vars.NEXT_PUBLIC_SENTRY_WEBAPP_DSN }}
+            NEXT_PUBLIC_SENTRY_BACKEND_DSN=${{ vars.NEXT_PUBLIC_SENTRY_BACKEND_DSN }}
+            SENTRY_SMUAT=${{ secrets.SENTRY_SMUAT }}
+            SENTRY_ORG=${{ vars.SENTRY_ORG }}
+            SENTRY_WEBAPP_PROJECT=${{ vars.SENTRY_WEBAPP_PROJECT }}
+            SENTRY_BACKEND_PROJECT=${{ vars.SENTRY_BACKEND_PROJECT }}
+
+
+      - name: Deploy to GCP
+        run: |
+          ssh -i ~/.ssh/private.key ${{ secrets.GCP_USERNAME }}@${{ secrets.GCP_HOST }} << 'EOF'
+            # First pull the new image
+            docker pull ${{ env.IMAGE_PATH }}:${{ github.sha }}
+
+            # Stop and remove any existing container
+            docker stop -t 60 sourcebot || true
+            docker rm sourcebot || true
+
+            # Run the new container
+            docker run -d \
+              -p 80:3000 \
+              --rm \
+              --env-file .env \
+              -v /mnt/data:/data \
+              --name sourcebot \
+              ${{ env.IMAGE_PATH }}:${{ github.sha }}
+          EOF

.github/workflows/deploy-prod.yml

@@ -0,0 +1,18 @@
+name: Deploy Prod
+
+on:
+  push:
+    tags: ["v*.*.*"]
+  workflow_dispatch:
+
+jobs:
+  deploy-prod:
+    uses: ./.github/workflows/_gcp-deploy.yml
+    secrets: inherit
+    permissions:
+      contents: 'read'
+      # Requird for OIDC auth with GCP.
+      # @see: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+      id-token: 'write'
+    with:
+      environment: prod

.github/workflows/deploy-staging.yml

@@ -0,0 +1,20 @@
+name: Deploy Staging
+
+on:
+  push:
+    # @todo: remove v3 after merge is complete.
+    branches: [main, v3]
+    tags: ["v*.*.*"]
+  workflow_dispatch:
+
+jobs:
+  deploy-staging:
+    uses: ./.github/workflows/_gcp-deploy.yml
+    secrets: inherit
+    permissions:
+      contents: 'read'
+      # Requird for OIDC auth with GCP.
+      # @see: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+      id-token: 'write'
+    with:
+      environment: staging

.github/workflows/ghcr-publish.yml

@@ -15,6 +15,7 @@ env:
 jobs:
   build:
     runs-on: ${{ matrix.runs-on}}
+    environment: oss
     permissions:
       contents: read
       packages: write
@@ -30,8 +31,6 @@ jobs:
           - platform: linux/arm64
             runs-on: ubuntu-24.04-arm
 
-
-
     steps:
       - name: Prepare
         run: |
@@ -79,8 +78,8 @@ jobs:
           platforms: ${{ matrix.platform }}
           outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
           build-args: |
-            SOURCEBOT_VERSION=${{ github.ref_name }}
-            POSTHOG_PAPIK=${{ secrets.POSTHOG_PAPIK }}
+            NEXT_PUBLIC_SOURCEBOT_VERSION=${{ github.ref_name }}
+            NEXT_PUBLIC_POSTHOG_PAPIK=${{ vars.NEXT_PUBLIC_POSTHOG_PAPIK }}
 
       - name: Export digest
         run: |