78 changes: 43 additions & 35 deletions .github/workflows/production.yml
@@ -6,28 +6,27 @@ on:
workflow_dispatch:

env:
ENVIRONMENT: production
PROJECT: website
DECLARATIVE_OWNER: appwrite-labs
DECLARATIVE_REPOSITORY: assets-applications
TAG: ${{ github.event.release.tag_name || github.sha }}
STACK_FILE: docker/production.yml
REPOSITORY: website
REGISTRY_USERNAME: christyjacob4
Comment on lines 9 to +12
P2 Three unused env vars left in the workflow

STACK_FILE, REPOSITORY, and REGISTRY_USERNAME are declared in env but are never referenced by any step in the workflow. These appear to be leftovers from an older docker-compose-style deployment approach and can be safely removed to keep the workflow clean.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!


jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout the repo
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@v4

- name: Login to DockerHub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
uses: docker/build-push-action@v6
Comment on lines +19 to +29
P1 security Unpinned action references expose supply chain risk

This revert drops the SHA-pinned action references that PR #3061 introduced (e.g., actions/checkout@34e114876..., docker/build-push-action@10e90e36...) in favor of mutable version tags (@v4, @v3, @v6). Mutable tags can be silently redirected by a compromised or hijacked upstream account, meaning the next deployment run could execute attacker-controlled code with access to all the secrets passed in this workflow (DIGITALOCEAN_ACCESS_TOKEN, GHCR_TOKEN, STATSIG_SERVER_SECRET, etc.). The same regression affects every unpinned action in staging.yml.

with:
context: .
push: true
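Review bot: The step named `Login to DockerHub` now authenticates to `registry: ghcr.io` with `${{ github.actor }}` and `${{ secrets.GITHUB_TOKEN }}`, so its name no longer describes what it does; rename it `Login to GitHub Container Registry` (the name staging.yml already uses) so anyone auditing which registries receive credentials is not misled. Separately, `TAG: ${{ github.event.release.tag_name || github.sha }}` means a `workflow_dispatch` run without a release tags the image with the commit SHA, which is fine, but it is worth stating that fallback in a comment next to the `env:` block since the deploy job below keys entirely off `TAG`.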
@@ -50,40 +49,49 @@ jobs:
"SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}"
"SENTRY_RELEASE=${{ github.event.release.tag_name }}"

deploy:
deploy_kubernetes:
if: github.event_name != 'release' || !contains(github.event.release.tag_name, '-rc')
strategy:
matrix:
region: [{ full: fra1, short: fra }]
needs: build
runs-on: ubuntu-latest
concurrency:
group: declarative-deploy-website
cancel-in-progress: false
steps:
- name: Get token for ${{ env.DECLARATIVE_REPOSITORY }}
id: app-token
uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
- name: Checkout the repo
uses: actions/checkout@v4
- name: Install Kubectl
uses: azure/setup-kubectl@v4
- name: Install Helm
uses: azure/setup-helm@v4
- name: Install doctl
uses: digitalocean/action-doctl@v2
with:
app-id: ${{ vars.DECLARATIVE_DEPLOYMENT_GITHUB_APP_ID }}
private-key: ${{ secrets.DECLARATIVE_DEPLOYMENT_GITHUB_APP_PRIVATE_KEY }}
owner: ${{ env.DECLARATIVE_OWNER }}
repositories: ${{ env.DECLARATIVE_REPOSITORY }}
token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
- name: Save DigitalOcean kubeconfig with short-lived credentials
run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 assets-${{ matrix.region.full }}-prod

- name: Checkout ${{ env.DECLARATIVE_REPOSITORY }}
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
repository: ${{ env.DECLARATIVE_OWNER }}/${{ env.DECLARATIVE_REPOSITORY }}
token: ${{ steps.app-token.outputs.token }}
- name: Ensure namespaces exist
run: |
kubectl create namespace website --dry-run=client -o yaml | kubectl apply -f -

- name: Update image tag
run: yq -i '.website.image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
- name: Create docker pull secret
run: |
kubectl -n website create secret docker-registry ghcr \
--docker-server=ghcr.io \
--docker-username=${{ secrets.GHCR_USERNAME }} \
--docker-password=${{ secrets.GHCR_TOKEN }} \
--docker-email=ci@appwrite.io \
--dry-run=client -o yaml | kubectl apply -f -

- name: Create app secrets
run: |
kubectl -n website create secret generic website-secrets \
--from-literal=STATSIG_SERVER_SECRET='${{ secrets.STATSIG_SERVER_SECRET }}' \
--dry-run=client -o yaml | kubectl apply -f -

- name: Commit and push
- name: Deploy
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
if git diff --cached --quiet; then
echo "No changes to commit"
else
git commit -m "chore(${{ env.ENVIRONMENT }}): ${{ env.PROJECT }} image tag to ${{ env.TAG }}"
git push
fi
helm upgrade --install --namespace website website deploy/website/ \
--values deploy/website/environments/production/${{ matrix.region.full }}.values.yaml \
--set imagePullSecret='ghcr' \
--set version=${{ env.TAG }}
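Review bot: In the `Create docker pull secret` and `Create app secrets` steps, `${{ secrets.GHCR_TOKEN }}` and `${{ secrets.STATSIG_SERVER_SECRET }}` are interpolated straight into the `run:` script text, so the raw secret becomes part of the shell command line (visible in the runner's process list, and a value containing `'` or `$` can break or alter the command). Pass them through the step's `env:` block and reference them as `"$GHCR_TOKEN"` and `"$STATSIG_SERVER_SECRET"` instead; the `--dry-run=client -o yaml | kubectl apply -f -` pattern itself is fine. The `concurrency: group: declarative-deploy-website` block was also removed; `helm upgrade --install` is idempotent, but two overlapping runs on the same release will make the second fail with Helm's "another operation is in progress" error, so a per-region concurrency group is still worth keeping. Finally, `SENTRY_RELEASE=${{ github.event.release.tag_name }}` is empty on a `workflow_dispatch` run while `TAG` falls back to `github.sha`; using `${{ env.TAG }}` there keeps the Sentry release aligned with the image that is actually deployed.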
19 changes: 8 additions & 11 deletions .github/workflows/staging.yml
@@ -25,24 +25,24 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the repo
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@v6

- name: Login to GitHub Container Registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY_GITHUB }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Login to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY_DOCKERHUB }}
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
uses: docker/build-push-action@v6
with:
context: .
push: true
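Review bot: The SHA pins on `actions/checkout`, `docker/login-action` and `docker/build-push-action` are dropped here as well, so the production.yml comment about mutable tags applies to staging too, and this job additionally holds `DOCKERHUB_USERNAME` / `DOCKERHUB_TOKEN`, so a redirected tag would expose credentials for both registries. If the pins were reverted because keeping the SHAs current is tedious, the `# v6.0.3`-style trailing version comment is exactly what Dependabot and Renovate use to bump pinned SHAs automatically, so the pins can be restored without the maintenance cost.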
@@ -69,33 +69,30 @@ jobs:
deploy:
needs: build
runs-on: ubuntu-latest
concurrency:
group: declarative-deploy-website
cancel-in-progress: false
steps:
- name: Get token for ${{ env.DECLARATIVE_REPOSITORY }}
id: app-token
uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
uses: actions/create-github-app-token@v2
with:
app-id: ${{ vars.DECLARATIVE_DEPLOYMENT_GITHUB_APP_ID }}
private-key: ${{ secrets.DECLARATIVE_DEPLOYMENT_GITHUB_APP_PRIVATE_KEY }}
owner: ${{ env.DECLARATIVE_OWNER }}
repositories: ${{ env.DECLARATIVE_REPOSITORY }}

- name: Checkout ${{ env.DECLARATIVE_REPOSITORY }}
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@v6
with:
repository: ${{ env.DECLARATIVE_OWNER }}/${{ env.DECLARATIVE_REPOSITORY }}
token: ${{ steps.app-token.outputs.token }}

- name: Update image tag
run: yq -i '.website.image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
run: yq -i '.website.image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/fra1.yaml

- name: Commit and push
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/fra1.yaml
if git diff --cached --quiet; then
echo "No changes to commit"
else
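Review bot: With the `concurrency` block removed, two staging runs can reach `Commit and push` at the same time against the declarative repository, and the second `git push` will be rejected as non-fast-forward because nothing in this step fetches or rebases before pushing. Either keep a concurrency group on this job or add `git pull --rebase` before `git push` (ideally with a retry). Note also that both the `yq` line and the `git add` line now target `fra1.yaml` instead of `default.yaml`; make sure that path exists under `${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/` in the `assets-applications` repository, since `yq -i` will fail on a missing file.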