78 changes: 35 additions & 43 deletions .github/workflows/production.yml
Expand Up @@ -6,27 +6,28 @@ on:
workflow_dispatch:

env:
ENVIRONMENT: production
PROJECT: website
DECLARATIVE_OWNER: appwrite-labs
DECLARATIVE_REPOSITORY: assets-applications
TAG: ${{ github.event.release.tag_name || github.sha }}
STACK_FILE: docker/production.yml
REPOSITORY: website
REGISTRY_USERNAME: christyjacob4

jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout the repo
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Login to DockerHub
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
push: true
Expand All @@ -49,49 +50,40 @@ jobs:
"SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}"
"SENTRY_RELEASE=${{ github.event.release.tag_name }}"

deploy_kubernetes:
deploy:
if: github.event_name != 'release' || !contains(github.event.release.tag_name, '-rc')
strategy:
matrix:
region: [{ full: fra1, short: fra }]
needs: build
runs-on: ubuntu-latest
concurrency:
group: declarative-deploy-website
cancel-in-progress: false
Comment on lines +57 to +59

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Shared concurrency group with staging may queue production releases

Both production.yml (this file, line 57-59) and staging.yml (line 72-74) use the exact same concurrency group name declarative-deploy-website. Because GitHub Actions concurrency groups are scoped across workflows in the same repo, a staging deploy triggered by every push to main will block a production release (and vice versa) until it finishes. With cancel-in-progress: false the queuing is silent — a production release could be delayed waiting on an unrelated staging run. Since the two environments write to different paths (staging/website/default.yaml vs production/website/default.yaml) in the target repo, there is no actual git-conflict reason to serialise them. Consider suffixing the group name with the environment, e.g. declarative-deploy-website-${{ env.ENVIRONMENT }}.

steps:
- name: Checkout the repo
uses: actions/checkout@v4
- name: Install Kubectl
uses: azure/setup-kubectl@v4
- name: Install Helm
uses: azure/setup-helm@v4
- name: Install doctl
uses: digitalocean/action-doctl@v2
- name: Get token for ${{ env.DECLARATIVE_REPOSITORY }}
id: app-token
uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
with:
token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
- name: Save DigitalOcean kubeconfig with short-lived credentials
run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 assets-${{ matrix.region.full }}-prod

- name: Ensure namespaces exist
run: |
kubectl create namespace website --dry-run=client -o yaml | kubectl apply -f -
app-id: ${{ vars.DECLARATIVE_DEPLOYMENT_GITHUB_APP_ID }}
private-key: ${{ secrets.DECLARATIVE_DEPLOYMENT_GITHUB_APP_PRIVATE_KEY }}
owner: ${{ env.DECLARATIVE_OWNER }}
repositories: ${{ env.DECLARATIVE_REPOSITORY }}

- name: Create docker pull secret
run: |
kubectl -n website create secret docker-registry ghcr \
--docker-server=ghcr.io \
--docker-username=${{ secrets.GHCR_USERNAME }} \
--docker-password=${{ secrets.GHCR_TOKEN }} \
--docker-email=ci@appwrite.io \
--dry-run=client -o yaml | kubectl apply -f -
- name: Checkout ${{ env.DECLARATIVE_REPOSITORY }}
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
repository: ${{ env.DECLARATIVE_OWNER }}/${{ env.DECLARATIVE_REPOSITORY }}
token: ${{ steps.app-token.outputs.token }}

- name: Create app secrets
run: |
kubectl -n website create secret generic website-secrets \
--from-literal=STATSIG_SERVER_SECRET='${{ secrets.STATSIG_SERVER_SECRET }}' \
--dry-run=client -o yaml | kubectl apply -f -
- name: Update image tag
run: yq -i '.website.image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml

- name: Deploy
- name: Commit and push
run: |
helm upgrade --install --namespace website website deploy/website/ \
--values deploy/website/environments/production/${{ matrix.region.full }}.values.yaml \
--set imagePullSecret='ghcr' \
--set version=${{ env.TAG }}
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
if git diff --cached --quiet; then
echo "No changes to commit"
else
git commit -m "chore(${{ env.ENVIRONMENT }}): ${{ env.PROJECT }} image tag to ${{ env.TAG }}"
git push
fi
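Review bot: The new "Commit and push" step interpolates `${{ env.TAG }}` — which the env block defines as `github.event.release.tag_name || github.sha` — directly into the shell text of `git commit -m "chore(${{ env.ENVIRONMENT }}): ${{ env.PROJECT }} image tag to ${{ env.TAG }}"`, so a tag name containing a double quote or other shell metacharacters breaks or alters the command rather than being passed as data. Because TAG is already a workflow-level env var, the shell can read it itself, e.g. `git commit -m "chore(${{ env.ENVIRONMENT }}): ${{ env.PROJECT }} image tag to $TAG"`, which also matches how the "Update image tag" step already consumes it via `strenv(TAG)`. ENVIRONMENT and PROJECT are fixed literals in the env block, so their interpolation is harmless, though the same `$VAR` form would keep the step uniform. Separately, the first hunk pins the build job's checkout to `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` while the deploy job and staging.yml pin v6.0.3; presumably the older pin is unintentional, and aligning on one version keeps the pins uniform.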
19 changes: 11 additions & 8 deletions .github/workflows/staging.yml
Expand Up @@ -25,24 +25,24 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the repo
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ${{ env.REGISTRY_GITHUB }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ${{ env.REGISTRY_DOCKERHUB }}
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
push: true
Expand All @@ -69,30 +69,33 @@ jobs:
deploy:
needs: build
runs-on: ubuntu-latest
concurrency:
group: declarative-deploy-website
cancel-in-progress: false
steps:
- name: Get token for ${{ env.DECLARATIVE_REPOSITORY }}
id: app-token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
with:
app-id: ${{ vars.DECLARATIVE_DEPLOYMENT_GITHUB_APP_ID }}
private-key: ${{ secrets.DECLARATIVE_DEPLOYMENT_GITHUB_APP_PRIVATE_KEY }}
owner: ${{ env.DECLARATIVE_OWNER }}
repositories: ${{ env.DECLARATIVE_REPOSITORY }}

- name: Checkout ${{ env.DECLARATIVE_REPOSITORY }}
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
repository: ${{ env.DECLARATIVE_OWNER }}/${{ env.DECLARATIVE_REPOSITORY }}
token: ${{ steps.app-token.outputs.token }}

- name: Update image tag
run: yq -i '.website.image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/fra1.yaml
run: yq -i '.website.image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml

- name: Commit and push
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/fra1.yaml
git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
if git diff --cached --quiet; then
echo "No changes to commit"
else