mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-05-28 10:15:09 -04:00
8d6b166673
* feat: Add deployment workflows with approval gates
Add GitHub Actions workflows for controlled deployments:
deploy.yml - Manual Deploy:
- Triggered via Actions UI (workflow_dispatch)
- Select environment (production/staging)
- Select Docker image tag
- Reusable via workflow_call for other workflows
- Creates GitHub deployment records with status tracking
- Sends Docker Hub compatible webhook payload
- Environment input validation for workflow_call
deploy-pr.yml - PR Deploy:
- Auto-triggers when PR is approved (same-repo only)
- Deploys to staging environment
- Image tag format: pr-{number}-{short-sha}
- Posts deployment status as PR comment
- Fork PR protection: only runs for same-repo PRs
Security:
- jq-based JSON payload construction (prevents script injection)
- HMAC-SHA256 signature verification for webhook
- Untrusted inputs via env: blocks (not inline interpolation)
- Environment validation before deployment
- Fork detection guard for PR deployments
Fixes CodeRabbit review comments:
- Invalid jq string filter syntax (missing quotes)
- Unvalidated environment input in workflow_call
- Fork PR deployments blocked by pull_request_review restrictions
* refactor: Limit deployment to staging only
- Remove environment input choice (was production/staging)
- Hardcode environment to 'staging' throughout
- Simplify workflow - no environment validation needed
- Update concurrency group to deploy-staging
* refactor: Extract deployment logic to reusable deploy-core.yml
Restructure workflows to eliminate code duplication:
deploy-core.yml (new):
- Reusable workflow with all deployment logic
- Creates GitHub deployment record
- Sends webhook payload to external service
- Handles status updates
- Accepts image_tag, sha, description, pr_number inputs
- Outputs deployment_id and status
deploy.yml (simplified):
- Manual trigger only
- Calls deploy-core with user-provided image_tag
- 18 lines (was 175)
deploy-pr.yml (simplified):
- PR approval trigger with fork guard
- Prepare job: checkout, generate PR image tag
- Deploy job: calls deploy-core
- Comment job: post status to PR
- 70 lines (was 204)
---------
Co-authored-by: Ollama <ollama@steganos.dev>
79 lines
2.5 KiB
YAML
79 lines
2.5 KiB
YAML
name: PR Deploy
|
|
|
|
on:
|
|
pull_request_review:
|
|
types: [submitted]
|
|
|
|
concurrency:
|
|
group: staging-deploy
|
|
cancel-in-progress: false
|
|
|
|
permissions:
|
|
contents: read
|
|
deployments: write
|
|
pull-requests: write
|
|
|
|
jobs:
|
|
prepare:
|
|
name: Prepare deployment
|
|
runs-on: ubuntu-latest
|
|
if: >
|
|
github.event.review.state == 'approved' &&
|
|
github.event.pull_request.head.repo.full_name == github.repository
|
|
outputs:
|
|
image_tag: ${{ steps.image.outputs.tag }}
|
|
sha: ${{ github.event.pull_request.head.sha }}
|
|
pr_number: ${{ github.event.pull_request.number }}
|
|
|
|
steps:
|
|
- name: Checkout PR
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
|
|
- name: Get image tag
|
|
id: image
|
|
env:
|
|
PR_NUMBER: ${{ github.event.pull_request.number }}
|
|
PR_SHA: ${{ github.event.pull_request.head.sha }}
|
|
run: |
|
|
IMAGE_TAG="pr-${PR_NUMBER}-${PR_SHA:0:7}"
|
|
echo "tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
|
|
|
|
deploy:
|
|
name: Deploy to staging
|
|
needs: prepare
|
|
uses: ./.github/workflows/deploy-core.yml
|
|
with:
|
|
image_tag: ${{ needs.prepare.outputs.image_tag }}
|
|
sha: ${{ needs.prepare.outputs.sha }}
|
|
description: Deploy PR #${{ needs.prepare.outputs.pr_number }} to staging
|
|
pr_number: ${{ needs.prepare.outputs.pr_number }}
|
|
secrets: inherit
|
|
|
|
comment:
|
|
name: Comment deployment status
|
|
needs: [prepare, deploy]
|
|
if: always()
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
IMAGE_TAG: ${{ needs.prepare.outputs.image_tag }}
|
|
PR_NUMBER: ${{ needs.prepare.outputs.pr_number }}
|
|
REF_SHA: ${{ needs.prepare.outputs.sha }}
|
|
STATUS: ${{ needs.deploy.outputs.status }}
|
|
|
|
steps:
|
|
- name: Comment on PR
|
|
run: |
|
|
if [ "$STATUS" = "success" ]; then
|
|
BODY=$(jq -nr --arg tag "$IMAGE_TAG" --arg sha "$REF_SHA" --arg url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \
|
|
'"✅ **Staging deployment completed**\n\n🔗 **URL**: https://dev.opensourcepos.org\n📦 **Image Tag**: `\($tag)`\n🔨 **Commit**: \($sha)\n\nView logs: \($url)"')
|
|
else
|
|
BODY=$(jq -nr --arg url "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \
|
|
'"❌ **Staging deployment failed**\n\nCheck the [workflow logs](\($url)) for details."')
|
|
fi
|
|
|
|
gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \
|
|
-X POST \
|
|
-f body="$BODY" |