mirror of
https://github.com/opensourcepos/opensourcepos.git
synced 2026-05-28 02:04:54 -04:00
8d6b166673
* feat: Add deployment workflows with approval gates
Add GitHub Actions workflows for controlled deployments:
deploy.yml - Manual Deploy:
- Triggered via Actions UI (workflow_dispatch)
- Select environment (production/staging)
- Select Docker image tag
- Reusable via workflow_call for other workflows
- Creates GitHub deployment records with status tracking
- Sends Docker Hub compatible webhook payload
- Environment input validation for workflow_call
deploy-pr.yml - PR Deploy:
- Auto-triggers when PR is approved (same-repo only)
- Deploys to staging environment
- Image tag format: pr-{number}-{short-sha}
- Posts deployment status as PR comment
- Fork PR protection: only runs for same-repo PRs
Security:
- jq-based JSON payload construction (prevents script injection)
- HMAC-SHA256 signature verification for webhook
- Untrusted inputs via env: blocks (not inline interpolation)
- Environment validation before deployment
- Fork detection guard for PR deployments
Fixes CodeRabbit review comments:
- Invalid jq string filter syntax (missing quotes)
- Unvalidated environment input in workflow_call
- Fork PR deployments blocked by pull_request_review restrictions
* refactor: Limit deployment to staging only
- Remove environment input choice (was production/staging)
- Hardcode environment to 'staging' throughout
- Simplify workflow - no environment validation needed
- Update concurrency group to deploy-staging
* refactor: Extract deployment logic to reusable deploy-core.yml
Restructure workflows to eliminate code duplication:
deploy-core.yml (new):
- Reusable workflow with all deployment logic
- Creates GitHub deployment record
- Sends webhook payload to external service
- Handles status updates
- Accepts image_tag, sha, description, pr_number inputs
- Outputs deployment_id and status
deploy.yml (simplified):
- Manual trigger only
- Calls deploy-core with user-provided image_tag
- 18 lines (was 175)
deploy-pr.yml (simplified):
- PR approval trigger with fork guard
- Prepare job: checkout, generate PR image tag
- Deploy job: calls deploy-core
- Comment job: post status to PR
- 70 lines (was 204)
---------
Co-authored-by: Ollama <ollama@steganos.dev>
23 lines
489 B
YAML
23 lines
489 B
YAML
name: Deploy
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
image_tag:
|
|
description: 'Docker image tag to deploy (e.g., v3.4.0, latest)'
|
|
required: true
|
|
default: 'latest'
|
|
|
|
permissions:
|
|
contents: read
|
|
deployments: write
|
|
|
|
jobs:
|
|
deploy:
|
|
name: Deploy to staging
|
|
uses: ./.github/workflows/deploy-core.yml
|
|
with:
|
|
image_tag: ${{ inputs.image_tag }}
|
|
sha: ${{ github.sha }}
|
|
description: Deploy image ${{ inputs.image_tag }}
|
|
secrets: inherit |