Merge pull request #110 from BehindTheMusicTree/feature/upgrade-github-workflows

ci: upgrade to github-workflows v2.0.0 (set-image-tags, sync-env pin)

Author: Andreas-Garcia

.github/actionlint.yaml

@@ -10,12 +10,12 @@ config-variables:
   - STATIC_FILES
   - STATIC_FILES_URL
   - SERVER_HOST
-  - REDEPLOYMENT_ROOT
   - BTMT_REDEPLOYMENT_HOOK_ID_BASE
   - DEMO_EMAIL
   - SUPERADMIN_EMAIL
   - AFP_APP_NAME
   - AFP_IMAGE_REPO
+  - IMAGE_TAGS_POOL_DIR
   - SPOTIFY_CLIENT_ID_STAGING
   - SPOTIFY_CLIENT_ID_PROD
   - SPOTIFY_SCOPES

.github/workflows/publish.yml

@@ -93,26 +93,20 @@ jobs:
     environment: ${{ needs.determine-version.outputs.deployment_environment }}
     env:
       AFP_VERSION: ${{ vars.AFP_VERSION }}
-      REDEPLOYMENT_ROOT: ${{ vars.REDEPLOYMENT_ROOT }}
+      IMAGE_TAGS_POOL_DIR: ${{ vars.IMAGE_TAGS_POOL_DIR }}
       BTMT_REDEPLOYMENT_HOOK_ID_BASE: ${{ vars.BTMT_REDEPLOYMENT_HOOK_ID_BASE }}
-      HTMT_API_APP_NAME: ${{ vars.HTMT_API_APP_NAME }}
-      DB_APP_NAME_SUFFIX: ${{ vars.DB_APP_NAME_SUFFIX }}
-      AFP_APP_NAME: ${{ vars.AFP_APP_NAME }}
     outputs:
       afp_version: ${{ steps.pinned.outputs.afp_version }}
       redeployment_hook_id_base: ${{ steps.pinned.outputs.redeployment_hook_id_base }}
     steps:
-      - name: Require deploy and app-name vars (set-image-tag-on-server)
+      - name: Require deploy vars (set-image-tags-on-server)
         run: |
           missing=""
-          [ -z "${REDEPLOYMENT_ROOT}" ] && missing="${missing} REDEPLOYMENT_ROOT"
+          [ -z "${IMAGE_TAGS_POOL_DIR}" ] && missing="${missing} IMAGE_TAGS_POOL_DIR"
           [ -z "${BTMT_REDEPLOYMENT_HOOK_ID_BASE}" ] && missing="${missing} BTMT_REDEPLOYMENT_HOOK_ID_BASE"
-          [ -z "${HTMT_API_APP_NAME}" ] && missing="${missing} HTMT_API_APP_NAME"
-          [ -z "${DB_APP_NAME_SUFFIX}" ] && missing="${missing} DB_APP_NAME_SUFFIX"
-          [ -z "${AFP_APP_NAME}" ] && missing="${missing} AFP_APP_NAME"
           if [ -n "$missing" ]; then
             echo "ERROR: Set Variables on this job's GitHub Environment (STAGING or PROD) or at repository/org level:$missing"
-            echo "Example: REDEPLOYMENT_ROOT=/var/webhook/redeployment, BTMT_REDEPLOYMENT_HOOK_ID_BASE=..., HTMT_API_APP_NAME=htmt-api, DB_APP_NAME_SUFFIX=-db, AFP_APP_NAME=afp (must match infrastructure)"
+            echo "Example: IMAGE_TAGS_POOL_DIR=/srv/btmt/image-tags, BTMT_REDEPLOYMENT_HOOK_ID_BASE=... (must match infrastructure)"
             exit 1
           fi
       - name: Require pinned AFP image tag
@@ -129,40 +123,25 @@ jobs:
           echo "afp_version=$AFP_VERSION" >> "$GITHUB_OUTPUT"
           echo "redeployment_hook_id_base=${BTMT_REDEPLOYMENT_HOOK_ID_BASE}" >> "$GITHUB_OUTPUT"
 
-  set-version-api:
-    name: Set API version on server
+  set-image-tags:
+    name: Set image tags on server
     needs: [build-and-push, determine-version, check-pinned-tags]
-    uses: BehindTheMusicTree/github-workflows/.github/workflows/set-image-tag-on-server.yml@main
+    uses: BehindTheMusicTree/github-workflows/.github/workflows/set-image-tags-on-server.yml@v2.0.0
     with:
       env: ${{ needs.determine-version.outputs.env }}
-      tag: ${{ needs.determine-version.outputs.image_tag }}
-      app_name: ${{ vars.HTMT_API_APP_NAME }}
-    secrets: inherit
-
-  set-version-db:
-    name: Set DB version on server
-    needs: [determine-version, check-pinned-tags]
-    uses: BehindTheMusicTree/github-workflows/.github/workflows/set-image-tag-on-server.yml@main
-    with:
-      env: ${{ needs.determine-version.outputs.env }}
-      tag: '16.4'
-      app_name: ${{ format('{0}{1}', vars.HTMT_API_APP_NAME, vars.DB_APP_NAME_SUFFIX) }}
-    secrets: inherit
-
-  set-version-afp:
-    name: Set AFP version on server
-    needs: [determine-version, check-pinned-tags]
-    uses: BehindTheMusicTree/github-workflows/.github/workflows/set-image-tag-on-server.yml@main
-    with:
-      env: ${{ needs.determine-version.outputs.env }}
-      tag: ${{ needs.check-pinned-tags.outputs.afp_version }}
-      app_name: ${{ vars.AFP_APP_NAME }}
+      stack: btmt
+      tags: |
+        HTMT_API_TAG=${{ needs.determine-version.outputs.image_tag }}
+        DB_TAG=16.4
+        AFP_TAG=${{ needs.check-pinned-tags.outputs.afp_version }}
+      release_id: ${{ needs.determine-version.outputs.image_tag }}
+      release_sha: ${{ github.sha }}
     secrets: inherit
 
   redeploy-webhook-call:
     name: Redeploy webhook
-    needs: [build-and-push, set-version-api, set-version-db, set-version-afp, check-pinned-tags, determine-version]
-    uses: BehindTheMusicTree/github-workflows/.github/workflows/call-redeployment-webhook.yml@v1.0.4
+    needs: [build-and-push, set-image-tags, check-pinned-tags, determine-version]
+    uses: BehindTheMusicTree/github-workflows/.github/workflows/call-redeployment-webhook.yml@v2.0.0
     with:
       env: ${{ needs.determine-version.outputs.env }}
       hook_id_base: ${{ needs.check-pinned-tags.outputs.redeployment_hook_id_base }}

.github/workflows/sync-env-to-server.yml

@@ -25,7 +25,6 @@ jobs:
       - name: Validate vars and build API env fragment
         env:
           SERVER_HOST: ${{ vars.SERVER_HOST }}
-          REDEPLOYMENT_ROOT: ${{ vars.REDEPLOYMENT_ROOT }}
           HTMT_API_APP_NAME: ${{ vars.HTMT_API_APP_NAME }}
           DB_APP_NAME_SUFFIX: ${{ vars.DB_APP_NAME_SUFFIX }}
           DEMO_EMAIL: ${{ vars.DEMO_EMAIL }}
@@ -70,7 +69,7 @@ jobs:
             'LIBRARIES_DIR=/app/media/libraries/' \
             'TMP_UPLOADED_FILES=/tmp/uploads' >> fragment.env
           required=(
-            SERVER_HOST REDEPLOYMENT_ROOT HTMT_API_APP_NAME DB_APP_NAME_SUFFIX
+            SERVER_HOST HTMT_API_APP_NAME DB_APP_NAME_SUFFIX
             DEMO_EMAIL SUPERADMIN_EMAIL SPOTIFY_CLIENT_ID SPOTIFY_SCOPES GOOGLE_CLIENT_ID
             SERVER_DEPLOY_USERNAME SERVER_DEPLOY_SSH_PRIVATE_KEY
             DB_APP_DB_NAME DB_APP_USERNAME DB_APP_USER_PASSWORD DB_SUPERUSER_PASSWORD
@@ -117,7 +116,6 @@ jobs:
       - name: Validate vars and build DB env fragment
         env:
           SERVER_HOST: ${{ vars.SERVER_HOST }}
-          REDEPLOYMENT_ROOT: ${{ vars.REDEPLOYMENT_ROOT }}
           HTMT_API_APP_NAME: ${{ vars.HTMT_API_APP_NAME }}
           DB_APP_NAME_SUFFIX: ${{ vars.DB_APP_NAME_SUFFIX }}
           DB_APP_DB_NAME: ${{ secrets.DB_APP_DB_NAME }}
@@ -139,7 +137,7 @@ jobs:
           printf 'POSTGRES_PASSWORD=%s\n' "${val}" >> fragment.env
           printf '%s\n' "POSTGRES_PORT=5432" >> fragment.env
           required=(
-            SERVER_HOST REDEPLOYMENT_ROOT HTMT_API_APP_NAME DB_APP_NAME_SUFFIX
+            SERVER_HOST HTMT_API_APP_NAME DB_APP_NAME_SUFFIX
             SERVER_DEPLOY_USERNAME SERVER_DEPLOY_SSH_PRIVATE_KEY
             DB_APP_DB_NAME DB_SUPERUSER_PASSWORD
           )
@@ -162,7 +160,7 @@ jobs:
   sync-api-staging:
     name: Sync API env (staging)
     needs: [build-api-fragment]
-    uses: BehindTheMusicTree/github-workflows/.github/workflows/sync-env-to-server.yml@main
+    uses: BehindTheMusicTree/github-workflows/.github/workflows/sync-env-to-server.yml@v2.0.0
     with:
       sync_env: staging
       fragment_artifact: sync-env-fragment-api-staging/fragment.env
@@ -172,7 +170,7 @@ jobs:
   sync-api-prod:
     name: Sync API env (prod)
     needs: [build-api-fragment]
-    uses: BehindTheMusicTree/github-workflows/.github/workflows/sync-env-to-server.yml@main
+    uses: BehindTheMusicTree/github-workflows/.github/workflows/sync-env-to-server.yml@v2.0.0
     with:
       sync_env: prod
       fragment_artifact: sync-env-fragment-api-prod/fragment.env
@@ -182,7 +180,7 @@ jobs:
   sync-db-staging:
     name: Sync Postgres env (staging)
     needs: [build-db-fragment]
-    uses: BehindTheMusicTree/github-workflows/.github/workflows/sync-env-to-server.yml@main
+    uses: BehindTheMusicTree/github-workflows/.github/workflows/sync-env-to-server.yml@v2.0.0
     with:
       sync_env: staging
       fragment_artifact: sync-env-fragment-db-staging/fragment.env
@@ -192,7 +190,7 @@ jobs:
   sync-db-prod:
     name: Sync Postgres env (prod)
     needs: [build-db-fragment]
-    uses: BehindTheMusicTree/github-workflows/.github/workflows/sync-env-to-server.yml@main
+    uses: BehindTheMusicTree/github-workflows/.github/workflows/sync-env-to-server.yml@v2.0.0
     with:
       sync_env: prod
       fragment_artifact: sync-env-fragment-db-prod/fragment.env

CHANGELOG.md

@@ -64,6 +64,12 @@ All contributors (including maintainers) should update `CHANGELOG.md` when creat
 
 ## [Unreleased]
 
+### CI
+
+- **github-workflows v2.0.0** ([`.github/workflows/publish.yml`](.github/workflows/publish.yml), [`.github/workflows/sync-env-to-server.yml`](.github/workflows/sync-env-to-server.yml)): Upgraded to **`BehindTheMusicTree/github-workflows@v2.0.0`**. **`publish.yml`**: replaced three separate **`set-image-tag-on-server`** calls (API, DB, AFP) with a single **`set-image-tags-on-server.yml@v2.0.0`** call using **`stack: btmt`** and a multiline **`tags`** block (**`HTMT_API_TAG`**, **`DB_TAG=16.4`**, **`AFP_TAG`**); **`check-pinned-tags`** now requires **`IMAGE_TAGS_POOL_DIR`** instead of **`REDEPLOYMENT_ROOT`**; **`redeploy-webhook-call`** pinned to **`@v2.0.0`**. **`sync-env-to-server.yml`**: removed **`REDEPLOYMENT_ROOT`** from fragment-building env and required-vars checks (no longer a workflow input); all four shared workflow calls pinned to **`@v2.0.0`**.
+
+- **Release script** ([`scripts/prepare_release_bump.py`](scripts/prepare_release_bump.py)): Now calls [`scripts/remove_prerelease_tags.sh`](scripts/remove_prerelease_tags.sh) after the version bump to automatically delete all local and remote dev/prerelease tags for the released version.
+
 ## [v2.2.6] - 2026-05-04
 
 ### CI

docs/workflows.md

@@ -72,13 +72,11 @@ Single publish workflow: collect static files, build Docker image, set image tag
 1. **determine-version** – from ref: tag with `-` → TEST; tag without `-` → PROD; `main` (e.g. manual dispatch) → staging + TEST
 2. **static** – calls `static-files.yml`, commits and pushes collected static files
 3. **build-and-push** – calls `build-and-push.yml` with commit hash and **environment** (TEST or PROD)
-4. **check-pinned-tags** – requires **`AFP_VERSION`** in Settings → Variables (no `latest`); DB image is **`postgres:16.4`** (fixed in [`docker-compose.yml`](../docker-compose.yml); publish sets server DB tag **`16.4`**)
-5. **set-version-api** / **set-version-db** / **set-version-afp** – shared workflows from `BehindTheMusicTree/github-workflows`
-6. **redeploy-webhook-call** – **`hook_id_base`** from **`check-pinned-tags`** (**`BTMT_REDEPLOYMENT_HOOK_ID_BASE`** validated under **Environment** **`STAGING`** / **`PROD`** there). Caller job is **`uses:`** only—**`environment`** is not allowed on that job shape in the Actions schema, so **`secrets: inherit`** supplies **repo/org** secrets (e.g. **`BTMT_REDEPLOYMENT_WEBHOOK_SECRET_*`**). Environment-only webhook secrets need a repo/org copy or support inside **`call-redeployment-webhook`**. Pinned **`@v1.0.4`**.
+4. **check-pinned-tags** – requires **`AFP_VERSION`** in Settings → Variables (no `latest`) and **`IMAGE_TAGS_POOL_DIR`** / **`BTMT_REDEPLOYMENT_HOOK_ID_BASE`** in the selected GitHub Environment (**STAGING**/**PROD**) or repo/org Variables; DB image is **`postgres:16.4`** (fixed in [`docker-compose.yml`](../docker-compose.yml); publish sets server DB tag **`16.4`**)
+5. **set-image-tags** – calls `BehindTheMusicTree/github-workflows/.github/workflows/set-image-tags-on-server.yml@v2.0.0` once with `stack: btmt` and tags for API, DB, and AFP (`HTMT_API_TAG`, `DB_TAG=16.4`, `AFP_TAG`)
+6. **redeploy-webhook-call** – calls `BehindTheMusicTree/github-workflows/.github/workflows/call-redeployment-webhook.yml@v2.0.0` with **`hook_id_base`** from **`check-pinned-tags`** (**`BTMT_REDEPLOYMENT_HOOK_ID_BASE`**). Caller job is **`uses:`** only—**`environment`** is not allowed on that job shape in the Actions schema, so **`secrets: inherit`** supplies **repo/org** secrets (e.g. **`BTMT_REDEPLOYMENT_WEBHOOK_SECRET_*`**). Environment-only webhook secrets need a repo/org copy or support inside **`call-redeployment-webhook`**.
 
-**Environment:** **TEST** for prerelease/dev tags and for manual runs from `main` (staging). **PROD** for release tags (production). DB and AFP image tags must be pinned in repo variables.
-
-**Variables (org-level pool, same as Sync env):** `REDEPLOYMENT_ROOT` (e.g. `/var/webhook/redeployment`). Set once at the **organization** (Settings → Variables) so the infrastructure repo and all app repos that call set-image-tag-on-server use the same path. If unset, the tag file path is wrong and the step fails.
+**Environment:** **TEST** for prerelease/dev tags and for manual runs from `main` (staging). **PROD** for release tags (production). DB and AFP image tags must be pinned in repo variables, and **`IMAGE_TAGS_POOL_DIR`** must be set for **STAGING** and **PROD** (for `set-image-tags-on-server`).
 
 **Versioning:** Manual dispatch from `main` uses `VERSION` file and image tag `staging`. Tag push uses tag version; `workflow_call` without a tag uses latest git tag.
 
@@ -108,7 +106,7 @@ Manually sync app env vars and secrets for **both STAGING and PROD** in one run.
 
 **Secrets (this repo, per environment):** `DB_APP_DB_NAME`, `DB_APP_USERNAME`, `DB_APP_USER_PASSWORD`, `DB_SUPERUSER_PASSWORD`, `DEMO_PASSWORD`, `DEMO_USERNAME`, `DJANGO_SECRET_KEY`, `GOOGLE_CLIENT_SECRET`, `SPOTIFY_CLIENT_SECRET`, `SUPERADMIN_PASSWORD`, `SUPERADMIN_USERNAME`, `TMTA_USERNAME`, plus deploy secrets `SERVER_DEPLOY_USERNAME`, `SERVER_DEPLOY_SSH_PRIVATE_KEY`.
 
-**Variables (this repo or org, per GitHub Environment):** `SERVER_HOST`, `REDEPLOYMENT_ROOT`, `SYNC_ENV_REMOTE_FILENAME_PREFIX_BASE`, `HTMT_API_APP_NAME`, **`DB_APP_NAME_SUFFIX`** (required, non-empty; must match **BehindTheMusicTree/infrastructure**, e.g. `_db`), `DEMO_EMAIL`, `SUPERADMIN_EMAIL`, `SPOTIFY_CLIENT_ID_STAGING`, `SPOTIFY_CLIENT_ID_PROD`, `GOOGLE_CLIENT_ID_STAGING`, `GOOGLE_CLIENT_ID_PROD`, **`SPOTIFY_SCOPES`** (see `env/dev/.env.dev.example`). The compose-required API booleans above are **not** Variables—they are written as **`true`** in the workflow. Locally and in CI you still set **`FILE_UPLOAD_ENABLED`** in `.env` as needed (see `api/settings.py` / `TMP_UPLOADED_FILES`).
+**Variables (this repo or org, per GitHub Environment):** `SERVER_HOST`, `SYNC_ENV_REMOTE_FILENAME_PREFIX_BASE`, `HTMT_API_APP_NAME`, **`DB_APP_NAME_SUFFIX`** (required, non-empty; must match **BehindTheMusicTree/infrastructure**, e.g. `_db`), `DEMO_EMAIL`, `SUPERADMIN_EMAIL`, `SPOTIFY_CLIENT_ID_STAGING`, `SPOTIFY_CLIENT_ID_PROD`, `GOOGLE_CLIENT_ID_STAGING`, `GOOGLE_CLIENT_ID_PROD`, **`SPOTIFY_SCOPES`** (see `env/dev/.env.dev.example`). The compose-required API booleans above are **not** Variables—they are written as **`true`** in the workflow. Locally and in CI you still set **`FILE_UPLOAD_ENABLED`** in `.env` as needed (see `api/settings.py` / `TMP_UPLOADED_FILES`).
 
 ## Static Files
 

scripts/prepare_release_bump.py

@@ -136,6 +136,13 @@ def _run_fix_changelog() -> None:
         sys.exit(proc.returncode)
 
 
+def _run_remove_prerelease_tags() -> None:
+    script = REPO_ROOT / "scripts" / "remove_prerelease_tags.sh"
+    proc = subprocess.run(["bash", str(script)], cwd=REPO_ROOT, check=False)
+    if proc.returncode != 0:
+        sys.exit(proc.returncode)
+
+
 def _warn_branch() -> None:
     proc = subprocess.run(
         ["git", "branch", "--show-current"],
@@ -183,6 +190,8 @@ def main() -> None:
     if changed:
         CHANGELOG_PATH.write_text(updated)
 
+    _run_remove_prerelease_tags()
+
     print(
         "prepare_release_bump: done. Review git diff and CHANGELOG.md, then commit "
         "(e.g. chore: prepare release vX.Y.Z)."