ci: add environments in github

filo87 · filo87 · commit d12d84789ed3 · 2026-03-19T11:54:11.000+01:00
diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml
@@ -17,8 +17,14 @@ permissions:
   contents: write
 
 jobs:
-  promote-prod-from-staging:
+  promote-api-v3-main:
     runs-on: ubuntu-latest
+    environment:
+      name: api-v3-main
+      url: https://api-v3-main.cfg.embrio.tech
+    permissions:
+      contents: write
+      deployments: write
     steps:
       - name: Create GitHub App token
         id: app-token
@@ -33,40 +39,90 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
           ref: ${{ github.ref }}
 
-      - name: Promote staging image tags to production yamls
+      - name: Promote mainnet (main-s → main)
         run: |
           set -euo pipefail
-          promote_pair() {
-            local staging="$1"
-            local prod="$2"
-            local idx qry
-            idx="$(yq '.indexer.image.tag' "$staging")"
-            qry="$(yq '.query.image.tag' "$staging")"
-            export IDX_TAG="$idx" QRY_TAG="$qry"
-            yq -i '.indexer.image.tag = strenv(IDX_TAG)' "$prod"
-            yq -i '.query.image.tag = strenv(QRY_TAG)' "$prod"
-            # Prod now runs this build; avoid duplicate indexers on staging for the same tag.
-            local prod_idx
-            prod_idx="$(yq '.indexer.image.tag' "$prod")"
-            if [ "$idx" = "$prod_idx" ]; then
-              yq -i '.indexer.enabled = false' "$staging"
-            fi
-          }
-          promote_pair environments/main-s.yaml environments/main.yaml
-          promote_pair environments/test-s.yaml environments/test.yaml
+          staging="environments/main-s.yaml"
+          prod="environments/main.yaml"
+          idx="$(yq '.indexer.image.tag' "$staging")"
+          qry="$(yq '.query.image.tag' "$staging")"
+          export IDX_TAG="$idx" QRY_TAG="$qry"
+          yq -i '.indexer.image.tag = strenv(IDX_TAG)' "$prod"
+          yq -i '.query.image.tag = strenv(QRY_TAG)' "$prod"
+          prod_idx="$(yq '.indexer.image.tag' "$prod")"
+          if [ "$idx" = "$prod_idx" ]; then
+            yq -i '.indexer.enabled = false' "$staging"
+          fi
+
+      - name: Commit and push (mainnet)
+        env:
+          GIT_AUTHOR_NAME: api-gitops[bot]
+          GIT_AUTHOR_EMAIL: ${{ secrets.DEPLOYMENT_APP_ID }}+api-gitops[bot]@users.noreply.github.com
+          GIT_COMMITTER_NAME: api-gitops[bot]
+          GIT_COMMITTER_EMAIL: ${{ secrets.DEPLOYMENT_APP_ID }}+api-gitops[bot]@users.noreply.github.com
+        run: |
+          set -euo pipefail
+          git add environments/main.yaml environments/main-s.yaml
+          if git diff --staged --quiet; then
+            echo "No mainnet env changes to commit."
+            exit 0
+          fi
+          git commit -m "chore(cd): promote api-v3-main from staging yamls"
+          git push origin "HEAD:${{ github.ref_name }}"
+
+  promote-api-v3-test:
+    needs: promote-api-v3-main
+    runs-on: ubuntu-latest
+    environment:
+      name: api-v3-test
+      url: https://api-v3-test.cfg.embrio.tech
+    permissions:
+      contents: write
+      deployments: write
+    steps:
+      - name: Create GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
+        with:
+          app-id: ${{ secrets.DEPLOYMENT_APP_ID }}
+          private-key: ${{ secrets.DEPLOYMENT_APP_PRIVATE_KEY }}
+
+      - name: Checkout release-please branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          ref: ${{ github.ref }}
+
+      - name: Pull latest (includes mainnet promotion commit)
+        run: git pull origin "${{ github.ref_name }}"
+
+      - name: Promote testnet (test-s → test)
+        run: |
+          set -euo pipefail
+          staging="environments/test-s.yaml"
+          prod="environments/test.yaml"
+          idx="$(yq '.indexer.image.tag' "$staging")"
+          qry="$(yq '.query.image.tag' "$staging")"
+          export IDX_TAG="$idx" QRY_TAG="$qry"
+          yq -i '.indexer.image.tag = strenv(IDX_TAG)' "$prod"
+          yq -i '.query.image.tag = strenv(QRY_TAG)' "$prod"
+          prod_idx="$(yq '.indexer.image.tag' "$prod")"
+          if [ "$idx" = "$prod_idx" ]; then
+            yq -i '.indexer.enabled = false' "$staging"
+          fi
 
-      - name: Commit and push to release-please branch
+      - name: Commit and push (testnet)
         env:
           GIT_AUTHOR_NAME: api-gitops[bot]
           GIT_AUTHOR_EMAIL: ${{ secrets.DEPLOYMENT_APP_ID }}+api-gitops[bot]@users.noreply.github.com
           GIT_COMMITTER_NAME: api-gitops[bot]
           GIT_COMMITTER_EMAIL: ${{ secrets.DEPLOYMENT_APP_ID }}+api-gitops[bot]@users.noreply.github.com
         run: |
           set -euo pipefail
-          git add environments/main.yaml environments/test.yaml environments/main-s.yaml environments/test-s.yaml
+          git add environments/test.yaml environments/test-s.yaml
           if git diff --staged --quiet; then
-            echo "No environment changes to commit (already promoted)."
+            echo "No testnet env changes to commit."
             exit 0
           fi
-          git commit -m "chore(cd): promote prod image tags from staging yamls"
+          git commit -m "chore(cd): promote api-v3-test from staging yamls"
           git push origin "HEAD:${{ github.ref_name }}"
diff --git a/.github/workflows/deploy-staging.yaml b/.github/workflows/deploy-staging.yaml
@@ -12,11 +12,10 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
-  deploy-staging:
+  patch-staging-yaml:
     if: >-
       ${{
         github.event.workflow_run.conclusion == 'success'
@@ -25,7 +24,67 @@ jobs:
           || github.event.workflow_run.event == 'release'
         )
       }}
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - name: api-v3-main-s
+            staging: environments/main-s.yaml
+            prod: environments/main.yaml
+            url: https://api-v3-main-s.cfg.embrio.tech
+          - name: api-v3-test-s
+            staging: environments/test-s.yaml
+            prod: environments/test.yaml
+            url: https://api-v3-test-s.cfg.embrio.tech
     runs-on: ubuntu-latest
+    environment:
+      name: ${{ matrix.name }}
+      url: ${{ matrix.url }}
+    permissions:
+      contents: read
+      deployments: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          ref: main
+
+      - name: Set image tag (short SHA)
+        id: vars
+        env:
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+        run: echo "image_tag=sha-${HEAD_SHA::7}" >> "$GITHUB_OUTPUT"
+
+      - name: Update staging env and indexer guard
+        env:
+          IMAGE_TAG: ${{ steps.vars.outputs.image_tag }}
+          STAGING: ${{ matrix.staging }}
+          PROD: ${{ matrix.prod }}
+        run: |
+          set -euo pipefail
+          yq -i ".indexer.image.tag = strenv(IMAGE_TAG)" "$STAGING"
+          yq -i ".query.image.tag = strenv(IMAGE_TAG)" "$STAGING"
+          prod_tag="$(yq '.indexer.image.tag' "$PROD")"
+          if [ "$IMAGE_TAG" = "$prod_tag" ]; then
+            echo "Tag clash with prod ($PROD): disabling indexer on $STAGING"
+            yq -i '.indexer.enabled = false' "$STAGING"
+          else
+            yq -i '.indexer.enabled = true' "$STAGING"
+          fi
+
+      - name: Upload patched values file
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.name }}
+          path: ${{ matrix.staging }}
+
+  open-staging-pr:
+    needs: patch-staging-yaml
+    if: success()
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Create GitHub App token
         id: app-token
@@ -40,34 +99,23 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
           ref: main
 
-      - name: Set image tag (short SHA)
+      - name: Download api-v3-main-s values
+        uses: actions/download-artifact@v4
+        with:
+          name: api-v3-main-s
+          path: .
+      - name: Download api-v3-test-s values
+        uses: actions/download-artifact@v4
+        with:
+          name: api-v3-test-s
+          path: .
+
+      - name: Set image tag (for PR message)
         id: vars
         env:
           HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
         run: echo "image_tag=sha-${HEAD_SHA::7}" >> "$GITHUB_OUTPUT"
 
-      - name: Update staging envs and indexer guard
-        env:
-          IMAGE_TAG: ${{ steps.vars.outputs.image_tag }}
-        run: |
-          set -euo pipefail
-          sync_staging() {
-            local staging="$1"
-            local prod="$2"
-            yq -i ".indexer.image.tag = strenv(IMAGE_TAG)" "$staging"
-            yq -i ".query.image.tag = strenv(IMAGE_TAG)" "$staging"
-            local prod_tag
-            prod_tag="$(yq '.indexer.image.tag' "$prod")"
-            if [ "$IMAGE_TAG" = "$prod_tag" ]; then
-              echo "Tag clash with prod ($prod): disabling indexer on $staging"
-              yq -i '.indexer.enabled = false' "$staging"
-            else
-              yq -i '.indexer.enabled = true' "$staging"
-            fi
-          }
-          sync_staging environments/main-s.yaml environments/main.yaml
-          sync_staging environments/test-s.yaml environments/test.yaml
-
       - name: Open staging deployment PR
         id: cpr
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
