ci: improved deployment

Author: filo87

.github/workflows/deploy-prod.yaml

@@ -3,6 +3,9 @@ name: Deploy Production Environments
 # Amends the open release-please PR: copy `sha-*` image tags from staging (`*-s`) into
 # production yamls on whatever is currently on that branch, then disable staging indexers
 # when prod matches (always true after a verbatim promote).
+#
+# GitHub deployment environments are recorded in record-deployment-environments.yaml
+# when this lands on main — not when committing to the release-please branch.
 
 on:
   push:
@@ -19,12 +22,6 @@ permissions:
 jobs:
   promote-api-v3-main:
     runs-on: ubuntu-latest
-    environment:
-      name: api-v3-main
-      url: https://api-v3-main.cfg.embrio.tech
-    permissions:
-      contents: write
-      deployments: write
     steps:
       - name: Create GitHub App token
         id: app-token
@@ -73,12 +70,6 @@ jobs:
   promote-api-v3-test:
     needs: promote-api-v3-main
     runs-on: ubuntu-latest
-    environment:
-      name: api-v3-test
-      url: https://api-v3-test.cfg.embrio.tech
-    permissions:
-      contents: write
-      deployments: write
     steps:
       - name: Create GitHub App token
         id: app-token

.github/workflows/deploy-staging.yaml

@@ -13,9 +13,10 @@ concurrency:
 
 permissions:
   contents: read
+  actions: read
 
 jobs:
-  patch-staging-yaml:
+  verify-docker-build-ran:
     if: >-
       ${{
         github.event.workflow_run.conclusion == 'success'
@@ -24,25 +25,45 @@ jobs:
           || github.event.workflow_run.event == 'release'
         )
       }}
+    runs-on: ubuntu-latest
+    outputs:
+      image_built: ${{ steps.check.outputs.image_built }}
+    steps:
+      - name: Check build-and-push job succeeded
+        id: check
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          RUN_ID="${{ github.event.workflow_run.id }}"
+          REPO="${{ github.repository }}"
+          # Only update staging tags when a new image was built — skip retag-only / changes-only runs.
+          if gh api "repos/${REPO}/actions/runs/${RUN_ID}/jobs?per_page=100" \
+            --jq '.jobs[] | select(.name == "build-and-push" and .conclusion == "success") | .name' \
+            | head -1 | grep -q .; then
+            echo "image_built=true" >> "$GITHUB_OUTPUT"
+            echo "Docker build-and-push succeeded; will refresh staging image tags."
+          else
+            echo "image_built=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::Skipping staging tag update: no successful build-and-push job in this workflow run (no new image built)."
+          fi
+
+  patch-staging-yaml:
+    needs: verify-docker-build-ran
+    if: needs.verify-docker-build-ran.outputs.image_built == 'true'
     strategy:
       fail-fast: true
       matrix:
         include:
           - name: api-v3-main-s
             staging: environments/main-s.yaml
             prod: environments/main.yaml
-            url: https://api-v3-main-s.cfg.embrio.tech
           - name: api-v3-test-s
             staging: environments/test-s.yaml
             prod: environments/test.yaml
-            url: https://api-v3-test-s.cfg.embrio.tech
     runs-on: ubuntu-latest
-    environment:
-      name: ${{ matrix.name }}
-      url: ${{ matrix.url }}
     permissions:
       contents: read
-      deployments: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
@@ -79,8 +100,10 @@ jobs:
           path: ${{ matrix.staging }}
 
   open-staging-pr:
-    needs: patch-staging-yaml
-    if: success()
+    needs: [verify-docker-build-ran, patch-staging-yaml]
+    if: >-
+      needs.verify-docker-build-ran.outputs.image_built == 'true'
+      && needs.patch-staging-yaml.result == 'success'
     runs-on: ubuntu-latest
     permissions:
       contents: write

.github/workflows/record-deployment-environments.yaml

@@ -0,0 +1,84 @@
+# Records GitHub Deployments only after values are on main (post-merge).
+# For each changed `environments/<name>.yaml`, registers environment `api-v3-<name>` with URL
+# `https://api-v3-<name>.cfg.embrio.tech` (no per-env job definitions to maintain).
+
+name: Record deployment environments
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: record-deployment-envs-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  detect:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.build.outputs.matrix }}
+      has_changes: ${{ steps.build.outputs.has_changes }}
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          fetch-depth: 0
+
+      - name: Build matrix from changed environment files
+        id: build
+        env:
+          BEFORE: ${{ github.event.before }}
+          SHA: ${{ github.sha }}
+        run: |
+          set -euo pipefail
+          if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]; then
+            mapfile -t changed < <(git diff-tree --no-commit-id --name-only -r "$SHA" | grep -E '^environments/[^/]+\.yaml$' || true)
+          else
+            mapfile -t changed < <(git diff --name-only "$BEFORE" "$SHA" | grep -E '^environments/[^/]+\.yaml$' || true)
+          fi
+          if [ "${#changed[@]}" -eq 0 ]; then
+            echo 'matrix=[]' >> "$GITHUB_OUTPUT"
+            echo 'has_changes=false' >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          json=$(jq -c -n --args '
+            [
+              $ARGS.positional[] |
+              select(test("^environments/[^/]+\\.yaml$")) |
+              . as $path |
+              ($path | split("/") | .[-1] | sub("\\.yaml$"; "")) as $stem |
+              {
+                file: $path,
+                stem: $stem,
+                env: ("api-v3-" + $stem),
+                url: ("https://api-v3-" + $stem + ".cfg.embrio.tech")
+              }
+            ]
+          ' -- "${changed[@]}")
+          {
+            echo 'matrix<<MATRIX_JSON_EOF'
+            echo "$json"
+            echo 'MATRIX_JSON_EOF'
+          } >> "$GITHUB_OUTPUT"
+          echo 'has_changes=true' >> "$GITHUB_OUTPUT"
+
+  record:
+    needs: detect
+    if: needs.detect.outputs.has_changes == 'true'
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.detect.outputs.matrix) }}
+    environment:
+      name: ${{ matrix.env }}
+      url: ${{ matrix.url }}
+    permissions:
+      contents: read
+      deployments: write
+    steps:
+      - name: Record deployment
+        run: echo "${{ matrix.file }} updated on main @ ${{ github.sha }}"