fix(ci): chain tag-staging to deploy-staging via workflow_call #85

Merged: FSM1 merged 2 commits into main from fix/staging-workflow-chain on Feb 10, 2026

FSM1 (Owner) commented Feb 10, 2026

Summary

  • Fixes staging deploy not triggering after tag creation (GITHUB_TOKEN pushes don't trigger other workflows)
  • tag-staging.yml now calls deploy-staging.yml directly via workflow_call with secrets: inherit
  • deploy-staging.yml accepts both push: tags and workflow_call triggers
  • All github.ref_name references replaced with inputs.staging_tag || github.ref_name for dual-trigger compatibility

Environment setup

  • staging-approval: required reviewers, no secrets (one approval gate)
  • staging: secrets/vars, no reviewers (silent access for deploy jobs)

Test plan

  • Trigger "Tag Staging Release" with v0.3.0 — verify single approval prompt
  • After approval: tag created, deploy runs without additional prompts
  • Verify all 4 jobs complete (build-api, build-tee, build-web, deploy-vps)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Improved staging deployment pipeline: explicit staging tag is generated and propagated between tagging and deployment steps.
    • Deployment now runs as a dedicated job that receives the staging tag and inherited secrets.
    • Consistent tag resolution is applied across build and push steps to ensure the same version is used throughout staging deployments.

GITHUB_TOKEN pushes don't trigger other workflows, so tag-staging
now calls deploy-staging directly via workflow_call instead of relying
on the tag push event. Single approval via staging-approval environment.

- deploy-staging.yml: add workflow_call trigger with staging_tag input
- tag-staging.yml: call deploy-staging after creating tag, pass secrets
- All checkout steps use explicit ref for workflow_call compatibility

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 10, 2026 19:02
coderabbitai (Bot) commented Feb 10, 2026

Walkthrough

Chains tag creation to a reusable deploy workflow: tag-staging now outputs staging_tag, and a new deploy job calls the deploy-staging workflow with that tag. deploy-staging accepts staging_tag input and uses it as DEPLOY_TAG for checkouts, image tags, and deployments.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Deploy-staging workflow: .github/workflows/deploy-staging.yml | Adds staging_tag workflow input; resolves DEPLOY_TAG from input or default ref; uses env.DEPLOY_TAG for checkout refs and image tags; updates TAG usage in staging and VPS deployment steps. |
| Tag-staging orchestration: .github/workflows/tag-staging.yml | Exports staging_tag from the tag-staging job; removes inline post-tag echo; adds a top-level deploy job that uses the deploy-staging workflow with staging_tag input and secrets: inherit. |

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant TagJob as tag-staging job
    participant DeployJob as deploy job
    participant DeployWF as deploy-staging workflow
    participant Registry as Container Registry
    participant Infra as Infrastructure

    GH->>TagJob: run tag-staging
    TagJob->>TagJob: create/push staging tag
    TagJob-->>GH: outputs staging_tag
    GH->>DeployJob: start deploy (needs: tag-staging)
    DeployJob->>DeployWF: workflow_call with staging_tag
    DeployWF->>GH: checkout at DEPLOY_TAG (env.DEPLOY_TAG)
    DeployWF->>Registry: build & push images tagged with DEPLOY_TAG
    DeployWF->>Infra: deploy services using DEPLOY_TAG
    DeployWF-->>GH: deployment complete

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • Copilot

Pre-merge checks: ✅ 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: chaining tag-staging to deploy-staging via workflow_call mechanism. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

No actionable comments were generated in the recent review. 🎉


Copilot AI (Contributor) left a comment

Pull request overview

Updates the staging release automation so that creating a staging tag via workflow_dispatch reliably triggers the staging deployment by invoking the deploy workflow as a reusable workflow (workflow_call), avoiding the “workflow doesn’t trigger from GITHUB_TOKEN push” limitation.

Changes:

  • tag-staging.yml now exposes the computed staging_tag as a job output and invokes deploy-staging.yml via uses: ... with secrets: inherit.
  • deploy-staging.yml now supports both push: tags and workflow_call, and resolves the deploy tag via inputs.staging_tag || github.ref_name.
  • All deploy-time checkouts/tags in deploy-staging.yml are based on the resolved tag to work correctly for both triggers.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| .github/workflows/tag-staging.yml | Calls the staging deploy workflow directly after tagging, passing the computed staging tag. |
| .github/workflows/deploy-staging.yml | Adds workflow_call support and unifies tag resolution for dual-trigger compatibility. |

Comment thread .github/workflows/tag-staging.yml
Reusable workflows can't elevate GITHUB_TOKEN permissions beyond what
the caller grants. Add contents:read + packages:write so build jobs
can push images to GHCR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@FSM1 FSM1 merged commit 1c41f6d into main Feb 10, 2026
8 checks passed
@FSM1 FSM1 deleted the fix/staging-workflow-chain branch February 10, 2026 19:43
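
The chaining pattern discussed in this thread, sketched as an added example; it is not the repository's actual workflow files. The workflow, job, input and environment names are the ones mentioned above, while the `version` input, tag format, tag pattern, runner labels, step contents and the placement of the `permissions` blocks are assumptions.

```yaml
# Illustrative sketch only, not the repository's files. Two YAML documents.
# .github/workflows/tag-staging.yml (caller)
on:
  workflow_dispatch:
    inputs:
      version: { required: true, type: string }    # assumed input name
jobs:
  tag-staging:
    runs-on: ubuntu-latest
    environment: staging-approval      # the one approval gate; holds no secrets
    permissions: { contents: write }   # needed to push the tag
    outputs:
      staging_tag: ${{ steps.tag.outputs.staging_tag }}
    steps:
      - uses: actions/checkout@v4
      - id: tag
        env:
          VERSION: ${{ inputs.version }}   # passed via env, not interpolated into the script
        run: |
          TAG="${VERSION}-staging"         # assumed tag format
          git tag "$TAG" && git push origin "$TAG"   # GITHUB_TOKEN push triggers no push workflow
          echo "staging_tag=$TAG" >> "$GITHUB_OUTPUT"
  deploy:
    needs: tag-staging
    permissions:                       # ceiling for the called workflow's GITHUB_TOKEN
      contents: read
      packages: write                  # lets build jobs push images to GHCR
    uses: ./.github/workflows/deploy-staging.yml
    with:
      staging_tag: ${{ needs.tag-staging.outputs.staging_tag }}
    secrets: inherit
---
# .github/workflows/deploy-staging.yml (callee)
on:
  push:
    tags: ['v*']                       # assumed pattern
  workflow_call:
    inputs:
      staging_tag: { required: true, type: string }
env:
  # Under workflow_call, github.ref_name is the caller's ref, so the input takes precedence.
  DEPLOY_TAG: ${{ inputs.staging_tag || github.ref_name }}
jobs:
  build-api:
    runs-on: ubuntu-latest
    environment: staging               # secrets/vars, no reviewers
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ env.DEPLOY_TAG }}   # explicit ref works for both triggers
```

Because `secrets: inherit` hands every caller secret to the called workflow, keeping `permissions` explicit on the calling job is what bounds the token scope the deploy jobs run with.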