fix(ci): chain tag-staging to deploy-staging via workflow_call #85
GITHUB_TOKEN pushes don't trigger other workflows, so tag-staging now calls deploy-staging directly via workflow_call instead of relying on the tag push event. Single approval via staging-approval environment.

- deploy-staging.yml: add workflow_call trigger with staging_tag input
- tag-staging.yml: call deploy-staging after creating tag, pass secrets
- All checkout steps use explicit ref for workflow_call compatibility

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Walkthrough
Chains tag creation to a reusable deploy workflow:
Changes
Sequence Diagram

```mermaid
sequenceDiagram
    participant GH as GitHub Actions
    participant TagJob as tag-staging job
    participant DeployJob as deploy job
    participant DeployWF as deploy-staging workflow
    participant Registry as Container Registry
    participant Infra as Infrastructure
    GH->>TagJob: run tag-staging
    TagJob->>TagJob: create/push staging tag
    TagJob-->>GH: outputs staging_tag
    GH->>DeployJob: start deploy (needs: tag-staging)
    DeployJob->>DeployWF: workflow_call with staging_tag
    DeployWF->>GH: checkout at DEPLOY_TAG (env.DEPLOY_TAG)
    DeployWF->>Registry: build & push images tagged with DEPLOY_TAG
    DeployWF->>Infra: deploy services using DEPLOY_TAG
    DeployWF-->>GH: deployment complete
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Pull request overview
Updates the staging release automation so that creating a staging tag via workflow_dispatch reliably triggers the staging deployment by invoking the deploy workflow as a reusable workflow (workflow_call), avoiding the “workflow doesn’t trigger from GITHUB_TOKEN push” limitation.
Changes:
- `tag-staging.yml` now exposes the computed `staging_tag` as a job output and invokes `deploy-staging.yml` via `uses: ...` with `secrets: inherit`.
- `deploy-staging.yml` now supports both `push: tags` and `workflow_call`, and resolves the deploy tag via `inputs.staging_tag || github.ref_name`.
- All deploy-time checkouts/tags in `deploy-staging.yml` are based on the resolved tag to work correctly for both triggers.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/tag-staging.yml | Calls the staging deploy workflow directly after tagging, passing the computed staging tag. |
| .github/workflows/deploy-staging.yml | Adds workflow_call support and unifies tag resolution for dual-trigger compatibility. |
Reusable workflows can't elevate GITHUB_TOKEN permissions beyond what the caller grants. Add contents:read + packages:write so build jobs can push images to GHCR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- `tag-staging.yml` now calls `deploy-staging.yml` directly via `workflow_call` with `secrets: inherit`
- `deploy-staging.yml` accepts both `push: tags` and `workflow_call` triggers
- `github.ref_name` references replaced with `inputs.staging_tag || github.ref_name` for dual-trigger compatibility

Environment setup
- `staging-approval`: required reviewers, no secrets (one approval gate)
- `staging`: secrets/vars, no reviewers (silent access for deploy jobs)

Test plan
- `v0.3.0`— verify single approval prompt

🤖 Generated with Claude Code
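The caller/callee pattern this PR describes, sketched as an added example; it is not the repository's actual workflow files. Job and step ids, the tag value, the tag pattern and the placement of the `staging-approval` gate are assumptions, marked as such in the comments.

```yaml
# .github/workflows/tag-staging.yml (caller; job/step ids are assumed)
on:
  workflow_dispatch:
permissions:
  contents: write                   # GITHUB_TOKEN pushes the tag; that push starts no workflow
jobs:
  tag-staging:
    runs-on: ubuntu-latest
    environment: staging-approval   # assumed placement of the single approval gate
    outputs:
      staging_tag: ${{ steps.tag.outputs.staging_tag }}
    steps:
      - uses: actions/checkout@v4
      - id: tag
        run: |
          TAG="staging-PLACEHOLDER"   # placeholder; the real tag computation is not on the page
          git tag "$TAG" && git push origin "$TAG"
          echo "staging_tag=$TAG" >> "$GITHUB_OUTPUT"
  deploy:
    needs: tag-staging
    permissions:                    # the callee's token can never exceed what is granted here
      contents: read
      packages: write
    uses: ./.github/workflows/deploy-staging.yml
    with:
      staging_tag: ${{ needs.tag-staging.outputs.staging_tag }}
    secrets: inherit                # passes all secrets available to the caller
---
# .github/workflows/deploy-staging.yml (callee, also runs on a manual tag push)
on:
  push:
    tags: ["PLACEHOLDER-*"]         # placeholder pattern
  workflow_call:
    inputs:
      staging_tag:
        type: string
        required: false
permissions: { contents: read, packages: write }   # used on the push-trigger path
env:
  DEPLOY_TAG: ${{ inputs.staging_tag || github.ref_name }}   # input is empty on push
jobs:
  build:
    runs-on: ubuntu-latest
    environment: staging            # secrets/vars, no reviewers
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ env.DEPLOY_TAG }}   # a called run's default ref is the caller's, not the tag
      - run: echo "build and push images tagged $DEPLOY_TAG"
```

If the callee only needs a few secrets, an explicit `secrets:` mapping on the calling job in place of `secrets: inherit` narrows what the reusable workflow can read.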