From 0db87f160b9b873452a6ceff479dd97e831d8c75 Mon Sep 17 00:00:00 2001 From: Michael Yankelev Date: Tue, 10 Feb 2026 20:01:54 +0100 Subject: [PATCH 1/2] =?UTF-8?q?fix(ci):=20chain=20tag-staging=20=E2=86=92?= =?UTF-8?q?=20deploy-staging=20via=20workflow=5Fcall?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GITHUB_TOKEN pushes don't trigger other workflows, so tag-staging now calls deploy-staging directly via workflow_call instead of relying on the tag push event. Single approval via staging-approval environment. - deploy-staging.yml: add workflow_call trigger with staging_tag input - tag-staging.yml: call deploy-staging after creating tag, pass secrets - All checkout steps use explicit ref for workflow_call compatibility Co-Authored-By: Claude Opus 4.6 --- .github/workflows/deploy-staging.yml | 23 +++++++++++++++++++---- .github/workflows/tag-staging.yml | 11 ++++++++++- 2 files changed, 29 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 33ee4cda56..e615aae1f2 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -4,9 +4,16 @@ on: push: tags: - 'v*-staging*' + workflow_call: + inputs: + staging_tag: + required: true + type: string env: REGISTRY: ghcr.io + # Resolve tag: workflow_call passes it as input, push trigger uses ref_name + DEPLOY_TAG: ${{ inputs.staging_tag || github.ref_name }} jobs: build-api: @@ -17,6 +24,8 @@ jobs: packages: write steps: - uses: actions/checkout@v4 + with: + ref: ${{ inputs.staging_tag || github.ref_name }} - name: Set lowercase image name run: echo "API_IMAGE=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/cipherbox-api" >> "$GITHUB_ENV" @@ -33,7 +42,7 @@ jobs: file: apps/api/Dockerfile push: true tags: | - ${{ env.API_IMAGE }}:${{ github.ref_name }} + ${{ env.API_IMAGE }}:${{ env.DEPLOY_TAG }} ${{ env.API_IMAGE }}:latest build-tee: @@ -44,6 +53,8 @@ jobs: packages: write steps: - uses: actions/checkout@v4 + with: + ref: ${{ inputs.staging_tag || github.ref_name }} - name: Set lowercase image name run: echo "TEE_IMAGE=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/cipherbox-tee-worker" >> "$GITHUB_ENV" @@ -60,7 +71,7 @@ jobs: file: tee-worker/Dockerfile push: true tags: | - ${{ env.TEE_IMAGE }}:${{ github.ref_name }} + ${{ env.TEE_IMAGE }}:${{ env.DEPLOY_TAG }} ${{ env.TEE_IMAGE }}:latest build-web: @@ -69,6 +80,8 @@ jobs: environment: staging steps: - uses: actions/checkout@v4 + with: + ref: ${{ inputs.staging_tag || github.ref_name }} - uses: pnpm/action-setup@v4 with: @@ -109,6 +122,8 @@ jobs: packages: read steps: - uses: actions/checkout@v4 + with: + ref: ${{ inputs.staging_tag || github.ref_name }} - name: Download web dist artifact uses: actions/download-artifact@v4 @@ -145,7 +160,7 @@ jobs: # Append image tag and lowercase owner (can't use shell vars in quoted heredoc) OWNER="${{ github.repository_owner }}" echo "GITHUB_REPOSITORY_OWNER=${OWNER,,}" >> .env.staging - echo "TAG=${{ github.ref_name }}" >> .env.staging + echo "TAG=${{ env.DEPLOY_TAG }}" >> .env.staging - name: Copy files to VPS uses: appleboy/scp-action@v0.1.7 @@ -203,7 +218,7 @@ jobs: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin # Set image tag from git tag (GHCR requires lowercase owner) - export TAG="${{ github.ref_name }}" + export TAG="${{ env.DEPLOY_TAG }}" OWNER="${{ github.repository_owner }}" export GITHUB_REPOSITORY_OWNER="${OWNER,,}" diff --git a/.github/workflows/tag-staging.yml b/.github/workflows/tag-staging.yml index baee0b746d..43ca5d0fcd 100644 --- a/.github/workflows/tag-staging.yml +++ b/.github/workflows/tag-staging.yml @@ -15,6 +15,8 @@ jobs: environment: staging-approval permissions: contents: write + outputs: + staging_tag: ${{ steps.rc.outputs.staging_tag }} steps: - uses: actions/checkout@v4 with: @@ -53,4 +55,11 @@ jobs: run: | git tag "${STAGING_TAG}" "${RELEASE_TAG}" git push origin "${STAGING_TAG}" - echo "::notice::Created tag ${STAGING_TAG} — deploy-staging workflow will trigger automatically" + + deploy: + name: Deploy Staging + needs: tag-staging + uses: ./.github/workflows/deploy-staging.yml + with: + staging_tag: ${{ needs.tag-staging.outputs.staging_tag }} + secrets: inherit From 30a814fd06852d5d2e282bbe5d08b0901787a8b2 Mon Sep 17 00:00:00 2001 From: Michael Yankelev Date: Tue, 10 Feb 2026 20:29:41 +0100 Subject: [PATCH 2/2] fix(ci): add permissions to deploy job for GHCR push Reusable workflows can't elevate GITHUB_TOKEN permissions beyond what the caller grants. Add contents:read + packages:write so build jobs can push images to GHCR. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/tag-staging.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/tag-staging.yml b/.github/workflows/tag-staging.yml index 43ca5d0fcd..cee79bc5fe 100644 --- a/.github/workflows/tag-staging.yml +++ b/.github/workflows/tag-staging.yml @@ -59,6 +59,9 @@ jobs: deploy: name: Deploy Staging needs: tag-staging + permissions: + contents: read + packages: write uses: ./.github/workflows/deploy-staging.yml with: staging_tag: ${{ needs.tag-staging.outputs.staging_tag }}