ci: point deployment pipelines at default.yaml#47
Conversation
Switch both staging and production deployment workflows to update default.yaml instead of fra1.yaml in the declarative assets repo. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the github.sha fallback so production always deploys the release tag. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Greptile SummaryThis PR re-targets both the staging and production deployment workflows from
Confidence Score: 4/5The file rename and retry logic are safe, but the shared concurrency group between staging and production means a staging deploy actively blocks a production release deploy. The core rename from fra1.yaml to default.yaml is straightforward and the retry-with-rebase loop is a solid improvement. The shared declarative-deploy concurrency group across both workflows is the key concern: a staging deploy running on every push to main can queue and hold a production deploy, which is an operational risk in hotfix scenarios. .github/workflows/production.yml — the shared deploy concurrency group and the empty-TAG risk on manual triggers both live here. Important Files Changed
Reviews (3): Last reviewed commit: "ci: serialize deploy jobs with a shared ..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| REGISTRY_DOCKERHUB: docker.io | ||
| IMAGE_NAME: appwrite/mcp | ||
| TAG: ${{ github.event.release.tag_name || github.sha }} | ||
| TAG: ${{ github.event.release.tag_name }} |
There was a problem hiding this comment.
workflow_dispatch triggers
The || github.sha fallback was removed alongside the file rename, but this workflow still supports manual workflow_dispatch runs. When triggered that way, github.event.release.tag_name is empty, so TAG becomes an empty string. This causes the Docker build step to push an image tagged "", and the yq step to write an empty string into default.yaml's image.tag field — silently corrupting the declarative config in the assets repo. The original code handled this correctly; the fallback should be restored.
| TAG: ${{ github.event.release.tag_name }} | |
| TAG: ${{ github.event.release.tag_name || github.sha }} |
The assets-applications repo is shared across apps, so a concurrent push can land between checkout and push, rejecting ours with a non-fast-forward error and silently skipping the manifest update. Retry the push up to 5 times, rebasing onto the remote each time. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add a job-level concurrency group (declarative-deploy) shared across the staging and production deploy jobs so they can't push to the GitOps repo at the same time. Builds still run in parallel. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2 participants
Summary
Switches both the staging and production deployment workflows to update
default.yamlinstead offra1.yamlin theappwrite-labs/assets-applicationsdeclarative repo. This moves production onto the same declarative setup staging already used, just region-agnostic.Changes
.github/workflows/staging.yml—staging/mcp/fra1.yaml→staging/mcp/default.yaml(yq update + git add).github/workflows/production.yml—production/mcp/fra1.yaml→production/mcp/default.yaml(yq update + git add)Note
The
yq -istep edits the file in place, sodefault.yamlmust already exist understaging/mcp/andproduction/mcp/in the assets repo, otherwise the deploy step will fail. Worth confirming before merge.🤖 Generated with Claude Code