ci: set up production promotion workflow

ilyvion · ilyvion · commit 3040dddbde7c · 2025-04-19T16:41:24.000+02:00
[skip ci]
diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml
@@ -0,0 +1,67 @@
+name: Promote Staging to Production
+
+on:
+  workflow_dispatch:
+
+jobs:
+  promote:
+    runs-on: ubuntu-latest
+    env:
+        GH_TOKEN: ${{ github.token }}
+    steps:
+      - name: Find latest successful staging deployment
+        id: staging
+        run: |
+          DEPLOYMENT_JSON=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+                repos/${{ github.repository }}/deployments \
+            --jq '.[] | select(.environment == "staging")' | head -n1)
+
+          echo "ref=$(echo "$DEPLOYMENT_JSON" | jq -r '.ref')" >> "$GITHUB_OUTPUT"
+          echo "sha=$(echo "$DEPLOYMENT_JSON" | jq -r '.sha')" >> "$GITHUB_OUTPUT"
+
+      - name: Create production deployment
+        id: prod_deploy
+        run: |
+          DEPLOY_ID=$(gh api \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+                repos/${{ github.repository }}/deployments \
+            --raw-field ref="${{ steps.staging.outputs.ref }}" \
+            --raw-field sha="${{ steps.staging.outputs.sha }}" \
+            --raw-field environment="production" \
+            --raw-field auto_merge=false \
+            --raw-field required_contexts=[] \
+            --jq '.id')
+
+          echo "id=$DEPLOY_ID" >> "$GITHUB_OUTPUT"
+
+      - name: Set up SSH
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.deploy_known_hosts }}" > ~/.ssh/known_hosts
+          echo "${{ secrets.deploy_key }}" > ~/.ssh/id
+          chmod 600 ~/.ssh/id
+          chmod 700 ~/.ssh
+
+      - name: Trigger promote script on server
+        run: |
+          ssh -i ~/.ssh/id -p ${{ secrets.deploy_port }} ${{ secrets.deploy_user }}@${{ secrets.deploy_target }} sudo promote-staging-to-prod.sh questionablextensions
+
+      - name: Mark deployment as success
+        if: success()
+        run: |
+          gh api \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            repos/${{ github.repository }}/deployments/${{ steps.prod_deploy.outputs.id }}/statuses \
+            -f state="success"
+
+      - name: Mark deployment as failure
+        if: failure()
+        run: |
+          gh api \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            repos/${{ github.repository }}/deployments/${{ steps.prod_deploy.outputs.id }}/statuses \
+            -f state="failure"
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
@@ -41,7 +41,7 @@ jobs:
                         "description": "Deploying to staging"
                     }')
                 deployment_id=$(echo "$deployment_response" | jq -r '.id')
-                echo "deployment_id=$id" >> "$GITHUB_OUTPUT"
+                echo "deployment_id=$deployment_id" >> "$GITHUB_OUTPUT"
 
                 curl -fsS -X POST \
                     -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
@@ -71,7 +71,7 @@ jobs:
                         https://api.github.com/repos/${{ github.repository }}/deployments/${{ steps.create_deployment.outputs.deployment_id }}/statuses \
                     -d '{
                         "state": "success",
-                        "description": "Deployment succeeded",
+                        "description": "Deployment succeeded"
                     }'
               
     report-failure:
@@ -87,5 +87,5 @@ jobs:
                     https://api.github.com/repos/${{ github.repository }}/deployments/${{ needs.deploy.outputs.deployment_id }}/statuses \
                 -d '{
                     "state": "failure",
-                    "description": "Deployment failed",
+                    "description": "Deployment failed"
                 }'
