feat(ci): unified registry deploy workflow and docs deploy pipeline

rithulkamesh · rithulkamesh · commit 3e3f34d58b07 · 2026-03-14T22:00:05.000+05:30
- Replace separate registry-api.yml and registry-web.yml with unified
  registry-deploy.yml (test -&gt; build -&gt; push -&gt; deploy with OIDC + Instance Connect)
- Add docs-deploy.yml for building Docusaurus and rsyncing to EC2
- Simplify docs.yml to versioning-only (strip GH Pages deploy)
diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml
@@ -0,0 +1,74 @@
+# Deploy docs to EC2 (hivemind.rithul.dev)
+# Builds Docusaurus from website/, rsyncs to EC2, reloads Caddy.
+#
+# Prerequisite on EC2:
+#   sudo mkdir -p /opt/hivemind-docs && sudo chown ubuntu:ubuntu /opt/hivemind-docs
+#   Caddy must have a server block for hivemind.rithul.dev (see deploy/Caddyfile).
+
+name: Docs Deploy
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "website/**"
+      - ".github/workflows/docs-deploy.yml"
+  workflow_dispatch:
+
+concurrency:
+  group: docs-deploy
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    env:
+      EC2_HOST: ${{ vars.REGISTRY_EC2_HOST }}
+      EC2_INSTANCE_ID: ${{ vars.REGISTRY_EC2_INSTANCE_ID }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+
+      - name: Install and build
+        run: |
+          cd website
+          npm ci
+          npm run build
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/hivemind-registry-deploy
+          aws-region: us-east-1
+
+      - name: Deploy to EC2 via Instance Connect
+        run: |
+          # Generate ephemeral SSH key
+          ssh-keygen -t ed25519 -f /tmp/deploy_key -N "" -q
+          aws ec2-instance-connect send-ssh-public-key \
+            --instance-id "$EC2_INSTANCE_ID" \
+            --instance-os-user ubuntu \
+            --ssh-public-key file:///tmp/deploy_key.pub
+
+          # Rsync build output to EC2
+          rsync -azP --delete \
+            -e "ssh -i /tmp/deploy_key -o StrictHostKeyChecking=no" \
+            website/build/ \
+            ubuntu@"$EC2_HOST":/opt/hivemind-docs/
+
+          rm -f /tmp/deploy_key /tmp/deploy_key.pub
+
+      - name: Verify deployment
+        run: |
+          sleep 3
+          curl -sf --retry 3 --retry-delay 5 "https://hivemind.rithul.dev/" || \
+            { echo "FAIL: docs site not responding"; exit 1; }
+          echo "Docs deployment verified"
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,37 +1,26 @@
-# Deploy docs to GitHub Pages (hivemind.rithul.dev)
-# - On push to main: build Docusaurus and deploy to gh-pages
-# - On release published: open a PR with versioned docs (merge it to update main; workflow never pushes to main = no diverging branch).
+# Docs versioning: on release, create a versioned docs snapshot and open a PR.
+# Actual deployment is handled by docs-deploy.yml (pushes to EC2).
 #
-# Required: Repo Settings → Pages → Build and deployment → Source:
-#   "Deploy from a branch" → Branch: gh-pages → / (root)
+# On release published: creates versioned docs via docusaurus docs:version,
+# then opens a PR to merge the versioned snapshot into main.
 
-name: Docs
+name: Docs Version
 
 on:
-  push:
-    branches: [main]
-    paths:
-      - ".github/workflows/docs.yml"
-      - "website/**"
   release:
     types: [published]
 
 permissions:
   contents: write
-  pages: write
-  id-token: write
+  pull-requests: write
 
 concurrency:
-  group: docs
+  group: docs-version
   cancel-in-progress: false
 
 jobs:
   add-version:
-    if: github.event_name == 'release'
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
       - name: Checkout main
         uses: actions/checkout@v4
@@ -74,32 +63,3 @@ jobs:
             website/versioned_sidebars
             website/versions.json
           delete-branch: true
-
-  deploy:
-    if: github.event_name == 'push'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Set up Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-
-      - name: Install and build
-        run: |
-          cd website
-          npm ci
-          npm run build
-
-      - name: Deploy to GitHub Pages
-        uses: peaceiris/actions-gh-pages@v3
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: website/build
-          cname: hivemind.rithul.dev
