From a4ebdd73f15d27bcfcec8aa8a8066d812022627f Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 27 Jan 2026 08:22:53 +0100
Subject: [PATCH 01/15] cicd optimization

---
 .github/workflows/build-image.yaml | 5 -
 .github/workflows/commit-and-push.yaml | 0
 .github/workflows/deploy-to-eks.yaml | 192 +++++++++++++++++++++++++
 .github/workflows/kubernetes.yaml | 2 +-
 4 files changed, 193 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/commit-and-push.yaml
 create mode 100644 .github/workflows/deploy-to-eks.yaml

diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index 2edb895..a15a166 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -17,11 +17,6 @@ on:
 description: If provided, sets targets for as many image builds as targets specified
 default: ""
 type: string
- preScript:
- required: false
- description: If provided, runs a script after repo checkout and before the docker image is built. Useful in case that you need to build a package outside of the docker image (and load the artifacts via copy).
- default: ""
- type: string
 enableContainerScan:
 required: false
 description: Apply the container scan
diff --git a/.github/workflows/commit-and-push.yaml b/.github/workflows/commit-and-push.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/.github/workflows/deploy-to-eks.yaml b/.github/workflows/deploy-to-eks.yaml
new file mode 100644
index 0000000..dcf0f36
--- /dev/null
+++ b/.github/workflows/deploy-to-eks.yaml
@@ -0,0 +1,192 @@
+name: Kubernetes
+on:
+ workflow_call:
+ inputs:
+ artifactName:
+ required: false
+ description: Downloads a previously uploaded artifact (has to be in the same workflow). Both artifactPath and artifactName have to be passed.
+ default: ""
+ type: string
+ artifactPath:
+ required: false
+ description: Downloads a previously uploaded artifact (has to be in the same workflow). Both artifactPath and artifactName have to be passed.
+ default: ""
+ type: string
+ createGitHubDeployment:
+ required: false
+ default: false
+ type: boolean
+ enableContainerScan:
+ required: false
+ default: true
+ type: boolean
+ enableSlackNotification:
+ required: false
+ default: false
+ type: boolean
+ env:
+ required: true
+ type: string
+ imageTargets:
+ required: false
+ description: Sets targets for as many image builds as targets specified in Containerfile
+ default: ""
+ type: string
+ preScript:
+ required: false
+ description: Runs a script after repo checkout and before the docker image is built. Useful in case that you need to build a package outside of the docker image (and load the artifacts via copy).
+ default: ""
+ type: string
+ ref:
+ required: true
+ type: string
+ runner:
+ required: false
+ default: ubicloud-standard-2 # TODO: or ubuntu-latest?
+ type: string
+ sentryOrg:
+ required: false
+ type: string
+ sentryProject:
+ required: false
+ type: string
+ tagPath:
+ required: false
+ type: string
+ secrets:
+ # slackBotToken:
+ # required: false
+ # description: The Slack bot token to write messages in the desired channels (required if slack channel ids are provided)
+ AWS_ROLE_TO_ASSUME:
+ required: true
+ description: AWS OIDC role for GitHub to assume
+ repoAccessToken:
+ required: true
+ description: The Github token to perform operations cross-repo (not github.token!)
+
+jobs:
+ init:
+ runs-on: ${{ inputs.runner }}
+ outputs:
+ version: ${{ steps.vars.outputs.version }}
+ steps:
+ - name: Load deployment variables
+ id: vars
+ run: |
+ REF="${{ inputs.ref }}"
+ SHA="${{ github.sha }}"
+ if [[ "${{ inputs.env }}" == 'prod' ]]
+ then
+ # shellcheck disable=SC2086
+ echo "version=${REF##*/}" >> $GITHUB_OUTPUT
+ else
+ # shellcheck disable=SC2086
+ echo "version=${SHA:0:7}" >> $GITHUB_OUTPUT
+
+ build:
+ needs: init
+ runs-on: ${{ inputs.runner }}
+ permissions:
+ contents: read
+ id-token: write
+ uses: parcelLab/ci/.github/workflows/build-image.yaml@v9.0.0
+ with:
+ artifactName: ${{ inputs.artifactName }}
+ artifactPath: ${{ inputs.artifactPath }}
+ imageTargets: ${{ inputs.imageTargets }}
+ enableContainerScan: ${{ inputs.enableContainerScan }}
+ runner: ${{ inputs.runner }}
+ version: ${{ needs.initialize.outputs.version }}
+ secrets: inherit
+
+ commit:
+ needs: build
+ environment: ${{ github.event.deployment.payload.env }}
+ concurrency: commit-${{ inputs.deploymentRepoURL }}-${{ github.sha }}
+ runs-on: ${{ inputs.runner }}
+ steps:
+ - name: Checkout current git repository
+ uses: actions/checkout@v6
+ - name: Deploy ${{ github.sha }} to ${{ github.event.deployment.environment }} values
+ uses: mikefarah/yq@v4.30.8
+ with:
+ cmd: yq '(.${{ inputs.tagPath }} = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/values.yaml
+ - name: Commit and push new tag
+ run: |
+ set -euxo pipefail
+ git config user.email "dev.bot@parcellab.com"
+ git config user.name "parcellab-dev-bot"
+ git add .chart/${{ inputs.env }}/values.yaml
+ if git diff --cached --quiet; then
+ echo "No changes to commit"
+ exit 0
+ fi
+ git commit -m "chore(deploy): set ${{ inputs.env }} image tag to ${{ needs.kubernetes.outputs.version }}"
+
+ if [ "${{ inputs.env }}" = "staging" ]; then
+ echo "Commit new tag to staging"
+ NEW_SHA=$(git rev-parse HEAD)
+ git tag -fa staging -m "staging deploy ${VERSION} (${NEW_SHA}) via ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" "${NEW_SHA}"
+ git push origin -f refs/tags/staging
+ else
+ echo "Commit new tag to ${{ inputs.env }}"
+ git push origin HEAD:main
+ fi
+
+ post-deploy:
+ needs: [commit]
+ runs-on: ${{ inputs.runner }}
+ steps:
+ - if: inputs.enableSlackNotification
+ name: Send out Slack notification
+ continue-on-error: true
+ uses: darioblanco/slack-deployment@main
+ env:
+ SLACK_BOT_TOKEN: ${{ secrets.slackBotToken }}
+ with:
+ channel_id: ${{ needs.initialize.outputs.channel-id }}
+ deployment_description: ${{ github.event.deployment.payload.description == null && 'No description' || github.event.deployment.payload.description }}
+ deployment_name: ${{ github.event.deployment.payload.name == null && 'unknown' || github.event.deployment.payload.name }}
+ environment: ${{ github.event.deployment.payload.env == null && 'unknown' || github.event.deployment.payload.env }}
+ owner: ${{ github.event.deployment.payload.author == null && github.actor || github.event.deployment.payload.author }}
+ package: ${{ github.event.deployment.payload.name == null && 'unknown' || github.event.deployment.payload.name }}
+ ref: ${{ github.event.deployment.ref == null && 'unknown' || github.event.deployment.ref }}
+ repo: ${{ github.repository }}
+ sha: ${{ github.sha }}
+ status_url: ${{ github.event.deployment.payload.statusUrl == null && 'https://github.com' || github.event.deployment.payload.statusUrl }}
+ url: ${{ github.event.deployment.payload.url == null && 'https://github.com' || github.event.deployment.payload.url }}
+ version: ${{ needs.initialize.outputs.version }}
+ - if: inputs.sentryOrg != '' && inputs.sentryProject != ''
+ name: Create Sentry release
+ uses: getsentry/action-release@v1
+ env:
+ SENTRY_AUTH_TOKEN: ${{ secrets.sentryAuthToken }}
+ SENTRY_ORG: ${{ inputs.sentryOrg }}
+ SENTRY_PROJECT: ${{ inputs.sentryProject }}
+ SENTRY_URL: ${{ inputs.sentryUrl }}
+ with:
+ environment: ${{ inputs.sentryEnvironment != '' && inputs.sentryEnvironment || github.event.deployment.payload.env }}
+ set_commits: skip
+ version: ${{ needs.initialize.outputs.version }}
+ continue-on-error: true
+ - if: inputs.createGitHubDeployment
+ name: Create GitHub Deployment
+ uses: chrnorm/deployment-action@v2
+ with:
+ token: ${{ secrets.REPO_ACCESS_TOKEN }}
+ ref: ${{ github.event.inputs.ref }}
+ environment: ${{ github.event.inputs.env }}
+ description: ${{ github.event.inputs.description != '' && github.event.inputs.description || format('Manual deployment {0}', github.sha) }}
+ auto-merge: false
+ payload: |
+ {"env":${{ toJSON(github.event.inputs.env) }},"name":"product-api","author":${{ toJSON(github.event.inputs.author) }},"description":${{ toJSON(github.event.inputs.description) }},"kubernetes":{"versionKey":"monolith.image.tag"}}
+ - if: inputs.createGitHubDeployment
+ name: Set GitHub Deployment status to successfull
+ uses: chrnorm/deployment-status@v2
+ with:
+ deployment-id: ${{ github.event.deployment.id }}
+ environment-url: ${{ github.event.deployment.payload.url }}
+ environment: ${{ github.event.deployment.payload.env }}
+ state: "success"
+ token: ${{ github.token }}
+
\ No newline at end of file
diff --git a/.github/workflows/kubernetes.yaml b/.github/workflows/kubernetes.yaml
index 761c0e4..c8ce5eb 100644
--- a/.github/workflows/kubernetes.yaml
+++ b/.github/workflows/kubernetes.yaml
@@ -204,7 +204,7 @@ jobs:
 repository: ${{ inputs.deploymentRepoURL }}
 directory: remote
 github_token: ${{ secrets.repoAccessToken }}
- branch: main
+ branch: ${{ input.ref }}
 - if: success()
 name: Successful ${{ github.event.deployment.payload.name }} deployment
 uses: chrnorm/deployment-status@v2

From b9f99ca2559078a6199f42942f1f19b6e7f228d4 Mon Sep 17 00:00:00 2001
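Review bot: The `run:` blocks of the `init` and `commit` jobs splice `${{ inputs.ref }}`, `${{ inputs.env }}` and `${{ needs.initialize.outputs.version }}` straight into the shell text (`REF="${{ inputs.ref }}"`, `if [ "${{ inputs.env }}" = "staging" ]`, the `git commit -m` message), so a ref or input value containing shell metacharacters is executed as code rather than treated as data; the value comes from the caller and, depending on how the caller sets it, from a branch or tag name. Expose them through the step's `env:` and read shell variables instead, e.g. `env:` with `REF: ${{ inputs.ref }}` and `DEPLOY_ENV: ${{ inputs.env }}`, then `REF="$REF"` and `if [[ "$DEPLOY_ENV" == 'prod' ]]`. The `commit` job runs `git push origin HEAD:main` and `git push origin -f refs/tags/staging` but declares no `permissions:` block, so it depends on the repository's default `GITHUB_TOKEN` grant; `permissions: contents: write` on that job makes the requirement explicit and keeps the other jobs read-only. `secrets: inherit` on the `build` job forwards every secret this workflow received to the remote `parcelLab/ci` workflow; passing only the secrets build-image.yaml declares narrows that.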
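Review bot: `branch: ${{ input.ref }}` references a context named `input`, which does not exist; GitHub Actions reports this as an unrecognized named-value when the workflow is loaded, and the intended reference is `branch: ${{ inputs.ref }}`. The line also changes the checkout of the deployment repository (`repository: ${{ inputs.deploymentRepoURL }}` two lines above) from the fixed `main` branch to whatever ref the caller passes, which presumably names a ref of the application repository rather than of the deployment repository — verify that the deployment repo carries that branch, or keep `main` here. The enclosing step and job start outside the hunk.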
From: Kirill Plis
Date: Fri, 13 Feb 2026 09:54:25 +0100
Subject: [PATCH 02/15] save changes

---
 ...-eks.yaml => build-and-deploy-to-eks.yaml} | 29 +++++++------------
 1 file changed, 10 insertions(+), 19 deletions(-)
 rename .github/workflows/{deploy-to-eks.yaml => build-and-deploy-to-eks.yaml} (88%)

diff --git a/.github/workflows/deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
similarity index 88%
rename from .github/workflows/deploy-to-eks.yaml
rename to .github/workflows/build-and-deploy-to-eks.yaml
index dcf0f36..a0634f8 100644
--- a/.github/workflows/deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -20,10 +20,6 @@ on:
 required: false
 default: true
 type: boolean
- enableSlackNotification:
- required: false
- default: false
- type: boolean
 env:
 required: true
 type: string
@@ -32,17 +28,12 @@ on:
 description: Sets targets for as many image builds as targets specified in Containerfile
 default: ""
 type: string
- preScript:
- required: false
- description: Runs a script after repo checkout and before the docker image is built. Useful in case that you need to build a package outside of the docker image (and load the artifacts via copy).
- default: ""
- type: string
 ref:
 required: true
 type: string
 runner:
 required: false
- default: ubicloud-standard-2 # TODO: or ubuntu-latest?
+ default: ubuntu-latest
 type: string
 sentryOrg:
 required: false
@@ -50,19 +41,19 @@ on:
 sentryProject:
 required: false
 type: string
+ slackChannelId:
+ required: false
+ type: string
 tagPath:
 required: false
 type: string
 secrets:
- # slackBotToken:
- # required: false
- # description: The Slack bot token to write messages in the desired channels (required if slack channel ids are provided)
+ slackBotToken:
+ required: false
+ description: The Slack bot token to write messages in the desired channels (required if slack channel ids are provided)
 AWS_ROLE_TO_ASSUME:
 required: true
 description: AWS OIDC role for GitHub to assume
- repoAccessToken:
- required: true
- description: The Github token to perform operations cross-repo (not github.token!)

 jobs:
 init:
@@ -137,15 +128,15 @@ jobs:
 needs: [commit]
 runs-on: ${{ inputs.runner }}
 steps:
- - if: inputs.enableSlackNotification
+ - if: inputs.slackChannelId
 name: Send out Slack notification
 continue-on-error: true
 uses: darioblanco/slack-deployment@main
 env:
 SLACK_BOT_TOKEN: ${{ secrets.slackBotToken }}
 with:
- channel_id: ${{ needs.initialize.outputs.channel-id }}
- deployment_description: ${{ github.event.deployment.payload.description == null && 'No description' || github.event.deployment.payload.description }}
+ channel_id: ${{ inputs.slackChannelId }}
+ deployment_description: "No description"
 deployment_name: ${{ github.event.deployment.payload.name == null && 'unknown' || github.event.deployment.payload.name }}
 environment: ${{ github.event.deployment.payload.env == null && 'unknown' || github.event.deployment.payload.env }}
 owner: ${{ github.event.deployment.payload.author == null && github.actor || github.event.deployment.payload.author }}

From 9db008a13c09904929e81292634af3e45070ed2f Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Mon, 16 Feb 2026 12:12:53 +0100
Subject: [PATCH 03/15] fix references

---
 .../workflows/build-and-deploy-to-eks.yaml | 73 ++++++++++++-------
 1 file changed, 48 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index a0634f8..d6761d5 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -12,6 +12,17 @@ on:
 description: Downloads a previously uploaded artifact (has to be in the same workflow). Both artifactPath and artifactName have to be passed.
 default: ""
 type: string
+ description:
+ required: false
+ type: string
+ deploymentRepoPath:
+ required: false
+ description: Path to the values.yaml file in the deployment repository (e.g. .chart/staging)
+ type: string
+ deploymentRepoURL:
+ required: false
+ description: URL of the deployment repository
+ type: string
 createGitHubDeployment:
 required: false
 default: false
@@ -41,6 +52,12 @@ on:
 sentryProject:
 required: false
 type: string
+ sentryEnvironment:
+ required: false
+ type: string
+ sentryUrl:
+ required: false
+ type: string
 slackChannelId:
 required: false
 type: string
@@ -51,6 +68,10 @@ on:
 slackBotToken:
 required: false
 description: The Slack bot token to write messages in the desired channels (required if slack channel ids are provided)
+ sentryAuthToken:
+ required: false
+ REPO_ACCESS_TOKEN:
+ required: false
 AWS_ROLE_TO_ASSUME:
 required: true
 description: AWS OIDC role for GitHub to assume
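Review bot: The new `sentryAuthToken` and `REPO_ACCESS_TOKEN` secrets are declared `required: false` with no `description`, while the steps that consume them run whenever `sentryOrg`/`sentryProject` or `createGitHubDeployment` are set, so a caller enabling either feature without passing the secret gets a failing step with an empty token. State the coupling on the declaration, e.g. `description: Sentry auth token; required when sentryOrg and sentryProject are set` and `description: Token with deployments write access; required when createGitHubDeployment is true (not github.token)`. The `deploymentRepoURL` input is described as the deployment repository URL, but within this patch it only appears in the `concurrency` key of the `commit` job, whose checkout targets the current repository; if no hunk outside this excerpt clones it, the description should say so or the input should go.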
@@ -87,36 +108,37 @@ jobs:
 imageTargets: ${{ inputs.imageTargets }}
 enableContainerScan: ${{ inputs.enableContainerScan }}
 runner: ${{ inputs.runner }}
- version: ${{ needs.initialize.outputs.version }}
+ version: ${{ needs.init.outputs.version }}
 secrets: inherit

 commit:
 needs: build
- environment: ${{ github.event.deployment.payload.env }}
+ environment: ${{ inputs.env }}
 concurrency: commit-${{ inputs.deploymentRepoURL }}-${{ github.sha }}
 runs-on: ${{ inputs.runner }}
 steps:
 - name: Checkout current git repository
 uses: actions/checkout@v6
- - name: Deploy ${{ github.sha }} to ${{ github.event.deployment.environment }} values
+ - name: Deploy ${{ github.sha }} to ${{ inputs.env }} values
 uses: mikefarah/yq@v4.30.8
 with:
- cmd: yq '(.${{ inputs.tagPath }} = "${{ needs.initialize.outputs.version }}")' -i remote/${{ inputs.deploymentRepoPath }}/values.yaml
+ cmd: yq '(.${{ inputs.tagPath }} = "${{ needs.init.outputs.version }}")' -i ${{ inputs.deploymentRepoPath }}/values.yaml
 - name: Commit and push new tag
 run: |
 set -euxo pipefail
 git config user.email "dev.bot@parcellab.com"
 git config user.name "parcellab-dev-bot"
- git add .chart/${{ inputs.env }}/values.yaml
+ git add ${{ inputs.deploymentRepoPath }}/values.yaml
 if git diff --cached --quiet; then
 echo "No changes to commit"
 exit 0
 fi
- git commit -m "chore(deploy): set ${{ inputs.env }} image tag to ${{ needs.kubernetes.outputs.version }}"
+ git commit -m "chore(deploy): set ${{ inputs.env }} image tag to ${{ needs.init.outputs.version }}"

 if [ "${{ inputs.env }}" = "staging" ]; then
 echo "Commit new tag to staging"
 NEW_SHA=$(git rev-parse HEAD)
+ VERSION="${{ needs.init.outputs.version }}"
 git tag -fa staging -m "staging deploy ${VERSION} (${NEW_SHA}) via ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" "${NEW_SHA}"
 git push origin -f refs/tags/staging
 else
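Review bot: With the `remote/` prefix dropped from the yq path and `git add ${{ inputs.deploymentRepoPath }}/values.yaml`, the `commit` job now edits the values file in the repository that `actions/checkout@v6` cloned, i.e. the calling repository, and the unchanged `git push origin HEAD:main` below the hunk pushes that commit straight to the caller's `main`; if the deployment repository named by `inputs.deploymentRepoURL` is still the intended target, a checkout of it is missing. The `commit` job declares no `permissions:`, so the push relies on the default token grant: with read-only defaults it fails, with write defaults the whole job holds more than it needs — add `permissions: contents: write` to the job. The `deploymentRepoPath` input has no default, so an omitted value yields `git add /values.yaml`; either give it a default or make it `required: true`. The job body continues past the end of the hunk.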
@@ -125,7 +147,7 @@ jobs:
 fi

 post-deploy:
- needs: [commit]
+ needs: [init, commit]
 runs-on: ${{ inputs.runner }}
 steps:
 - if: inputs.slackChannelId
@@ -137,16 +159,16 @@ jobs:
 with:
 channel_id: ${{ inputs.slackChannelId }}
 deployment_description: "No description"
- deployment_name: ${{ github.event.deployment.payload.name == null && 'unknown' || github.event.deployment.payload.name }}
- environment: ${{ github.event.deployment.payload.env == null && 'unknown' || github.event.deployment.payload.env }}
- owner: ${{ github.event.deployment.payload.author == null && github.actor || github.event.deployment.payload.author }}
- package: ${{ github.event.deployment.payload.name == null && 'unknown' || github.event.deployment.payload.name }}
- ref: ${{ github.event.deployment.ref == null && 'unknown' || github.event.deployment.ref }}
+ deployment_name: ${{ inputs.artifactName != '' && inputs.artifactName || 'unknown' }}
+ environment: ${{ inputs.env }}
+ owner: ${{ github.actor }}
+ package: ${{ inputs.artifactName != '' && inputs.artifactName || 'unknown' }}
+ ref: ${{ inputs.ref }}
 repo: ${{ github.repository }}
 sha: ${{ github.sha }}
- status_url: ${{ github.event.deployment.payload.statusUrl == null && 'https://github.com' || github.event.deployment.payload.statusUrl }}
- url: ${{ github.event.deployment.payload.url == null && 'https://github.com' || github.event.deployment.payload.url }}
- version: ${{ needs.initialize.outputs.version }}
+ status_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ version: ${{ needs.init.outputs.version }}
 - if: inputs.sentryOrg != '' && inputs.sentryProject != ''
 name: Create Sentry release
 uses: getsentry/action-release@v1
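Review bot: `deployment_description` is left at the literal `"No description"` although this patch introduces an `inputs.description` input and uses it for the GitHub Deployment later in the file; `deployment_description: ${{ inputs.description != '' && inputs.description || 'No description' }}` keeps the Slack message consistent with the deployment record. `deployment_name` and `package` now fall back to `inputs.artifactName`, which by its own description names a previously uploaded build artifact rather than the application, so callers whose artifact and app names differ get a misleading notification — presumably a dedicated app-name input is the right source. The `post-deploy` job continues outside the hunk.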
@@ -156,28 +178,29 @@ jobs:
 SENTRY_PROJECT: ${{ inputs.sentryProject }}
 SENTRY_URL: ${{ inputs.sentryUrl }}
 with:
- environment: ${{ inputs.sentryEnvironment != '' && inputs.sentryEnvironment || github.event.deployment.payload.env }}
+ environment: ${{ inputs.sentryEnvironment != '' && inputs.sentryEnvironment || inputs.env }}
 set_commits: skip
- version: ${{ needs.initialize.outputs.version }}
+ version: ${{ needs.init.outputs.version }}
 continue-on-error: true
 - if: inputs.createGitHubDeployment
 name: Create GitHub Deployment
 uses: chrnorm/deployment-action@v2
+ id: deployment
 with:
 token: ${{ secrets.REPO_ACCESS_TOKEN }}
- ref: ${{ github.event.inputs.ref }}
- environment: ${{ github.event.inputs.env }}
- description: ${{ github.event.inputs.description != '' && github.event.inputs.description || format('Manual deployment {0}', github.sha) }}
+ ref: ${{ inputs.ref }}
+ environment: ${{ inputs.env }}
+ description: ${{ inputs.description != '' && inputs.description || format('Manual deployment {0}', github.sha) }}
 auto-merge: false
 payload: |
- {"env":${{ toJSON(github.event.inputs.env) }},"name":"product-api","author":${{ toJSON(github.event.inputs.author) }},"description":${{ toJSON(github.event.inputs.description) }},"kubernetes":{"versionKey":"monolith.image.tag"}}
+ {"env":${{ toJSON(inputs.env) }},"name":"product-api","author":${{ toJSON(github.actor) }},"description":${{ toJSON(inputs.description) }},"kubernetes":{"versionKey":"monolith.image.tag"}}
 - if: inputs.createGitHubDeployment
- name: Set GitHub Deployment status to successfull
+ name: Set GitHub Deployment status to successful
 uses: chrnorm/deployment-status@v2
 with:
- deployment-id: ${{ github.event.deployment.id }}
- environment-url: ${{ github.event.deployment.payload.url }}
- environment: ${{ github.event.deployment.payload.env }}
+ deployment-id: ${{ steps.deployment.outputs.deployment_id }}
+ environment-url: ${{ steps.deployment.outputs.environment_url }}
+ environment: ${{ inputs.env }}
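Review bot: The rewritten `payload` of the `Create GitHub Deployment` step still hard-codes `"name":"product-api"` and `"kubernetes":{"versionKey":"monolith.image.tag"}` even though this is a `workflow_call` workflow with `tagPath` and `artifactName` inputs, so every caller would record deployments attributed to product-api with the wrong version key. Use the inputs, e.g. `"name":${{ toJSON(inputs.artifactName) }}` and `"kubernetes":{"versionKey":${{ toJSON(inputs.tagPath) }}}`. The status step that follows authenticates with `token: ${{ github.token }}` while the deployment was created with `secrets.REPO_ACCESS_TOKEN`, and the `post-deploy` job declares no `permissions:`; updating the status with `GITHUB_TOKEN` needs `deployments: write` on the job, or both steps should use the same token. The hunk ends before the step's last two lines.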
 state: "success"
 token: ${{ github.token }}
 
\ No newline at end of file

From fd88e4ac2e33a6aa1496ad0b342814d955b4c7e6 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 09:50:32 +0100
Subject: [PATCH 04/15] remove uses

---
 .github/workflows/build-and-deploy-to-eks.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index d6761d5..0731baa 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -97,7 +97,6 @@ jobs:

 build:
 needs: init
- runs-on: ${{ inputs.runner }}
 permissions:
 contents: read
 id-token: write

From 55028f9b909a64cb55ee7c939c4d9c882279e496 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 09:53:32 +0100
Subject: [PATCH 05/15] fix build-image version

---
 .github/workflows/build-and-deploy-to-eks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index 0731baa..0f2c1c7 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -100,7 +100,7 @@ jobs:
 permissions:
 contents: read
 id-token: write
- uses: parcelLab/ci/.github/workflows/build-image.yaml@v9.0.0
+ uses: parcelLab/ci/.github/workflows/build-image.yaml@v8
 with:
 artifactName: ${{ inputs.artifactName }}
 artifactPath: ${{ inputs.artifactPath }}

From c01109b1d31565b7091c270ade0e4efcd130490c Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 09:54:56 +0100
Subject: [PATCH 06/15] add fi

---
 .github/workflows/build-and-deploy-to-eks.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index 0f2c1c7..9e26013 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -94,6 +94,7 @@ jobs:
 else
 # shellcheck disable=SC2086
 echo "version=${SHA:0:7}" >> $GITHUB_OUTPUT
+ fi

 build:
 needs: init

From 98324161f0c3fa62cf46d2fbefb762678747f394 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 10:01:26 +0100
Subject: [PATCH 07/15] adjust build-image

---
 .../workflows/build-and-deploy-to-eks.yaml | 2 +
 .github/workflows/build-image.yaml | 72 +++++++++++--------
 2 files changed, 44 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index 9e26013..22a0887 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -109,6 +109,8 @@ jobs:
 enableContainerScan: ${{ inputs.enableContainerScan }}
 runner: ${{ inputs.runner }}
 version: ${{ needs.init.outputs.version }}
+ appName: ${{ inputs.artifactName }}
+ environment: ${{ inputs.env }}
 secrets: inherit

 commit:
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index a15a166..db8157d 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -30,6 +30,12 @@ on:
 version:
 required: true
 type: string
+ appName:
+ required: false
+ type: string
+ environment:
+ required: false
+ type: string

 env:
 IMAGE_SCAN_SEVERITY: LOW
@@ -43,8 +49,11 @@ jobs:
 permissions:
 id-token: write
 contents: read
- environment: ${{ github.event.deployment.payload.env }}
+ environment: ${{ inputs.environment != '' && inputs.environment || github.event.deployment.payload.env }}
 runs-on: ${{ inputs.runner }}
+ env:
+ APP_NAME: ${{ inputs.appName != '' && inputs.appName || inputs.artifactName != '' && inputs.artifactName || github.event.deployment.payload.name }}
+ ENVIRONMENT: ${{ inputs.environment != '' && inputs.environment || github.event.deployment.payload.env }}
 steps:
 - name: Checkout current git repository
 uses: actions/checkout@v4
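Review bot: The new `appName` and `environment` inputs of build-image.yaml carry no `description`, and the resolution order encoded in `APP_NAME` (appName, then artifactName, then the deployment payload name) is only discoverable by reading the expression; state it on the input, e.g. `description: ECR repository and image name; falls back to artifactName, then to the deployment payload name`, and for `environment` `description: Target environment; falls back to the deployment payload env`. In the first hunk the caller passes `appName: ${{ inputs.artifactName }}`, so through the new workflow the ECR repository is always named after the uploaded artifact, which holds only while artifact and application names coincide — nothing in the artifactName description promises that. The `build-ecr` job these `env:` lines belong to starts before the hunk and continues after it.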
@@ -70,12 +79,12 @@ jobs:
 role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 - name: Create ECR repository if it doesn't exist
 run: |
- if ! aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }} 2>/dev/null; then
- echo "Repository ${{ github.event.deployment.payload.name }} does not exist, creating it..."
- aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }}
+ if ! aws ecr describe-repositories --repository-names ${{ env.APP_NAME }} 2>/dev/null; then
+ echo "Repository ${{ env.APP_NAME }} does not exist, creating it..."
+ aws ecr create-repository --repository-name ${{ env.APP_NAME }}
 echo "Setting lifecycle policy..."
 else
- echo "Repository ${{ github.event.deployment.payload.name }} already exists, skipping creation"
+ echo "Repository ${{ env.APP_NAME }} already exists, skipping creation"
 fi

 echo "Applying lifecycle policies"
@@ -84,7 +93,7 @@ jobs:
 {"rulePriority":2,"description":"Preserve production images","selection":{"tagStatus":"tagged","tagPatternList":["v*"],"countType":"imageCountMoreThan","countNumber":50},"action":{"type":"expire"}},
 {"rulePriority":3,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"sinceImagePushed","countUnit":"days","countNumber":7},"action":{"type":"expire"}}
 ]}'
- aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }} --lifecycle-policy-text "$LIFECYCLE_POLICY"
+ aws ecr put-lifecycle-policy --repository-name ${{ env.APP_NAME }} --lifecycle-policy-text "$LIFECYCLE_POLICY"
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v2
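Review bot: Switching the `run:` lines to `${{ env.APP_NAME }}` does not change how the value reaches the shell: the expression is still substituted into the script text before bash parses it, so a name with spaces or shell metacharacters breaks the command exactly as the payload name did, and the value now also depends on caller inputs. Since `APP_NAME` already lives in the job `env:`, read it as a quoted shell variable instead, e.g. `if ! aws ecr describe-repositories --repository-names "$APP_NAME" 2>/dev/null; then` and `aws ecr put-lifecycle-policy --repository-name "$APP_NAME" --lifecycle-policy-text "$LIFECYCLE_POLICY"`. The same applies to the push step and to the matrix job's repository, lifecycle and push steps later in this patch, where the `${{ env.APP_NAME }}-${{ matrix.containerfile_targets }}` form can become `"${APP_NAME}-${TARGET}"` once the matrix value is also mapped through `env:`. Separately, `describe-repositories` discards stderr and any non-zero exit — including a denied `ecr:DescribeRepositories` — is treated as "repository does not exist" and answered with `create-repository`; matching `RepositoryNotFoundException` in the captured output would distinguish the two cases.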
@@ -94,24 +103,24 @@ jobs:
 build-args: |
 GITHUB_SHA=${{ github.sha }}
 VERSION=${{ inputs.version }}
- APP_NAME=${{ github.event.deployment.payload.name }}
- ENVIRONMENT=${{ github.event.deployment.payload.env }}
+ APP_NAME=${{ env.APP_NAME }}
+ ENVIRONMENT=${{ env.ENVIRONMENT }}
 NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}
- cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:cache
- cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:cache
+ cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:cache
+ cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:cache
 context: ${{ github.event.deployment.payload.container.context }}
 load: true
 file: ${{ github.event.deployment.payload.container.file }}
 platforms: linux/amd64
 tags: |
- ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest
- ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ inputs.version }}
- ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:${{ github.sha }}
+ ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:latest
+ ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:${{ inputs.version }}
+ ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:${{ github.sha }}
 - name: Scan for vulnerabilities
 if: inputs.enableContainerScan
 uses: crazy-max/ghaction-container-scan@v3
 with:
- image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:latest
+ image: ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:latest
 dockerfile: Containerfile
 severity: ${{ env.IMAGE_SCAN_SEVERITY }}
 severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
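Review bot: The hunk moves the image name and environment onto `env.APP_NAME`/`env.ENVIRONMENT` but leaves `context:` and `file:` on `github.event.deployment.payload.container.*`, which is empty when this workflow is reached through the new `workflow_call` path rather than a `deployment` event; the build action then presumably falls back to its own defaults (Git context and `Dockerfile`) while the scan step below still assumes `dockerfile: Containerfile`, so the image built and the file scanned may differ. Giving build-image.yaml explicit context/file inputs with the same fallback pattern used for `APP_NAME` would keep both call paths consistent. The neighbouring `NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}` build-arg is pre-existing, but worth noting while this block is being reworked: a `--build-arg` value can end up in the image's layer history unless the Containerfile takes care, whereas the action's `secrets:` input mounts it only during the build. The matrix build hunk later in this patch has the same `context:`/`file:` gap. The build step begins before the hunk.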
@@ -120,18 +129,21 @@ jobs:
 TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
 - name: Push image to ECR
 run: |
- docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}
+ docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}

 build-ecr-matrix:
 if: inputs.imageTargets != ''
 permissions:
 id-token: write
 contents: read
- environment: ${{ github.event.deployment.payload.env }}
+ environment: ${{ inputs.environment != '' && inputs.environment || github.event.deployment.payload.env }}
 runs-on: ${{ inputs.runner }}
 strategy:
 matrix:
 containerfile_targets: ${{ fromJson(inputs.imageTargets) }}
+ env:
+ APP_NAME: ${{ inputs.appName != '' && inputs.appName || inputs.artifactName != '' && inputs.artifactName || github.event.deployment.payload.name }}
+ ENVIRONMENT: ${{ inputs.environment != '' && inputs.environment || github.event.deployment.payload.env }}
 steps:
 - name: Checkout current git repository
 uses: actions/checkout@v4
@@ -157,12 +169,12 @@ jobs:
 role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
 - name: Create ${{ matrix.containerfile_targets }} ECR repository if it doesn't exist
 run: |
- if ! aws ecr describe-repositories --repository-names ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} 2>/dev/null; then
- echo "Repository ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} does not exist, creating it..."
- aws ecr create-repository --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}
+ if ! aws ecr describe-repositories --repository-names ${{ env.APP_NAME }}-${{ matrix.containerfile_targets }} 2>/dev/null; then
+ echo "Repository ${{ env.APP_NAME }}-${{ matrix.containerfile_targets }} does not exist, creating it..."
+ aws ecr create-repository --repository-name ${{ env.APP_NAME }}-${{ matrix.containerfile_targets }}
 echo "Setting lifecycle policy..."
 else
- echo "Repository ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} already exists, skipping creation"
+ echo "Repository ${{ env.APP_NAME }}-${{ matrix.containerfile_targets }} already exists, skipping creation"
 fi

 echo "Applying lifecycle policies"
@@ -171,7 +183,7 @@ jobs:
 {"rulePriority":2,"description":"Preserve production images","selection":{"tagStatus":"tagged","tagPatternList":["v*"],"countType":"imageCountMoreThan","countNumber":50},"action":{"type":"expire"}},
 {"rulePriority":3,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"sinceImagePushed","countUnit":"days","countNumber":7},"action":{"type":"expire"}}
 ]}'
- aws ecr put-lifecycle-policy --repository-name ${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }} --lifecycle-policy-text "$LIFECYCLE_POLICY"
+ aws ecr put-lifecycle-policy --repository-name ${{ env.APP_NAME }}-${{ matrix.containerfile_targets }} --lifecycle-policy-text "$LIFECYCLE_POLICY"
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v2
@@ -181,25 +193,25 @@ jobs:
 build-args: |
 GITHUB_SHA=${{ github.sha }}
 VERSION=${{ inputs.version }}
- APP_NAME=${{ github.event.deployment.payload.name }}
- ENVIRONMENT=${{ github.event.deployment.payload.env }}
+ APP_NAME=${{ env.APP_NAME }}
+ ENVIRONMENT=${{ env.ENVIRONMENT }}
 NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}
- cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:cache
- cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}:cache
+ cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:cache
+ cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:cache
 context: ${{ github.event.deployment.payload.container.context }}
 load: true
 file: ${{ github.event.deployment.payload.container.file }}
 platforms: linux/amd64
 tags: |
- ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest
- ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ inputs.version }}
- ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:${{ github.sha }}
+ ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}-${{ matrix.containerfile_targets }}:latest
+ ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}-${{ matrix.containerfile_targets }}:${{ inputs.version }}
+ ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}-${{ matrix.containerfile_targets }}:${{ github.sha }}
 target: ${{ matrix.containerfile_targets }}
 - name: Scan for vulnerabilities
 if: inputs.enableContainerScan
 uses: crazy-max/ghaction-container-scan@v3
 with:
- image: ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}:latest
+ image: ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}-${{ matrix.containerfile_targets }}:latest
 dockerfile: Containerfile
 severity: ${{ env.IMAGE_SCAN_SEVERITY }}
 severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
@@ -208,4 +220,4 @@ jobs:
 TRIVY_TIMEOUT: ${{ env.IMAGE_SCAN_TRIVY_TIMEOUT }}
 - name: Push ${{ matrix.containerfile_targets }} image to ECR
 run: |
- docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ github.event.deployment.payload.name }}-${{ matrix.containerfile_targets }}
+ docker push -a ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}-${{ matrix.containerfile_targets }}
From bd49fb5ee036d9a5a121ef27a68a9d57a24c5b2b Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 10:26:37 +0100
Subject: [PATCH 08/15] adjust
---
 .github/workflows/build-and-deploy-to-eks.yaml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index 22a0887..c8e1a99 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -12,6 +12,14 @@ on:
 description: Downloads a previously uploaded artifact (has to be in the same workflow). Both artifactPath and artifactName have to be passed.
 default: ""
 type: string
+ appName:
+ required: false
+ type: string
+ default: ""
+ environment:
+ required: false
+ type: string
+ default: ""
 description:
 required: false
 type: string
@@ -101,7 +109,7 @@ jobs:
 permissions:
 contents: read
 id-token: write
- uses: parcelLab/ci/.github/workflows/build-image.yaml@v8
+ uses: ./.github/workflows/build-image.yaml
 with:
 artifactName: ${{ inputs.artifactName }}
 artifactPath: ${{ inputs.artifactPath }}
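Review bot: `NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}` is still supplied under `build-args:` on the new side while `cache-to: mode=max` now pushes every intermediate layer to `${{ env.APP_NAME }}:cache`; a build `ARG` value is recorded in the metadata of whichever stage declares it, so unless the Containerfile confines it to a discarded builder stage (not visible here) the read token can be recovered from the pushed cache or image. Use BuildKit secrets instead: add `secrets: |` followed by `NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}` to this step and consume it in the Containerfile with `RUN --mount=type=secret,id=NPM_GITHUB_TOKEN`, then remove the build-arg line. The step's `with:` block and its `- name:` start before this hunk.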
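Review bot: `appName` and `environment` are declared optional with `default: ""`, yet the build hunks above derive the ECR repository name, the `:cache` ref and every image tag from `APP_NAME` (presumably mapped from this input), so a caller that omits `appName` ends up with names like `<registry>/-<target>` instead of a clear validation error. Make `appName` `required: true`, or document the fallback if one is derived elsewhere. Both inputs also lack a `description:`; e.g. `description: Application name, used as the ECR repository name and image tag prefix`.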
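Review bot: Swapping the pinned `parcelLab/ci/.github/workflows/build-image.yaml@v8` for the local `./.github/workflows/build-image.yaml` changes how the nested workflow is resolved: as far as I can tell a `./` reference in a reusable workflow is resolved against the repository and commit of the top-level caller, not the repository containing this file, so if `build-and-deploy-to-eks.yaml` is itself consumed from other repositories via `parcelLab/ci/...@vN` the nested call fails with "workflow not found" unless those callers also carry a `build-image.yaml` — please verify with a cross-repo caller before merging. It also removes the independent version pin; if "same ref as this file" is the intent, say so above the line, e.g. `# local reference: runs build-image.yaml from the same ref as this workflow`.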
@@ -109,8 +117,8 @@ jobs:
 enableContainerScan: ${{ inputs.enableContainerScan }}
 runner: ${{ inputs.runner }}
 version: ${{ needs.init.outputs.version }}
- appName: ${{ inputs.artifactName }}
- environment: ${{ inputs.env }}
+ appName: ${{ inputs.appName }}
+ environment: ${{ inputs.environment }}
 secrets: inherit
 commit:
From 2548a5525daa09c8ea9ca1e8 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 10:46:59 +0100
Subject: [PATCH 09/15] specify dockerfile
---
 .../workflows/build-and-deploy-to-eks.yaml | 10 ++++++++++
 .github/workflows/build-image.yaml | 20 +++++++++++++------
 2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index c8e1a99..e03f3fe 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -72,6 +72,14 @@ on:
 tagPath:
 required: false
 type: string
+ context:
+ required: false
+ type: string
+ default: "."
+ dockerfile:
+ required: false
+ type: string
+ default: "Containerfile"
 secrets:
 slackBotToken:
 required: false
@@ -119,6 +127,8 @@ jobs:
 version: ${{ needs.init.outputs.version }}
 appName: ${{ inputs.appName }}
 environment: ${{ inputs.environment }}
+ context: ${{ inputs.context }}
+ dockerfile: ${{ inputs.dockerfile }}
 secrets: inherit
 commit:
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
index db8157d..13821b4 100644
--- a/.github/workflows/build-image.yaml
+++ b/.github/workflows/build-image.yaml
@@ -36,6 +36,14 @@ on:
 environment:
 required: false
 type: string
+ context:
+ required: false
+ type: string
+ default: "."
+ dockerfile:
+ required: false
+ type: string
+ default: "Containerfile"
 env:
 IMAGE_SCAN_SEVERITY: LOW
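Review bot: `secrets: inherit` (context line right under the corrected `appName`/`environment` mapping) forwards every secret of the caller to the build job, including `repoAccessToken` and the Slack token that only the commit and notification jobs need, while the build hunks above reference nothing but `secrets.AWS_ROLE_TO_ASSUME` and `secrets.npmGithubReadToken`. Pass those explicitly — `secrets:` then `AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}` and `npmGithubReadToken: ${{ secrets.npmGithubReadToken }}` — so the job that runs third-party build and scan actions sees only the credentials it needs. The `build` job definition starts before this hunk.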
@@ -108,9 +116,9 @@ jobs:
 NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}
 cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:cache
 cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:cache
- context: ${{ github.event.deployment.payload.container.context }}
+ context: ${{ inputs.context != '' && inputs.context || github.event.deployment.payload.container.context }}
 load: true
- file: ${{ github.event.deployment.payload.container.file }}
+ file: ${{ inputs.dockerfile != '' && inputs.dockerfile || github.event.deployment.payload.container.file }}
 platforms: linux/amd64
 tags: |
 ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:latest
@@ -121,7 +129,7 @@ jobs:
 uses: crazy-max/ghaction-container-scan@v3
 with:
 image: ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:latest
- dockerfile: Containerfile
+ dockerfile: ${{ inputs.dockerfile }}
 severity: ${{ env.IMAGE_SCAN_SEVERITY }}
 severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
 annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
@@ -198,9 +206,9 @@ jobs:
 NPM_GITHUB_TOKEN=${{ secrets.npmGithubReadToken }}
 cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:cache
 cache-to: mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:cache
- context: ${{ github.event.deployment.payload.container.context }}
+ context: ${{ inputs.context != '' && inputs.context || github.event.deployment.payload.container.context }}
 load: true
- file: ${{ github.event.deployment.payload.container.file }}
+ file: ${{ inputs.dockerfile != '' && inputs.dockerfile || github.event.deployment.payload.container.file }}
 platforms: linux/amd64
 tags: |
 ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}-${{ matrix.containerfile_targets }}:latest
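Review bot: The new `context:`/`file:` fallbacks to `github.event.deployment.payload.container.*` are effectively dead code: `inputs.context` defaults to `"."` and `inputs.dockerfile` to `"Containerfile"` in the same patch, so the `!= ''` test is false only when a caller passes an explicit empty string, and a deployment-triggered run silently builds from the defaults rather than from its payload. Either leave the defaults empty (`default: ""`) so the payload branch is reachable, or drop the payload branch and make the inputs the single source; a non-empty default combined with a fallback does neither. The build step's `with:` block starts before this hunk.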
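Review bot: The scan step now takes `dockerfile: ${{ inputs.dockerfile }}` without the `!= ''` fallback that the build step applies to `file:`, so a caller passing an empty `dockerfile` builds from `github.event.deployment.payload.container.file` but scans against an empty path; use the same expression here, `dockerfile: ${{ inputs.dockerfile != '' && inputs.dockerfile || github.event.deployment.payload.container.file }}`, or expose it as a step output so the two cannot drift. The scan path is also not joined with `inputs.context`, so a non-`.` context with a relative `dockerfile` may resolve differently for the build and the scan — worth a comment above the line. The step's `- name:` and `if:` lines are outside this hunk.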
@@ -212,7 +220,7 @@ jobs:
 uses: crazy-max/ghaction-container-scan@v3
 with:
 image: ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}-${{ matrix.containerfile_targets }}:latest
- dockerfile: Containerfile
+ dockerfile: ${{ inputs.dockerfile }}
 severity: ${{ env.IMAGE_SCAN_SEVERITY }}
 severity_threshold: ${{ env.IMAGE_SCAN_SEVERITY_THRESHOLD }}
 annotations: ${{ env.IMAGE_SCAN_ANNOTATIONS }}
From c7b55797067496c75358eb903cde409519e9125d Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 12:18:35 +0100
Subject: [PATCH 10/15] fix the commit and push tag
---
 .github/workflows/build-and-deploy-to-eks.yaml | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index e03f3fe..f9ab0d6 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -148,22 +148,19 @@ jobs:
 set -euxo pipefail
 git config user.email "dev.bot@parcellab.com"
 git config user.name "parcellab-dev-bot"
- git add ${{ inputs.deploymentRepoPath }}/values.yaml
+ git add .
 if git diff --cached --quiet; then
 echo "No changes to commit"
 exit 0
 fi
- git commit -m "chore(deploy): set ${{ inputs.env }} image tag to ${{ needs.init.outputs.version }}"
-
- if [ "${{ inputs.env }}" = "staging" ]; then
- echo "Commit new tag to staging"
+ git commit -m "chore(deploy): set $ENV image tag to $VERSION"
+ if [ "$PUSH_TO_ENV_TAG" = "true" ]; then
+ echo "Set new image tag to $ENV"
 NEW_SHA=$(git rev-parse HEAD)
- VERSION="${{ needs.init.outputs.version }}"
- git tag -fa staging -m "staging deploy ${VERSION} (${NEW_SHA}) via ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" "${NEW_SHA}"
- git push origin -f refs/tags/staging
+ git tag -fa "$ENV" -m "$ENV deploy $VERSION ($NEW_SHA)" "$NEW_SHA"
+ git push origin -f "refs/tags/$ENV"
 else
- echo "Commit new tag to ${{ inputs.env }}"
- git push origin HEAD:main
+ git push origin main
 fi
 post-deploy:
From 9424fa01a503bdeb4523aa4290dba3b392b0935f Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 12:48:34 +0100
Subject: [PATCH 11/15] fix env
---
 .github/workflows/build-and-deploy-to-eks.yaml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index f9ab0d6..ccb3c3f 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -133,7 +133,6 @@ jobs:
 commit:
 needs: build
- environment: ${{ inputs.env }}
 concurrency: commit-${{ inputs.deploymentRepoURL }}-${{ github.sha }}
 runs-on: ${{ inputs.runner }}
 steps:
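Review bot: `git add .` replaces the single-file `git add …/values.yaml`, so anything else present in the deployment-repo checkout at this point — an artifact downloaded earlier in the job, a backup file left by the yq step, output of a pre-script — is committed and pushed to the GitOps repository's `main`; keep the add scoped, e.g. `git add -- "$DEPLOY_PATH/values.yaml"` with `DEPLOY_PATH: ${{ inputs.deploymentRepoPath }}` in the step's `env:`. The tag branch force-pushes `refs/tags/$ENV` for whatever `$ENV` resolves to, so a mistyped caller input can move the `production` tag; validate it first, `case "$ENV" in staging|production) ;; *) echo "unknown env: $ENV" >&2; exit 1;; esac`, with the accepted names matching the environments this repository actually deploys. `$ENV`, `$VERSION` and `$PUSH_TO_ENV_TAG` are not assigned anywhere in this hunk, and under `set -u` the `git commit` line aborts on the first use unless an `env:` block outside the hunk supplies them. The `run:` block and the step that owns it begin before this hunk.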
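Review bot: Removing `environment: ${{ inputs.env }}` from the `commit` job also removes its binding to the GitHub Environment of that name, so any required-reviewer or deployment-branch protection configured there no longer gates the job that pushes to the deployment repository and force-moves the env tag, and environment-scoped secrets and variables are no longer resolved for it. If the motivation is the name clash with the new `environment` input rather than dropping the gate, keep the job key and rename the input (`appEnvironment:`) instead, or record the decision in a comment above `concurrency:`, e.g. `# intentionally not bound to a GitHub Environment: no approval gate on this push`. The job's `steps:` continue outside this hunk.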
@@ -153,12 +152,12 @@ jobs:
 echo "No changes to commit"
 exit 0
 fi
- git commit -m "chore(deploy): set $ENV image tag to $VERSION"
- if [ "$PUSH_TO_ENV_TAG" = "true" ]; then
- echo "Set new image tag to $ENV"
+ git commit -m "chore(deploy): set $env image tag to $version"
+ if [ "${{ inputs.pushToEnvTag }}" = "true" ]; then
+ echo "Set new image tag to $env"
 NEW_SHA=$(git rev-parse HEAD)
- git tag -fa "$ENV" -m "$ENV deploy $VERSION ($NEW_SHA)" "$NEW_SHA"
- git push origin -f "refs/tags/$ENV"
+ git tag -fa "$env" -m "$env deploy $version ($NEW_SHA)" "$NEW_SHA"
+ git push origin -f "refs/tags/$env"
 else
 git push origin main
 fi
From bcaadf82d5c13b1728e54e73a08dc86de6ae483f Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 13:06:22 +0100
Subject: [PATCH 12/15] add pushToEnvTag to inputs
---
 .github/workflows/build-and-deploy-to-eks.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index ccb3c3f..dc07485 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -80,6 +80,10 @@ on:
 required: false
 type: string
 default: "Containerfile"
+ pushToEnvTag:
+ required: false
+ type: boolean
+ default: false
 secrets:
 slackBotToken:
 required: false
From 30f69fc262aab8f00c7ad297dbf7d8dfa3a57113 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 14:09:13 +0100
Subject: [PATCH 13/15] set vars
---
 .github/workflows/build-and-deploy-to-eks.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index dc07485..e5a9ec2 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
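Review bot: `pushToEnvTag` has no `description:`, and its effect is significant: when true the commit job publishes the values change only by force-moving the tag named after `env` and never pushes the commit to `main` (see the `git push origin -f "refs/tags/$env"` branch above). Add something like `description: When true, publish the deploy commit by force-updating the tag named after env instead of pushing to main` so callers understand they are opting into a tag-driven, force-updated deployment ref. The `inputs:` map continues outside this hunk.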
@@ -147,6 +147,9 @@ jobs:
 with:
 cmd: yq '(.${{ inputs.tagPath }} = "${{ needs.init.outputs.version }}")' -i ${{ inputs.deploymentRepoPath }}/values.yaml
 - name: Commit and push new tag
+ env:
+ env: ${{ inputs.env }}
+ version: ${{ needs.init.outputs.version }}
 run: |
 set -euxo pipefail
 git config user.email "dev.bot@parcellab.com"
From 52258933e2091e05bd0814ace8388b60c72d1e1f Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Tue, 17 Feb 2026 16:15:57 +0100
Subject: [PATCH 14/15] try another fix
---
 .github/workflows/build-and-deploy-to-eks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index e5a9ec2..37814a9 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -166,7 +166,7 @@ jobs:
 git tag -fa "$env" -m "$env deploy $version ($NEW_SHA)" "$NEW_SHA"
 git push origin -f "refs/tags/$env"
 else
- git push origin main
+ git push origin HEAD:main
 fi
 post-deploy:
From 47528c769c9373e4c10f08265050339f6c516c56 Mon Sep 17 00:00:00 2001
From: Kirill Plis
Date: Wed, 18 Feb 2026 07:57:40 +0100
Subject: [PATCH 15/15] add init to need
---
 .github/workflows/build-and-deploy-to-eks.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-and-deploy-to-eks.yaml b/.github/workflows/build-and-deploy-to-eks.yaml
index 37814a9..c20be26 100644
--- a/.github/workflows/build-and-deploy-to-eks.yaml
+++ b/.github/workflows/build-and-deploy-to-eks.yaml
@@ -136,7 +136,7 @@ jobs:
 secrets: inherit
 commit:
- needs: build
+ needs: [init, build]
 concurrency: commit-${{ inputs.deploymentRepoURL }}-${{ github.sha }}
 runs-on: ${{ inputs.runner }}
 steps:
@@ -166,6 +166,7 @@ jobs:
 git tag -fa "$env" -m "$env deploy $version ($NEW_SHA)" "$NEW_SHA"
 git push origin -f "refs/tags/$env"
 else
+ git pull origin main --rebase
 git push origin HEAD:main
 fi
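Review bot: The new `env:` block is attached only to the commit step, while the yq step just above it (context line) still interpolates `inputs.tagPath`, `needs.init.outputs.version` and `inputs.deploymentRepoPath` straight into its `cmd:` string, where a value containing a quote or `)` breaks out of the yq expression and, if the action runs `cmd` through a shell, of the command itself. Give that step the same `env:` and reference the value as `strenv(version)` instead of `"${{ needs.init.outputs.version }}"`; `tagPath` cannot be passed as data, so check it in a preceding `run:` step (`[[ "$TAG_PATH" =~ ^[A-Za-z0-9_.]+$ ]] || exit 1`) before it reaches the expression. Lowercase `env` and `version` as variable names also read like the workflow keys `env:`/`version:` two lines away; `DEPLOY_ENV`/`IMAGE_VERSION` would be clearer, though that touches the script lines outside this hunk. The `steps:` list continues before and after this hunk.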
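Review bot: `git pull origin main --rebase` papers over concurrent writers, but the job's `concurrency` group (`commit-${{ inputs.deploymentRepoURL }}-${{ github.sha }}` in the hunk above) still includes the source SHA, so runs for different commits edit the same deployment repository at once; when two of them touch the same `values.yaml` key the rebase conflicts, `set -e` aborts the step mid-rebase and nothing is retried. Either key the group on the deployment repository alone, `concurrency: commit-${{ inputs.deploymentRepoURL }}`, so pushes are serialised and the rebase becomes a cheap no-op, or wrap the pull and push in a short retry loop that re-fetches when the push is rejected as non-fast-forward. The step's `run:` block begins before this hunk.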