From 5e211e0c68e715a891e5c86fd74854f4f5cb7cf6 Mon Sep 17 00:00:00 2001
From: Aliza Held <aliza.held@strato.de>
Date: Thu, 12 Feb 2026 15:30:55 +0100
Subject: [PATCH] IONOS(ci): Add workflow to promote artifacts

upon QA-approval

Signed-off-by: Aliza Held <aliza.held@strato.de>
---
 .github/workflows/promote-artifact.yml | 89 ++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 .github/workflows/promote-artifact.yml

diff --git a/.github/workflows/promote-artifact.yml b/.github/workflows/promote-artifact.yml
new file mode 100644
index 0000000000000..9e20f5ba39075
--- /dev/null
+++ b/.github/workflows/promote-artifact.yml
@@ -0,0 +1,89 @@
+name: Promote QA-approved artifacts to stable branch
+
+# - Takes a commit SHA as input
+# - Fast-forward merges it to ionos-stable (no new commits)
+# - Promotes the exact artifact from Artifactory (no rebuild)
+
+on: 
+  workflow_dispatch: 
+
+env: 
+  REGISTRY: ghcr.io
+  SHA: ${{ github.sha }}
+  ARTIFACTORY_REPOSITORY_SNAPSHOT: ionos-productivity-ncwserver-snapshot
+  CACHE_VERSION: v1.0
+
+permissions:
+  contents: write
+
+jobs: 
+  promote-git: 
+  # Fast-forward merge SHA from ionos-dev into ionos-stable
+  # (This ensures commit-hash is identical)
+    runs-on: ubuntu-latest
+    steps: 
+      - name: Checkout server
+        id: checkout_server
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      
+      - name: Verify SHA is in ionos-dev
+        id: verify_sha
+        run: |
+          git checkout ionos-stable
+          git fetch origin ionos-stable ionos-dev
+          #verify SHA is on ionos-dev
+          if ! git merge-base --is-ancestor "$SHA" origin/ionos-dev; then
+            echo "Error: SHA does not exist on ionos-dev: $SHA"
+            exit 1
+          fi
+      
+      - name: Fast-forward merge
+        id: ff_merge
+        run: |
+          # Merge will fail if not possible
+          if ! git merge --ff-only "$SHA"; then
+            echo "Fast-forward merge not possible"
+            exit 1
+          else 
+            git push origin ionos-stable
+          fi
+
+  promote-artifact: 
+  # Copy specified artifact to the release repo -> No rebuild
+  # (ionos-productivity-ncwserver-release)
+    needs: promote-git
+    runs-on: ubuntu-latest
+    steps: 
+      - name: Setup JFrog CLI
+        id: setup_jf
+        uses: jfrog/setup-jfrog-cli@7c95feb32008765e1b4e626b078dfd897c4340ad # v4.4.1
+        env:
+          JF_URL: ${{ secrets.JF_ARTIFACTORY_URL }}
+          JF_USER: ${{ secrets.JF_ARTIFACTORY_USER }}
+          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
+
+      - name: Ping the JF server
+        run: |
+          # Ping the server
+          jf rt ping
+
+      - name: Find artifacts matching the SHA
+        id: find_artifact
+        run: |
+          if ! jf rt search "ionos-productivity-ncwserver-snapshot/dev/*/$SHA/*.tar.gz"; then
+            echo "No artifact with SHA $SHA found."
+            exit 1
+          else
+            echo "Artifact found for SHA $SHA"
+          fi
+
+      - name: Copy artifact to target
+        id: copy_artifact
+        run: |
+          jf rt copy \
+          "ionos-productivity-ncwserver-snapshot/dev/*/$SHA/*" \
+          "ionos-productivity-ncwserver-release/$SHA/" \
+          --flat=false
+