CD Deploy Production #17
```yaml
# Production Pulumi deploy (layer_1 → layer_2 → platform prod stacks).
# Refactored: reusable stack-map driven deploy (#682).
#
# GitHub Environment `production` must hold **prod-only** credentials. Do not reuse
# repository or pre-prod environment secret *names* for prod paths (avoids foot-guns
# when copying workflow YAML). Configure these as **Environment secrets** on
# Settings → Environments → production:
#
#   PROD_MANAGER_HOST        — SSH/Tailscale host for the production Docker manager
#   PROD_SSH_USER            — SSH user for that host
#   PROD_SSH_KEY             — Private key for PROD_SSH_USER (prod droplet only)
#   PROD_TAILSCALE_AUTHKEY   — Optional; Tailscale auth key that reaches prod only
#   PROD_PULUMI_ACCESS_TOKEN - Needed for login to Pulumi state provider (default pulumi cloud)
#
# Enable **required reviewers** on the `production` environment so `pulumi up` cannot
# run until approved. Note: GitHub waits for that approval before the job starts, so
# `pulumi preview` in this job also runs only after approval; the log order is still
# preview for all prod stacks, then `pulumi up` in dependency order (#667 / infra README).
#
# Rollback / break-glass: see issue #680.
#
# Related: #678

name: CD Deploy Production

on:
  workflow_dispatch:
    inputs:
      git_sha:
        description: 'Full commit SHA to deploy (exact ref; not floating main)'
        required: true
        type: string
      confirm:
        description: 'Typo guard: set to the repo full name (org/repo) or DEPLOY_PROD (optional if left empty)'
        required: false
        type: string
        default: ''

concurrency:
  group: prod-deploy
  cancel-in-progress: false

permissions:
  contents: read

jobs:
  pulumi-prod:
    uses: ./.github/workflows/_reusable-pulumi-deploy.yml
    with:
      lane: main
      target: prod
      git_sha: ${{ github.event.inputs.git_sha }}
      deploy_profile: prod_cd
      prod_confirm: ${{ github.event.inputs.confirm }}
    secrets: inherit
```
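The two `workflow_dispatch` inputs above are only as safe as the check that consumes them in `_reusable-pulumi-deploy.yml`, which this page does not show. The following is an added shell example, not the repository's own code, of the input validation a first step of that reusable workflow could run: it rejects anything that is not a full 40-hex-digit commit SHA (so a branch name such as `main` can never be deployed as a floating ref) and enforces the `confirm` typo guard exactly as the input description states. The function name `check_prod_inputs` and the use of `GITHUB_REPOSITORY` as the repo full name are assumptions; the SHA values are constructed, not real commits.

```shell
#!/usr/bin/env sh
# Added example (hypothetical helper, not from the repository): validate the
# workflow_dispatch inputs before any Pulumi step runs.
#
# Usage: check_prod_inputs <git_sha> <confirm> <repo_full_name>
#   returns 0 when the deploy may proceed, 1 otherwise (reason written to stderr).
#   In a workflow step, <repo_full_name> would normally be "$GITHUB_REPOSITORY".
check_prod_inputs() {
  sha="$1"
  confirm="$2"
  repo="$3"

  # git_sha must be a full 40-hex-digit commit SHA. Branch names, tags and
  # abbreviated SHAs contain non-hex characters or are too short, so they fail here.
  case "$sha" in
    ""|*[!0-9a-fA-F]*)
      echo "git_sha must be a full commit SHA, got: '$sha'" >&2
      return 1 ;;
  esac
  if [ "${#sha}" -ne 40 ]; then
    echo "git_sha must be 40 hex digits, got ${#sha}" >&2
    return 1
  fi

  # confirm is optional; when set it must equal the repo full name or DEPLOY_PROD.
  # A quoted "$repo" in a case pattern is matched literally, not as a glob.
  case "$confirm" in
    "")                   ;;  # left empty: typo guard not used
    "$repo"|DEPLOY_PROD)  ;;  # accepted spellings
    *)
      echo "confirm must be '$repo' or DEPLOY_PROD, got: '$confirm'" >&2
      return 1 ;;
  esac
  return 0
}

# Self-check with constructed values when this file is run directly.
if [ "${0##*/}" = "check_prod_inputs.sh" ]; then
  good_sha="0123456789abcdef0123456789abcdef01234567"   # constructed, not a real commit
  check_prod_inputs "$good_sha" "org/repo" "org/repo" && echo "accepted exact SHA"
  check_prod_inputs "main" "" "org/repo" || echo "rejected floating ref"
fi
```

The check deliberately runs before any `pulumi login` or secret use, so a rejected input never reaches the environment that holds the prod-only credentials; combined with required reviewers on the `production` environment, an approver sees the exact SHA that will be applied.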