feat: Deploy to staging by default on merge

Erethon · Erethon · commit bd3a1e2b4425 · 2025-07-17T02:23:03.000+03:00
Deploying to production now requires a merge on the `production` branch.
diff --git a/.github/workflows/deployments.yaml b/.github/workflows/deployments.yaml
@@ -7,10 +7,19 @@ on:
     types:
       - completed
   push:
-    branches: main
+    branches: [main, production]
 jobs:
-  deploy-to-staging:
+  deploy-environment:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - environment: staging
+            host: staging-tracker.security.nixos.org
+            branch: main
+          - environment: production
+            host: tracker.security.nixos.org
+            branch: production
     steps:
       - uses: actions/checkout@v4
       - uses: cachix/install-nix-action@v29
@@ -19,4 +28,7 @@ jobs:
           ssh-private-key: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
       - name: Trust staging server public SSH host keys
         run: cat ./infra/host_keys >> ~/.ssh/known_hosts
-      - run: nix-shell default.nix -A ci --run deploy
+      - name: Deploy to ${{ matrix.environment }}
+        # Only deploy production when on production branch
+        if: github.ref == 'refs/heads/${{ matrix.branch }}'
+        run: nix-shell default.nix -A ci --run "deploy switch ${{ matrix.host }}"
diff --git a/infra/README.md b/infra/README.md
@@ -23,6 +23,11 @@ For more instructions on how to use OpenTofu refer to the [upstream documentatio
 Since Hetzner Cloud doesn't support NixOS out of the box, the VM was initially spawned as a Debian host and then it was converted to NixOS as per the [provisioning NixOS via SSH tutorial](https://nix.dev/tutorials/nixos/provisioning-remote-machines).
 If in the future we need to create more VMs and do it in a declarative way, we can use [nixos-anywhere](https://github.com/nix-community/nixos-anywhere).
 
+## Deploying the Security Tracker
+
+Deployments happen automatically via GitHub Actions. Whenever something is merged on a the `main` branch, a GitHub Action runs that updates the staging deployment of the tracker (staging-tracker.security.nixos.org).
+Similarly, merges on the `production` branch get automatically applied to tracker.security.nixos.org.
+
 ## Secrets
 
 Secrets are managed using [Agenix](https://github.com/ryantm/agenix).
