ci(kiloclaw): push prod image to dev registry on every deploy (#2197)

kilo-code-bot[bot] · web-flow · commit a589a209fbb2 · 2026-04-08T12:21:00.000-05:00
* ci(kiloclaw): push prod image to dev registry on every deploy

After building (or reusing) the prod Docker image, re-tag and push
it to the dev Fly registry (kiloclaw-registry-dev) with a dev-&lt;unix-timestamp&gt;
tag. This keeps the dev environment in sync with production images
without needing a separate manual workflow run.

Also writes a GitHub Step Summary with .dev.vars entries so
developers can copy the values for local wrangler dev usage.

* fix(ci): isolate dev image push from prod deploy

Move the dev registry push into a separate job to fix two issues:

1. Registry credential conflict: the dev login overwrote prod credentials
   at registry.fly.io before the prod image could be pulled. The new job
   logs in with prod creds first to pull, then switches to dev creds to push.

2. Dev push blocking prod deploys: the dev push steps were inline in the
   deploy job, so a failure would block the worker deploy and Slack
   notification. The new push-dev-image job runs after deploy completes
   with continue-on-error: true, so failures are non-blocking.

* ci(kiloclaw): also tag and push dev image as latest

---------

Co-authored-by: kiloconnect[bot] &lt;240665456+kiloconnect[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/deploy-kiloclaw.yml b/.github/workflows/deploy-kiloclaw.yml
@@ -12,6 +12,11 @@ jobs:
     runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
     timeout-minutes: 30
     name: Deploy KiloClaw
+    outputs:
+      image-tag: ${{ steps.image-hash.outputs.tag }}
+      image-hash: ${{ steps.image-hash.outputs.hash }}
+      image-digest: ${{ steps.image-digest.outputs.digest }}
+      openclaw-version: ${{ steps.openclaw-version.outputs.version }}
 
     steps:
       - name: Checkout code
@@ -226,3 +231,92 @@ jobs:
                 }
               ]
             }
+
+  # ── Push prod image to dev registry ───────────────────────────
+  # Runs after the production deploy completes. Copies the prod image
+  # to the dev Fly registry so dev stays in sync automatically.
+  # continue-on-error ensures a dev push failure never blocks prod.
+  push-dev-image:
+    needs: [deploy]
+    runs-on: ${{ vars.RUNNER_DEFAULT_LABEL || 'ubuntu-latest' }}
+    timeout-minutes: 10
+    name: Push Dev Image
+    continue-on-error: true
+
+    steps:
+      - name: Setup Docker Buildx
+        uses: useblacksmith/setup-docker-builder@5241b2e9423e8b1fa37ed6050ecb62d0fb9a4e38 # v1.6.0
+
+      # Login with prod credentials FIRST to pull the prod image
+      - name: Login to prod Fly Registry
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          registry: registry.fly.io
+          username: x
+          password: ${{ secrets.FLY_API_TOKEN }}
+
+      - name: Pull prod image
+        run: |
+          PROD_IMAGE="registry.fly.io/kiloclaw-machines:${{ needs.deploy.outputs.image-tag }}"
+          echo "Pulling prod image: ${PROD_IMAGE}"
+          docker pull "${PROD_IMAGE}"
+
+      # Now switch to dev credentials for pushing
+      - name: Login to dev Fly Registry
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          registry: registry.fly.io
+          username: x
+          password: ${{ secrets.FLY_DEV_API_TOKEN }}
+
+      - name: Generate dev image tag
+        id: dev-tag
+        run: |
+          TIMESTAMP=$(date +%s)
+          echo "tag=dev-${TIMESTAMP}" >> "$GITHUB_OUTPUT"
+          echo "Dev tag: dev-${TIMESTAMP}"
+
+      - name: Tag and push to dev registry
+        run: |
+          PROD_IMAGE="registry.fly.io/kiloclaw-machines:${{ needs.deploy.outputs.image-tag }}"
+          DEV_IMAGE="registry.fly.io/kiloclaw-registry-dev:${{ steps.dev-tag.outputs.tag }}"
+          DEV_LATEST="registry.fly.io/kiloclaw-registry-dev:latest"
+
+          echo "Tagging as: ${DEV_IMAGE}"
+          docker tag "${PROD_IMAGE}" "${DEV_IMAGE}"
+
+          echo "Tagging as: ${DEV_LATEST}"
+          docker tag "${PROD_IMAGE}" "${DEV_LATEST}"
+
+          echo "Pushing to dev registry..."
+          docker push "${DEV_IMAGE}"
+          docker push "${DEV_LATEST}"
+
+          echo "✅ Pushed dev image: ${DEV_IMAGE}"
+          echo "✅ Pushed dev latest: ${DEV_LATEST}"
+
+      - name: Write dev .dev.vars summary
+        run: |
+          TAG="${{ steps.dev-tag.outputs.tag }}"
+          DIGEST="${{ needs.deploy.outputs.image-digest }}"
+          OPENCLAW="${{ needs.deploy.outputs.openclaw-version }}"
+          CONTENT="${{ needs.deploy.outputs.image-hash }}"
+
+          {
+            echo ""
+            echo "## .dev.vars entries for KiloClaw worker"
+            echo ""
+            echo "Add or update these in \`services/kiloclaw/.dev.vars\`, then restart wrangler dev:"
+            echo ""
+            echo '```'
+            echo "FLY_IMAGE_TAG=${TAG}"
+            if [ -n "$DIGEST" ]; then
+              echo "FLY_IMAGE_DIGEST=${DIGEST}"
+            fi
+            echo "OPENCLAW_VERSION=${OPENCLAW}"
+            echo "FLY_IMAGE_CONTENT_HASH=${CONTENT}"
+            echo '```'
+            echo ""
+            echo "**Image pushed to:** \`registry.fly.io/kiloclaw-registry-dev:${TAG}\`"
+            echo ""
+          } >> "$GITHUB_STEP_SUMMARY"
