From e34d510a4d91c47789a718759a61037747f6dedc Mon Sep 17 00:00:00 2001 From: jeffcumpsty-tpx Date: Fri, 27 Feb 2026 16:34:13 +0000 Subject: [PATCH 1/3] Remove workflow_run triggers and simplify deployment conditions in CI/CD pipeline --- .github/workflows/ci.yml | 2 -- .github/workflows/deploy.yml | 23 +++++------------------ 2 files changed, 5 insertions(+), 20 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fcc1384..cf771f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,8 +3,6 @@ name: CI/CD Pipeline on: pull_request: branches: [staging, main] - push: - branches: [staging, main] concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 260eb0e..507bcdd 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -1,10 +1,7 @@ name: Deploy to Heroku on: - workflow_run: - workflows: ["CI/CD Pipeline"] - types: - - completed + push: branches: [staging, main] concurrency: @@ -19,11 +16,6 @@ jobs: deploy-staging: name: Deploy to Staging runs-on: ubuntu-latest - if: > - github.event.workflow_run.conclusion == 'success' && - github.event.workflow_run.event == 'push' && - github.event.workflow_run.actor.login != 'dependabot[bot]' && - github.event.workflow_run.head_branch == 'staging' steps: - name: Checkout code @@ -55,7 +47,7 @@ jobs: HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }} IMAGE_NAME: ghcr.io/${{ steps.lowercase.outputs.repo_owner }}/${{ steps.lowercase.outputs.repo_name }} run: | - SHORT_SHA=$(echo ${{ github.event.workflow_run.head_sha }} | cut -c1-7) + SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7) echo "Deploying tested image: ${IMAGE_NAME}:sha-${SHORT_SHA} → ${{ vars.HEROKU_STAGING_APP }}" # Login to GHCR 
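Review bot: Removing `push:` from ci.yml's `on:` block means the commits that now trigger deploy.yml's `push` event (hunk @@ -1,10 of deploy.yml) no longer get a CI run of their own, so the `docker pull ${IMAGE_NAME}:sha-${SHORT_SHA}` derived from `github.sha` in hunks @@ -55,7 and @@ -115,7 expects an image that only the pull_request run could have pushed. In a pull_request run `github.sha` is the synthetic merge commit, not the commit that lands on staging or main, so unless docker-build tags the image by head SHA (its tagging is not shown in this series) the tag is likely to be missing at deploy time and the pull fails. Keeping the `push:` trigger with `branches: [staging, main]` here, or having docker-build publish a tag the deploy can resolve for the merged commit, would close that gap.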
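Review bot: Switching deploy.yml from `workflow_run` to `push` removes the only check that tied a deployment to a green CI run, and the `if:` blocks deleted in hunks @@ -19,11 and @@ -79,11 take the `conclusion == 'success'` and `actor.login != 'dependabot[bot]'` guards with them, so any push to staging or main — including an automated dependency bump — deploys to Heroku immediately, whatever the test, CodeQL, Trivy and ZAP jobs report. The "Pull tested image" step name and the "Deploying tested image" echo no longer describe what happens. If the goal is to drop the workflow_run coupling, the equivalent gate is to run the deploy jobs inside the CI workflow behind `needs:` on the scanning jobs, or to keep `workflow_run` together with the `conclusion == 'success'` condition; at minimum the commit message should say that deploys are now ungated.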
@@ -79,11 +71,6 @@ jobs: deploy-production: name: Deploy to Production runs-on: ubuntu-latest - if: > - github.event.workflow_run.conclusion == 'success' && - github.event.workflow_run.event == 'push' && - github.event.workflow_run.actor.login != 'dependabot[bot]' && - github.event.workflow_run.head_branch == 'main' steps: - name: Checkout code @@ -115,7 +102,7 @@ jobs: HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }} IMAGE_NAME: ghcr.io/${{ steps.lowercase.outputs.repo_owner }}/${{ steps.lowercase.outputs.repo_name }} run: | - SHORT_SHA=$(echo ${{ github.event.workflow_run.head_sha }} | cut -c1-7) + SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7) echo "Deploying tested image: ${IMAGE_NAME}:sha-${SHORT_SHA} → ${{ vars.HEROKU_PROD_APP }}" # Login to GHCR @@ -138,8 +125,8 @@ jobs: - name: Create GitHub Release uses: softprops/action-gh-release@v2.5.0 with: - tag_name: v${{ github.event.workflow_run.run_number }} - name: Release v${{ github.event.workflow_run.run_number }} + tag_name: v${{ github.run_number }} + name: Release v${{ github.run_number }} draft: false prerelease: false token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From a48fefefc89ac0577a4cc69dfaf6a647caf7b28f Mon Sep 17 00:00:00 2001 From: jeffcumpsty-tpx Date: Fri, 27 Feb 2026 16:40:27 +0000 Subject: [PATCH 2/3] Refactor CI/CD workflows: remove Heroku deployment from deploy.yml and create separate deploy-to-production.yml and deploy-to-staging.yml --- .../{deploy.yml => deploy-to-production.yml} | 60 +--------------- .github/workflows/deploy-to-staging.yml | 69 +++++++++++++++++++ 2 files changed, 72 insertions(+), 57 deletions(-) rename .github/workflows/{deploy.yml => deploy-to-production.yml} (54%) create mode 100644 .github/workflows/deploy-to-staging.yml diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy-to-production.yml similarity index 54% rename from .github/workflows/deploy.yml rename to .github/workflows/deploy-to-production.yml index 507bcdd..da11f6e 100644 
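Review bot: `tag_name: v${{ github.run_number }}` in hunk @@ -138,8 now takes its number from this deploy workflow's own run counter rather than the CI workflow's, so the release numbering changes source and can collide with `vN` tags already created from CI run numbers; how softprops/action-gh-release behaves on an existing tag depends on its settings, which are not visible here. A tag derived from something stable for the commit — a version string kept in the repository, or a `sha-` suffix built from `${{ github.sha }}` — avoids the collision, and the release step should be guarded on the outcome of the preceding deploy step so a failed release does not get a published `vN`.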
--- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy-to-production.yml @@ -1,8 +1,8 @@ -name: Deploy to Heroku +name: Deploy to Heroku (production) on: push: - branches: [staging, main] + branches: [main] concurrency: group: ${{ github.workflow }}-${{ github.ref }} 
@@ -13,61 +13,7 @@ permissions: contents: write # To create GitHub releases jobs: - deploy-staging: - name: Deploy to Staging - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v6.0.2 - - - name: Install Heroku CLI - run: curl https://cli-assets.heroku.com/install.sh | sh - - - name: Login to Heroku Container Registry - env: - HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }} - run: heroku container:login - - - name: Ensure container stack (staging) - env: - HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }} - run: heroku stack:set container --app ${{ vars.HEROKU_STAGING_APP }} - - - name: Prepare lowercase image name - id: lowercase - run: | - repo_owner="${{ github.repository_owner }}" - repo_name="${{ github.event.repository.name }}" - echo "repo_owner=$(echo "$repo_owner" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - echo "repo_name=$(echo "$repo_name" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - - - name: Pull tested image from GHCR & deploy to Heroku Staging - env: - HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }} - IMAGE_NAME: ghcr.io/${{ steps.lowercase.outputs.repo_owner }}/${{ steps.lowercase.outputs.repo_name }} - run: | - SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7) - echo "Deploying tested image: ${IMAGE_NAME}:sha-${SHORT_SHA} → ${{ vars.HEROKU_STAGING_APP }}" - - # Login to GHCR - echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin - - docker pull ${IMAGE_NAME}:sha-${SHORT_SHA} - - # Tag the image for Heroku - docker tag ${IMAGE_NAME}:sha-${SHORT_SHA} registry.heroku.com/${{ vars.HEROKU_STAGING_APP }}/web:latest - - echo "Pushing to Heroku..." - heroku container:push web --app ${{ vars.HEROKU_STAGING_APP }} - - echo "Releasing..." - heroku container:release web --app ${{ vars.HEROKU_STAGING_APP }} - - echo "Health check..." 
- sleep 12 - curl --fail "${{ vars.STAGING_HEALTH_ENDPOINT }}" || echo "⚠️ Health check failed – check Heroku logs" - + deploy-production: name: Deploy to Production runs-on: ubuntu-latest diff --git a/.github/workflows/deploy-to-staging.yml b/.github/workflows/deploy-to-staging.yml new file mode 100644 index 0000000..8489924 --- /dev/null +++ b/.github/workflows/deploy-to-staging.yml 
@@ -0,0 +1,69 @@ +name: Deploy to Heroku (staging) + +on: + push: + branches: [staging] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + packages: read # To pull from GHCR + contents: write # To create GitHub releases + +jobs: + deploy-staging: + name: Deploy to Staging + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v6.0.2 + + - name: Install Heroku CLI + run: curl https://cli-assets.heroku.com/install.sh | sh + + - name: Login to Heroku Container Registry + env: + HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }} + run: heroku container:login + + - name: Ensure container stack (staging) + env: + HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }} + run: heroku stack:set container --app ${{ vars.HEROKU_STAGING_APP }} + + - name: Prepare lowercase image name + id: lowercase + run: | + repo_owner="${{ github.repository_owner }}" + repo_name="${{ github.event.repository.name }}" + echo "repo_owner=$(echo "$repo_owner" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" + echo "repo_name=$(echo "$repo_name" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" + + - name: Pull tested image from GHCR & deploy to Heroku Staging + env: + HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }} + IMAGE_NAME: ghcr.io/${{ steps.lowercase.outputs.repo_owner }}/${{ steps.lowercase.outputs.repo_name }} + run: | + SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7) + echo "Deploying tested image: ${IMAGE_NAME}:sha-${SHORT_SHA} → ${{ vars.HEROKU_STAGING_APP }}" + + # Login to GHCR + echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin + + docker pull ${IMAGE_NAME}:sha-${SHORT_SHA} + + # Tag the image for Heroku + docker tag ${IMAGE_NAME}:sha-${SHORT_SHA} registry.heroku.com/${{ vars.HEROKU_STAGING_APP }}/web:latest + + echo "Pushing to Heroku..." + heroku container:push web --app ${{ vars.HEROKU_STAGING_APP }} + + echo "Releasing..." 
+ heroku container:release web --app ${{ vars.HEROKU_STAGING_APP }} + + echo "Health check..." + sleep 12 + curl --fail "${{ vars.STAGING_HEALTH_ENDPOINT }}" || echo "⚠️ Health check failed – check Heroku logs" \ No newline at end of file From a2e7bc3540ab239cfbec441c12601ae24143e9cd Mon Sep 17 00:00:00 2001 From: jeffcumpsty-tpx Date: Fri, 27 Feb 2026 16:58:42 +0000 Subject: [PATCH 3/3] Remove conditional checks for push and pull_request events in CI jobs --- .github/workflows/ci.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cf771f3..301a695 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -129,7 +129,6 @@ jobs: name: Build & Push Docker Image to GHCR runs-on: ubuntu-latest needs: [build-and-test, codeql-analysis, security-scan-fs] - if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'main') outputs: image_ref: ${{ steps.image_ref.outputs.image_ref }} @@ -194,8 +193,7 @@ jobs: name: Trivy Image Vulnerability Scan runs-on: ubuntu-latest needs: docker-build - if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'main') - + steps: - name: Login to GitHub Container Registry uses: docker/login-action@v3.7.0 @@ -260,9 +258,8 @@ jobs: zap-scan: name: OWASP ZAP Baseline Scan runs-on: ubuntu-latest - needs: [docker-build, security-scan-image] - if: github.event_name == 'pull_request' && github.base_ref == 'main' - + needs: [docker-build] + steps: - name: Checkout code uses: actions/checkout@v6.0.2
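Review bot: `permissions: contents: write  # To create GitHub releases` in the new deploy-to-staging.yml grants a write scope no step in this file uses — there is no release step here, only a GHCR pull and a Heroku push — so it should be `contents: read` (checkout needs read only). Two further points in the same hunk: `curl https://cli-assets.heroku.com/install.sh | sh` executes an unpinned remote script on every staging deploy, so pin a checked-in copy or verify a checksum before running it; and `echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io ...` splices the token into the script body, where the conventional form is `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` with `echo "$GITHUB_TOKEN" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin`. Finally, `curl --fail ... || echo "⚠️ Health check failed – check Heroku logs"` turns a failed health check into a green job; if staging health should block, drop the `|| echo`, and if it is advisory, `echo "::warning::..."` at least surfaces it in the run summary.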
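Review bot: In ci.yml hunk @@ -260,9 the `needs:` of zap-scan drops `security-scan-image`, so the ZAP baseline job — and any status that depends on it — no longer waits for the Trivy image scan, and together with the `if:` removals in @@ -129,7 and @@ -194,8 every pull_request now builds and pushes an image to GHCR and scans it, not only PRs targeting main. Nothing in this series shows whether `security-scan-image` is a required status check, so if it was only enforced through this dependency chain it now runs unattached; keep `needs: [docker-build, security-scan-image]` unless the scans are intentionally independent, and state in the commit message why the main-only condition was dropped.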