infra/ci: Add GitHub Actions workflow for staging and production deployment (#256)

## Motivation and Context

- Enable all contributors to manage the infrastructure
- Enable deployments without error-prone manual intervention

## How Has This Been Tested?

Tested by deploying from this test branch, getting CI green and seeing
changes were applied

## Breaking Changes
<!-- Will users need to update their code or configurations? -->

## Types of changes
<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply: -->
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [ ] Documentation update

## Checklist
<!-- Go over all the following points, and put an `x` in all the boxes
that apply. -->
- [x] I have read the [MCP
Documentation](https://modelcontextprotocol.io)
- [x] My code follows the repository's style guidelines
- [x] New and existing tests pass locally
- [x] I have added appropriate error handling
- [ ] I have added or updated documentation as needed

Author: domdomegg

.github/workflows/deploy.yml

@@ -0,0 +1,82 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  PULUMI_VERSION: "3.188.0"
+  GO_VERSION: "1.24.6"
+
+jobs:
+  deploy-staging:
+    name: Deploy to Staging
+    runs-on: ubuntu-latest
+    environment: staging
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Setup Pulumi
+        uses: pulumi/actions@v6
+        with:
+          pulumi-version: ${{ env.PULUMI_VERSION }}
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_STAGING_SERVICE_ACCOUNT_KEY }}
+
+      - name: Setup Google Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+        with:
+          project_id: mcp-registry-staging
+          install_components: gke-gcloud-auth-plugin
+
+      - name: Deploy to Staging
+        working-directory: ./deploy
+        run: |
+          echo "${{ secrets.PULUMI_STAGING_PASSPHRASE }}" > passphrase.staging.txt
+          make staging-up
+
+  deploy-production:
+    name: Deploy to Production
+    runs-on: ubuntu-latest
+    environment: production
+    needs: deploy-staging
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Setup Pulumi
+        uses: pulumi/actions@v6
+        with:
+          pulumi-version: ${{ env.PULUMI_VERSION }}
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_PROD_SERVICE_ACCOUNT_KEY }}
+
+      - name: Setup Google Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+        with:
+          project_id: mcp-registry-prod
+          install_components: gke-gcloud-auth-plugin
+
+      - name: Deploy to Production
+        working-directory: ./deploy
+        run: |
+          echo "${{ secrets.PULUMI_PROD_PASSPHRASE }}" > passphrase.prod.txt
+          make prod-up

deploy/Makefile

@@ -1,4 +1,4 @@
-.PHONY: help build local-preview local-up staging-preview staging-up prod-preview prod-up
+.PHONY: help build local-login local-preview local-up staging-login staging-preview staging-up prod-login prod-preview prod-up
 
 # Default target
 help: ## Show this help message
@@ -10,22 +10,31 @@ build: ## Build the Pulumi Go program
 	go build
 
 # Local stack commands
-local-preview: build ## Preview local infrastructure changes
+local-login: ## Login to local Pulumi backend
+	pulumi login --local
+
+local-preview: build local-login ## Preview local infrastructure changes
 	PULUMI_CONFIG_PASSPHRASE="" pulumi preview --stack local
 
-local-up: build ## Deploy local infrastructure
+local-up: build local-login ## Deploy local infrastructure
 	PULUMI_CONFIG_PASSPHRASE="" pulumi up --yes --stack local
 
 # Staging stack commands
-staging-preview: build ## Preview staging infrastructure changes
+staging-login: ## Login to staging Pulumi backend
+	pulumi login gs://mcp-registry-staging-pulumi-state
+
+staging-preview: build staging-login ## Preview staging infrastructure changes
 	PULUMI_CONFIG_PASSPHRASE_FILE=passphrase.staging.txt pulumi preview --stack gcpStaging
 
-staging-up: build ## Deploy staging infrastructure
+staging-up: build staging-login ## Deploy staging infrastructure
 	PULUMI_CONFIG_PASSPHRASE_FILE=passphrase.staging.txt pulumi up --yes --stack gcpStaging
 
 # Production stack commands
-prod-preview: build ## Preview production infrastructure changes
+prod-login: ## Login to production Pulumi backend
+	pulumi login gs://mcp-registry-prod-pulumi-state
+
+prod-preview: build prod-login ## Preview production infrastructure changes
 	PULUMI_CONFIG_PASSPHRASE_FILE=passphrase.prod.txt pulumi preview --stack gcpProd
 
-prod-up: build ## Deploy production infrastructure
+prod-up: build prod-login ## Deploy production infrastructure
 	PULUMI_CONFIG_PASSPHRASE_FILE=passphrase.prod.txt pulumi up --yes --stack gcpProd

deploy/README.md

@@ -29,7 +29,7 @@ Pre-requisites:
 
 ### Production Deployment (GCP)
 
-**Note:** This is how the production deployment will be set up once. But then the plan will be future updates are effectively a login + `pulumi up` from GitHub Actions.
+**Note:** The production deployment is automatically handled by GitHub Actions. All merges to the `main` branch trigger an automatic deployment to GCP via [the configured GitHub Actions workflow](../.github/workflows/deploy.yml). The steps below are preserved as a log of what we did, or if a manual override is needed.
 
 Pre-requisites:
 - [Pulumi CLI installed](https://www.pulumi.com/docs/iac/download-install/)
@@ -51,8 +51,7 @@ Pre-requisites:
    ```
 5. Create a GCS bucket for Pulumi state: `gsutil mb gs://mcp-registry-prod-pulumi-state`
 6. Set Pulumi's backend to GCS: `pulumi login gs://mcp-registry-prod-pulumi-state`
-7. Get the passphrase file `passphrase.prod.txt` from @domdomegg
-   - TODO: avoid dependence on one person! Probably will shift all of this into CI.
+7. Get the passphrase file `passphrase.prod.txt` from the registry maintainers
 8. Init the GCP stack: `PULUMI_CONFIG_PASSPHRASE_FILE=passphrase.prod.txt pulumi stack init gcpProd`
 9. Set the GCP credentials in Pulumi config:
     ```bash