
Commit 00a086a

authored
Update prod-stg-deploy.yml
1 parent 9436017 commit 00a086a


1 file changed

+45
-13
lines changed


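--- a/.github/workflows/prod-stg-deploy.yml
+++ b/.github/workflows/prod-stg-deploy.yml
@@ -4,6 +4,10 @@ on:
 push:
 branches:
 - containerapp_deploy
+
+schedule:
+- cron: "0 1 * * *"
+
 workflow_dispatch:
 inputs:
 target_env:
@@ -29,10 +33,11 @@ env:
 STAGING_RESOURCE_GROUP: core-frontend-stage
 STAGING_APP_NAME: core-frontend-stage-about
 
-GA_CODE: ${{ secrets.GA_CODE }}
 NODE_ENV: production
 PORT: 8080
 
+ALLOWED_PROD_BRANCH: containerapp_deploy
+
 permissions:
 id-token: write
 contents: read
@@ -56,9 +61,20 @@ jobs:
 run: |
 SHA7="$(echo "${GITHUB_SHA}" | cut -c1-7)"
 
-if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
+# ✅ ADDED: schedule always deploys PROD from the frozen branch
+if [[ "${GITHUB_EVENT_NAME}" == "schedule" ]]; then
+DEPLOY_ENV="prod"
+REF_TO_BUILD="${{ env.ALLOWED_PROD_BRANCH }}"
+
+elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
 DEPLOY_ENV="${{ inputs.target_env }}"
 REF_TO_BUILD="${{ inputs.branch }}"
+
+# existing: Freeze PROD to only one branch; fail if any other branch is selected for PROD
+if [[ "${DEPLOY_ENV}" == "prod" && "${REF_TO_BUILD}" != "${{ env.ALLOWED_PROD_BRANCH }}" ]]; then
+echo "::error title=Blocked prod deployment::Prod deployments are only allowed from '${{ env.ALLOWED_PROD_BRANCH }}'. You selected '${REF_TO_BUILD}'."
+exit 1
+fi
 else
 DEPLOY_ENV="staging"
 REF_TO_BUILD="${GITHUB_REF_NAME}"
@@ -82,18 +98,22 @@ jobs:
 echo "branch_tag=${BRANCH_TAG}" >> "$GITHUB_OUTPUT"
 echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
 
+
 - name: Summary
 run: |
-{
-echo "## Deploy plan"
-echo "- **Env:** ${{ steps.vars.outputs.deploy_env }}"
-echo "- **Branch:** ${{ steps.vars.outputs.ref_to_build }}"
-echo "- **App:** ${{ steps.target.outputs.APP || steps.vars.outputs.app_name }}"
-echo "- **RG:** ${{ steps.target.outputs.RG }}"
-echo "- **Image:** ${{ env.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}:${{ env.TAG }}"
-echo "- **Tag:** ${{ steps.vars.outputs.image_tag }}"
-} >> $GITHUB_STEP_SUMMARY
-
+{
+echo "## Deploy plan"
+echo "- **Trigger:** ${{ github.event_name }}"
+echo "- **Env:** ${{ steps.vars.outputs.deploy_env }}"
+echo "- **Branch:** ${{ steps.vars.outputs.ref_to_build }}"
+echo "- **App:** ${{ steps.vars.outputs.app_name }}"
+echo "- **ACR:** ${{ env.ACR_NAME }}"
+echo "- **Image:** ${{ env.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}"
+echo "- **Tag (sha7):** ${{ steps.vars.outputs.tag }}"
+echo "- **Tag (env):** ${{ steps.vars.outputs.image_tag }}"
+} >> "$GITHUB_STEP_SUMMARY"
+
+
 - name: Checkout code
 uses: actions/checkout@v4
 with:
@@ -151,7 +171,9 @@ jobs:
 id: target
 shell: bash
 run: |
-if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
+if [[ "${GITHUB_EVENT_NAME}" == "schedule" ]]; then
+ENV="prod"
+elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
 ENV="${{ inputs.target_env }}"
 else
 ENV="staging"
@@ -165,6 +187,16 @@ jobs:
 echo "RG=${{ env.STAGING_RESOURCE_GROUP }}" >> $GITHUB_OUTPUT
 fi
 
+- name: Enforce prod branch freeze
+shell: bash
+run: |
+if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]; then
+if [[ "${{ inputs.target_env }}" == "prod" && "${{ needs.build-and-push.outputs.ref_to_build }}" != "${{ env.ALLOWED_PROD_BRANCH }}" ]]; then
+echo "::error title=Blocked prod deployment::Prod deployments are only allowed from '${{ env.ALLOWED_PROD_BRANCH }}'."
+exit 1
+fi
+fi
+
 - name: Deploy to Azure Container App
 run: |
 az containerapp update \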
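Review bot: The new `Enforce prod branch freeze` step expands `${{ inputs.target_env }}` and `${{ needs.build-and-push.outputs.ref_to_build }}` into the bash text before the shell runs, so if `branch` is a free-form dispatch input (its declaration is outside these hunks) the value is parsed as script rather than compared as data, in the very step meant to guard prod. Pass both values through a step-level `env:` and compare shell variables, as in the excerpt below. The `DEPLOY_ENV="${{ inputs.target_env }}"` and `REF_TO_BUILD="${{ inputs.branch }}"` assignments in the earlier step are context lines with the same pattern and deserve the same treatment. Separately, a check that lives in the workflow file is only as strong as control over that file, so unless the deploy job is already bound to a protected environment, the freeze should also be backed by an environment deployment-branch rule; given `id-token: write`, the cloud-side federated credential presumably can be scoped to that environment as well.

```yaml
- name: Enforce prod branch freeze
  # … unchanged: shell: bash …
  env:
    TARGET_ENV: ${{ inputs.target_env }}
    REF_TO_BUILD: ${{ needs.build-and-push.outputs.ref_to_build }}
  run: |
    # … unchanged: outer workflow_dispatch event check …
      if [[ "${TARGET_ENV}" == "prod" && "${REF_TO_BUILD}" != "${{ env.ALLOWED_PROD_BRANCH }}" ]]; then
    # … unchanged: ::error annotation, exit 1, closing fi lines …
```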
