ci: add GitHub Actions workflows for dev, staging, prod, and pull request environments [no ci]

adrians5j · adrians5j · commit 3ddffc0d88e7 · 2026-03-13T09:31:52.000+01:00
diff --git a/docs/gh-actions-workflows/pullRequest.yml b/docs/gh-actions-workflows/pullRequest.yml
@@ -0,0 +1,92 @@
+name: Pull Requests
+
+on:
+  pull_request:
+    branches: [dev]
+
+jobs:
+  build-test-static:
+    name: Build and run static analysis
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 20
+
+      - uses: actions/checkout@v2
+
+      # Install and cache dependencies.
+      - uses: actions/cache@v4
+        id: yarn-cache
+        with:
+          path: .yarn/cache
+          key: yarn-${{ hashFiles('**/yarn.lock') }}
+
+      - name: Install dependencies
+        run: yarn --immutable
+
+      # Run static code analysis.
+      - name: Check code formatting
+        run: yarn format
+
+      - name: ESLint
+        run: yarn lint
+
+  deploy:
+    name: Deploy to PR environment
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+    needs: build-test-static
+    runs-on: ubuntu-latest
+    # We use "dev" environment variables here, but, if needed, a separate set of
+    # variables and a separate pull requests-related AWS account can be used too.
+    env:
+      NODE_OPTIONS: --max_old_space_size=4096
+      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
+      OPENSEARCH_DOMAIN_NAME: ${{ secrets.DEV_OPENSEARCH_DOMAIN_NAME }}
+      OPENSEARCH_INDEX_PREFIX: pr${{ github.event.pull_request.number }}
+      PULUMI_SECRETS_PROVIDER: ${{ secrets.DEV_PULUMI_SECRETS_PROVIDER }}
+      PULUMI_CONFIG_PASSPHRASE: ${{ secrets.DEV_PULUMI_CONFIG_PASSPHRASE }}
+      WEBINY_PULUMI_BACKEND: ${{ secrets.DEV_WEBINY_PULUMI_BACKEND_PULL_REQUESTS }}
+      WEBINY_PROJECT_ID: ${{ secrets.DEV_WEBINY_PROJECT_ID }}
+      WEBINY_PROJECT_API_KEY: ${{ secrets.DEV_WEBINY_PROJECT_API_KEY }}
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.DEV_AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.DEV_AWS_REGION }}
+
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 20
+
+      - uses: actions/checkout@v2
+
+      # Install and cache dependencies.
+      - uses: actions/cache@v4
+        id: yarn-cache
+        with:
+          path: .yarn/cache
+          key: yarn-${{ hashFiles('**/yarn.lock') }}
+
+      - name: Install dependencies
+        run: yarn --immutable
+
+      # Deploy to a short-lived environment (will be destroyed once the PR is closed).
+      - name: Deploy core
+        run: yarn webiny deploy core --env pr${{ github.event.pull_request.number }}
+
+      - name: Deploy API
+        run: yarn webiny deploy api --env pr${{ github.event.pull_request.number }}
+
+      - name: Deploy Admin
+        run: yarn webiny deploy admin --env pr${{ github.event.pull_request.number }}
+
+      # Add additional steps if needed. For example, if you have additional E2E
+      # tests done with Cypress (https://www.cypress.io/), you can run them here.
diff --git a/docs/gh-actions-workflows/pullRequestClosed.yml b/docs/gh-actions-workflows/pullRequestClosed.yml
@@ -0,0 +1,51 @@
+name: Pull Requests (Closed)
+
+on:
+  pull_request:
+    branches: [dev]
+    types: [closed]
+
+jobs:
+  destroy-project:
+    name: Destroy project deployed into a short-lived environment
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    env:
+      # This first step ensures we don't run the workflow if the repository is empty.
+      # Feel free to remove this step once your project is pushed to the repository.
+      NODE_OPTIONS: --max_old_space_size=4096
+      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
+      OPENSEARCH_DOMAIN_NAME: ${{ secrets.DEV_OPENSEARCH_DOMAIN_NAME }}
+      OPENSEARCH_INDEX_PREFIX: pr${{ github.event.pull_request.number }}
+      PULUMI_SECRETS_PROVIDER: ${{ secrets.DEV_PULUMI_SECRETS_PROVIDER }}
+      PULUMI_CONFIG_PASSPHRASE: ${{ secrets.DEV_PULUMI_CONFIG_PASSPHRASE }}
+      WEBINY_PULUMI_BACKEND: ${{ secrets.DEV_WEBINY_PULUMI_BACKEND_PULL_REQUESTS }}
+      WEBINY_PROJECT_ID: ${{ secrets.DEV_WEBINY_PROJECT_ID }}
+      WEBINY_PROJECT_API_KEY: ${{ secrets.DEV_WEBINY_PROJECT_API_KEY }}
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.DEV_AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.DEV_AWS_REGION }}
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 20
+
+      - uses: actions/checkout@v2
+
+      # Install and cache dependencies.
+      - uses: actions/cache@v4
+        id: yarn-cache
+        with:
+          path: .yarn/cache
+          key: yarn-${{ hashFiles('**/yarn.lock') }}
+
+      - name: Install dependencies
+        run: yarn --immutable
+
+      # Destroy short-lived environment.
+      - name: Destroy
+        run: yarn webiny destroy --env pr${{ github.event.pull_request.number }} --confirm-destroy-env pr${{ github.event.pull_request.number }} --debug
diff --git a/docs/gh-actions-workflows/pushDev.yml b/docs/gh-actions-workflows/pushDev.yml
@@ -0,0 +1,59 @@
+name: Dev Branch - Push
+
+on:
+  push:
+    branches: [dev]
+
+# Ensures only one deployment to "dev" environment can be in progress at the same time.
+concurrency: dev
+
+jobs:
+  build-test-deploy:
+    name: Build and test
+    runs-on: ubuntu-latest
+    env:
+      NODE_OPTIONS: --max_old_space_size=4096
+      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
+      PULUMI_SECRETS_PROVIDER: ${{ secrets.DEV_PULUMI_SECRETS_PROVIDER }}
+      PULUMI_CONFIG_PASSPHRASE: ${{ secrets.DEV_PULUMI_CONFIG_PASSPHRASE }}
+      WEBINY_PULUMI_BACKEND: ${{ secrets.DEV_WEBINY_PULUMI_BACKEND }}
+      WEBINY_PROJECT_ID: ${{ secrets.DEV_WEBINY_PROJECT_ID }}
+      WEBINY_PROJECT_API_KEY: ${{ secrets.DEV_WEBINY_PROJECT_API_KEY }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.DEV_AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.DEV_AWS_REGION }}
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 20
+
+      - uses: actions/checkout@v4
+
+      # Install and cache dependencies.
+      - uses: actions/cache@v4
+        id: yarn-cache
+        with:
+          path: .yarn/cache
+          key: yarn-${{ hashFiles('**/yarn.lock') }}
+
+
+      - name: Install dependencies
+        run: yarn --immutable
+
+      # Run static code analysis.
+      - name: Check code formatting
+        run: yarn format
+
+      - name: ESLint
+        run: yarn lint
+
+      - name: Deploy
+        run: yarn webiny deploy --env dev
+
+      # Add additional steps if needed. For example, if you have additional E2E
+      # tests done with Cypress (https://www.cypress.io/), you can run them here.
diff --git a/docs/gh-actions-workflows/pushProd.yml b/docs/gh-actions-workflows/pushProd.yml
@@ -0,0 +1,59 @@
+name: Prod Branch - Push
+
+on:
+  push:
+    branches: [prod]
+
+# Ensures only one deployment to "prod" environment can be in progress at the same time.
+concurrency: prod
+
+jobs:
+  build-test-deploy:
+    name: Build and test
+    runs-on: ubuntu-latest
+    env:
+      NODE_OPTIONS: --max_old_space_size=4096
+      AWS_REGION: ${{ secrets.PROD_AWS_REGION }}
+      PULUMI_SECRETS_PROVIDER: ${{ secrets.PROD_PULUMI_SECRETS_PROVIDER }}
+      PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PROD_PULUMI_CONFIG_PASSPHRASE }}
+      WEBINY_PULUMI_BACKEND: ${{ secrets.PROD_WEBINY_PULUMI_BACKEND }}
+      WEBINY_PROJECT_ID: ${{ secrets.PROD_WEBINY_PROJECT_ID }}
+      WEBINY_PROJECT_API_KEY: ${{ secrets.PROD_WEBINY_PROJECT_API_KEY }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.PROD_AWS_REGION }}
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 20
+
+      - uses: actions/checkout@v4
+
+      # Install and cache dependencies.
+      - uses: actions/cache@v4
+        id: yarn-cache
+        with:
+          path: .yarn/cache
+          key: yarn-${{ hashFiles('**/yarn.lock') }}
+
+
+      - name: Install dependencies
+        run: yarn --immutable
+
+      # Run static code analysis.
+      - name: Check code formatting
+        run: yarn format
+
+      - name: ESLint
+        run: yarn lint
+
+      - name: Deploy
+        run: yarn webiny deploy --env prod
+
+      # Add additional steps if needed. For example, if you have additional E2E
+      # tests done with Cypress (https://www.cypress.io/), you can run them here.
diff --git a/docs/gh-actions-workflows/pushStaging.yml b/docs/gh-actions-workflows/pushStaging.yml
@@ -0,0 +1,59 @@
+name: Staging Branch - Push
+
+on:
+  push:
+    branches: [staging]
+
+# Ensures only one deployment to "staging" environment can be in progress at the same time.
+concurrency: staging
+
+jobs:
+  build-test-deploy:
+    name: Build and test
+    runs-on: ubuntu-latest
+    env:
+      NODE_OPTIONS: --max_old_space_size=4096
+      AWS_REGION: ${{ secrets.STAGING_AWS_REGION }}
+      PULUMI_SECRETS_PROVIDER: ${{ secrets.STAGING_PULUMI_SECRETS_PROVIDER }}
+      PULUMI_CONFIG_PASSPHRASE: ${{ secrets.STAGING_PULUMI_CONFIG_PASSPHRASE }}
+      WEBINY_PULUMI_BACKEND: ${{ secrets.STAGING_WEBINY_PULUMI_BACKEND }}
+      WEBINY_PROJECT_ID: ${{ secrets.STAGING_WEBINY_PROJECT_ID }}
+      WEBINY_PROJECT_API_KEY: ${{ secrets.STAGING_WEBINY_PROJECT_API_KEY }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.STAGING_AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.STAGING_AWS_REGION }}
+      - uses: actions/setup-node@v2
+        with:
+          node-version: 20
+
+      - uses: actions/checkout@v4
+
+      # Install and cache dependencies.
+      - uses: actions/cache@v4
+        id: yarn-cache
+        with:
+          path: .yarn/cache
+          key: yarn-${{ hashFiles('**/yarn.lock') }}
+
+
+      - name: Install dependencies
+        run: yarn --immutable
+
+      # Run static code analysis.
+      - name: Check code formatting
+        run: yarn format
+
+      - name: ESLint
+        run: yarn lint
+
+      - name: Deploy
+        run: yarn webiny deploy --env staging
+
+      # Add additional steps if needed. For example, if you have additional E2E
+      # tests done with Cypress (https://www.cypress.io/), you can run them here.
