feat: switch to declarative staging-workflow with mirror to dockerhub

[levivannoort]

What does this PR do?

(Provide a description of what this PR does.)

Test Plan

(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work.)

Related PRs and Issues

(If this PR is related to any other PR or resolves any issue or related to any issue link all related PR and issues here.)

Have you read the Contributing Guidelines on issues?

(Write your answer here.)

[appwrite]

Appwrite Website

Project ID: 69d7efb00023389e8d27

Sites (1)

Site	Status	Logs	Preview	QR
website 69d7f2670014e24571ca	Queued	View Logs	Preview URL

Website (appwrite/website)

Project ID: 684969cb000a2f6c0a02

Sites (1)

Site	Status	Logs	Preview	QR
website 68496a17000f03d62013	Queued	View Logs	Preview URL

---

Tip

GraphQL API works alongside REST and WebSocket protocols

[greptile-apps]

Greptile Summary

This PR replaces the imperative Kubernetes/Helm staging deployment (using DigitalOcean doctl + kubectl) with a declarative GitOps approach: it pushes image tags into a dedicated assets-applications config repository via a GitHub App token. It also extends the build step to mirror staging images to Docker Hub in addition to GHCR.

• Declarative deploy: the old deploy_kubernetes job is replaced by a deploy job that checks out assets-applications, patches the image tag in staging/website/fra1.yaml with yq, commits, and pushes — no cluster credentials needed in this workflow.
• Docker Hub mirror: the build job now logs in to both GHCR and docker.io and tags/pushes to both registries simultaneously.
• Concurrency serialisation: a concurrency block (cancel-in-progress: false) is added so rapid pushes to main queue rather than overlap.

Confidence Score: 5/5

Safe to merge — the refactor is well-structured and removes a large surface of cluster credentials from this workflow.

The change is a clean architectural swap: direct cluster management is gone, replaced by a focused GitOps commit. The concurrency group correctly serialises successive pushes to main so the assets-applications repo never receives conflicting commits. yq is confirmed pre-installed on ubuntu-latest runners, and the strenv(TAG) usage is correct. The only actionable finding is an outdated action version, which does not affect correctness or security of the current workflow.

No files require special attention beyond the minor action version noted in the inline comment.

Important Files Changed

Filename	Overview
.github/workflows/staging.yml	Replaces imperative Kubernetes/Helm deploy with a declarative GitOps push to assets-applications, adds Docker Hub push alongside GHCR; uses actions/create-github-app-token@v2 while v3 is latest.

_{Reviews (2): Last reviewed commit: "chore: remove environment" | Re-trigger Greptile}