appwrite · levivannoort · Jun 11, 2026 · Jun 9, 2026 · Jun 11, 2026 · Jun 11, 2026
diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml
@@ -6,32 +6,48 @@ on:
         branches:
             - main
 
+concurrency:
+    group: ${{ github.workflow }}
+    cancel-in-progress: false
+
 env:
+    ENVIRONMENT: staging
+    PROJECT: website
+    DECLARATIVE_REPOSITORY: assets-applications
+    REGISTRY_GITHUB: ghcr.io
+    REGISTRY_DOCKERHUB: docker.io
+    IMAGE_NAME: appwrite/website
     TAG: ${{ github.sha }}
-    STACK_FILE: docker/stage.yml
-    REPOSITORY: website
-    REGISTRY_USERNAME: christyjacob4
 
 jobs:
     build:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout the repo
-              uses: actions/checkout@v4
+              uses: actions/checkout@v6
 
-            - name: Login to DockerHub
+            - name: Login to GitHub Container Registry
               uses: docker/login-action@v3
               with:
-                  registry: ghcr.io
+                  registry: ${{ env.REGISTRY_GITHUB }}
                   username: ${{ github.actor }}
                   password: ${{ secrets.GITHUB_TOKEN }}
 
+            - name: Login to Docker Hub
+              uses: docker/login-action@v3
+              with:
+                  registry: ${{ env.REGISTRY_DOCKERHUB }}
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+
             - name: Build and push
               uses: docker/build-push-action@v6
               with:
                   context: .
                   push: true
-                  tags: ghcr.io/appwrite/website:${{ env.TAG }}
+                  tags: |
+                      ${{ env.REGISTRY_GITHUB }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
+                      ${{ env.REGISTRY_DOCKERHUB }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
                   build-args: |
                       "PUBLIC_APPWRITE_ENDPOINT=${{ vars.PUBLIC_APPWRITE_ENDPOINT }}"
                       "PUBLIC_APPWRITE_DASHBOARD=${{ vars.PUBLIC_APPWRITE_DASHBOARD }}"
@@ -49,48 +65,36 @@ jobs:
                       "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
                       "SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}"
 
-    deploy_kubernetes:
-        strategy:
-            matrix:
-                region: [{ full: fra1, short: fra }]
+    deploy:
         needs: build
         runs-on: ubuntu-latest
         steps:
-            - name: Checkout the repo
-              uses: actions/checkout@v4
-            - name: Install Kubectl
-              uses: azure/setup-kubectl@v4
-            - name: Install Helm
-              uses: azure/setup-helm@v4
-            - name: Install doctl
-              uses: digitalocean/action-doctl@v2
+            - name: Get token for ${{ env.DECLARATIVE_REPOSITORY }}
+              id: app-token
+              uses: actions/create-github-app-token@v2
               with:
-                  token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
-            - name: Save DigitalOcean kubeconfig with short-lived credentials
-              run: doctl kubernetes cluster kubeconfig save --expiry-seconds 600 assets-${{ matrix.region.full }}-stg
+                  app-id: ${{ vars.DECLARATIVE_DEPLOYMENT_GITHUB_APP_ID }}
+                  private-key: ${{ secrets.DECLARATIVE_DEPLOYMENT_GITHUB_APP_PRIVATE_KEY }}
+                  owner: ${{ github.repository_owner }}
+                  repositories: ${{ env.DECLARATIVE_REPOSITORY }}
 
-            - name: Ensure namespaces exist
-              run: |
-                  kubectl create namespace website --dry-run=client -o yaml | kubectl apply -f -
-
-            - name: Create docker pull secret
-              run: |
-                  kubectl -n website create secret docker-registry ghcr \
-                    --docker-server=ghcr.io \
-                    --docker-username=${{ secrets.GHCR_USERNAME }} \
-                    --docker-password=${{ secrets.GHCR_TOKEN }} \
-                    --docker-email=ci@appwrite.io \
-                    --dry-run=client -o yaml | kubectl apply -f -
+            - name: Checkout ${{ env.DECLARATIVE_REPOSITORY }}
+              uses: actions/checkout@v6
+              with:
+                  repository: ${{ github.repository_owner }}/${{ env.DECLARATIVE_REPOSITORY }}
+                  token: ${{ steps.app-token.outputs.token }}
 
-            - name: Create app secrets
-              run: |
-                  kubectl -n website create secret generic website-secrets \
-                    --from-literal=STATSIG_SERVER_SECRET='${{ secrets.STATSIG_SERVER_SECRET }}' \
-                    --dry-run=client -o yaml | kubectl apply -f -
+            - name: Update image tag
+              run: yq -i '.website.image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/fra1.yaml
 
-            - name: Deploy
+            - name: Commit and push
               run: |
-                  helm upgrade --install --namespace website website deploy/website/ \
-                    --values deploy/website/environments/staging/${{ matrix.region.full }}.values.yaml \
-                    --set imagePullSecret='ghcr' \
-                    --set version=${{ env.TAG }}
+                  git config user.name "github-actions[bot]"
+                  git config user.email "github-actions[bot]@users.noreply.github.com"
+                  git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/fra1.yaml
+                  if git diff --cached --quiet; then
+                    echo "No changes to commit"
+                  else
+                    git commit -m "chore(${{ env.ENVIRONMENT }}): ${{ env.PROJECT }} image tag to ${{ env.TAG }}"
+                    git push
+                  fi