ci: downgrade deploy workflow to dry-run when trial secrets missing #15
| name: Deploy | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| inputs: | |
| mode: | |
| description: 'deploy|dry-run' | |
| type: choice | |
| options: | |
| - deploy | |
| - dry-run | |
| default: 'deploy' | |
| required: true | |
| permissions: | |
| contents: read | |
| deployments: write | |
| jobs: | |
| deploy: | |
| environment: production | |
| runs-on: ubuntu-latest | |
| env: | |
| ENV_BLOB: ${{ secrets.ENV_BLOB || '' }} | |
| ENV_BLOB_OVERRIDE: ${{ secrets.ENV_BLOB_OVERRIDE || '' }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Echo workflow inputs | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| run: | | |
| echo "workflow_dispatch inputs.mode=${{ github.event.inputs.mode }}" | |
| - name: Set deployment mode | |
| id: set-mode | |
| run: | | |
| MODE="${{ github.event_name == 'workflow_dispatch' && github.event.inputs.mode || 'deploy' }}" | |
| if [ "$MODE" = "deploy" ] && [ -z "${ENV_BLOB:-}" ]; then | |
| echo "ENV_BLOB secret missing; switching to dry-run mode" | |
| MODE="dry-run" | |
| fi | |
| echo "MODE=$MODE" >> "$GITHUB_ENV" | |
| echo "Deployment mode: $MODE" | |
| - name: Enable Corepack for pnpm | |
| run: corepack enable pnpm | |
| - name: Ensure ENV_BLOB secret exists | |
| if: env.MODE == 'deploy' | |
| run: | | |
| if [ -z "$ENV_BLOB" ]; then | |
| echo "ENV_BLOB secret is required" >&2 | |
| exit 1 | |
| fi | |
| - name: Decode ENV_BLOB to .env.ci | |
| if: env.MODE == 'deploy' | |
| run: | | |
| echo "$ENV_BLOB" | base64 --decode > .env.ci | |
| if [ -n "$ENV_BLOB_OVERRIDE" ]; then | |
| printf '\n' >> .env.ci | |
| echo "$ENV_BLOB_OVERRIDE" | base64 --decode > .env.repo.ci | |
| cat .env.repo.ci >> .env.ci | |
| fi | |
| grep -v '^#' .env.ci | grep -E '^[A-Z0-9_]+=' | sed 's/=.*//' > required.env.keys | |
| - name: Validate deploy env includes benchmark trial secrets | |
| if: env.MODE == 'deploy' | |
| run: | | |
| set -euo pipefail | |
| required=( | |
| STRIPE_SECRET_KEY | |
| SKILLS_TRIAL_EXECUTE_TOKEN | |
| SKILLS_TRIAL_ORCHESTRATOR_URL | |
| SKILLS_TRIAL_ORCHESTRATOR_TOKEN | |
| SKILLS_TRIAL_SMOKE_BENCHMARK_CASE_ID | |
| SKILLS_TRIAL_SMOKE_ORACLE_SKILL_ID | |
| ) | |
| missing=() | |
| for key in "${required[@]}"; do | |
| if ! grep -q "^${key}=" .env.ci; then | |
| missing+=("$key") | |
| fi | |
| done | |
| if [ "${#missing[@]}" -gt 0 ]; then | |
| echo "ENV_BLOB is missing required benchmark trial deploy keys: ${missing[*]}" | |
| echo "Switching workflow MODE to dry-run until required secrets are provisioned." | |
| echo "MODE=dry-run" >> "$GITHUB_ENV" | |
| fi | |
| - name: Export env vars | |
| if: env.MODE == 'deploy' | |
| run: | | |
| set -euo pipefail | |
| while IFS= read -r line; do | |
| line="${line%%$'\r'}" | |
| if [ -z "$line" ]; then | |
| continue | |
| fi | |
| var="${line%%=*}"; value="${line#*=}" | |
| if [ -z "$var" ]; then | |
| echo "Skipping malformed env line: $line" >&2 | |
| continue | |
| fi | |
| trimmed="${value%$'\r'}" | |
| if [ "${trimmed#\"}" != "$trimmed" ] && [ "${trimmed%\"}" != "$trimmed" ]; then | |
| trimmed="${trimmed#\"}" | |
| trimmed="${trimmed%\"}" | |
| elif [ "${trimmed#\'}" != "$trimmed" ] && [ "${trimmed%\'}" != "$trimmed" ]; then | |
| trimmed="${trimmed#\'}" | |
| trimmed="${trimmed%\'}" | |
| fi | |
| echo "::add-mask::$trimmed" | |
| printf '%s=%s\n' "$var" "$trimmed" >> $GITHUB_ENV | |
| done < <(grep -v '^#' .env.ci) | |
| - name: Seed placeholder env for dry-run | |
| if: env.MODE != 'deploy' | |
| run: | | |
| { | |
| echo "PROJECT_ID=ci-placeholder" | |
| echo "PROJECT_DOMAIN=https://ci-placeholder.justevery.test" | |
| echo "CLOUDFLARE_ACCOUNT_ID=0123456789abcdef0123456789abcdef" | |
| echo "CLOUDFLARE_API_TOKEN=dummyAccountTokenForCiDryRun1234567" | |
| echo "CLOUDFLARE_ZONE_ID=placeholder-zone" | |
| echo "D1_DATABASE_NAME=ci-placeholder-d1" | |
| echo "D1_DATABASE_ID=placeholder-d1-id" | |
| echo "CLOUDFLARE_R2_BUCKET=ci-placeholder-assets" | |
| echo "STRIPE_SECRET_KEY=sk_test_placeholder" | |
| echo "STRIPE_WEBHOOK_SECRET=whsec_placeholder" | |
| echo "BETTER_AUTH_URL=https://auth-placeholder.justevery.test" | |
| echo "LOGIN_ORIGIN=https://login-placeholder.justevery.test" | |
| echo "SESSION_COOKIE_DOMAIN=.placeholder.test" | |
| echo "STRIPE_PRODUCTS=Placeholder:1000,usd,month" | |
| echo "BILLING_CHECKOUT_TOKEN=placeholder-checkout-token" | |
| } > .env.ci | |
| while IFS= read -r line; do | |
| var="${line%%=*}" | |
| value="${line#*=}" | |
| printf '%s=%s\n' "$var" "$value" >> $GITHUB_ENV | |
| done < .env.ci | |
| - uses: actions/setup-node@v4 | |
| if: env.MODE == 'deploy' | |
| with: | |
| node-version: 20 | |
| cache: 'pnpm' | |
| - uses: actions/setup-node@v4 | |
| if: env.MODE != 'deploy' | |
| with: | |
| node-version: 20 | |
| - name: Sync Font Awesome registry token | |
| if: env.MODE == 'deploy' | |
| run: node scripts/sync-fontawesome-token.mjs | |
| - name: Install dependencies | |
| if: env.MODE == 'deploy' | |
| run: pnpm install --frozen-lockfile | |
| - name: Run unified deploy script | |
| if: env.MODE == 'deploy' | |
| env: | |
| DEPLOY_MODE: ${{ env.MODE }} | |
| EXPO_NO_INTERACTIVE: '1' | |
| run: | | |
| scripts/deploy.sh --mode "$DEPLOY_MODE" | |
| - name: Dry-run notice | |
| if: env.MODE != 'deploy' | |
| run: | | |
| echo "ENV_BLOB secret is unavailable; dry-run mode skips full deployment steps." | |
| - name: Upload deployment artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: deploy-${{ github.run_id }} | |
| path: | | |
| workers/api/wrangler.toml | |
| test-results/** | |
| if-no-files-found: ignore |
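Review bot: The `Set deployment mode` step (and `Echo workflow inputs` before it) interpolates `${{ github.event.inputs.mode }}` straight into the `run:` shell; `type: choice` bounds the value today, but this is the pattern script-injection linters flag, and routing it through the step's `env:` (`MODE_INPUT: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.mode || 'deploy' }}` then `MODE="$MODE_INPUT"`) costs nothing. The two downgrade points (the `ENV_BLOB secret missing; switching to dry-run mode` echo and the `Switching workflow MODE to dry-run` echo in the validate step) print plain text, so a push to `main` that was meant to deploy finishes green with only a log line to show it did not; emitting them as `echo "::warning::..."` surfaces the downgrade as an annotation on the run. When the validate step downgrades, the decoded `.env.ci` and `.env.repo.ci` written in `Decode ENV_BLOB to .env.ci` remain in the workspace (the dry-run seed step later overwrites `.env.ci` but never touches `.env.repo.ci`), so an `rm -f .env.repo.ci` after the `cat` there, or in the downgrade branch, would avoid leaving decoded secrets behind. With the fallback now in `set-mode`, the `Ensure ENV_BLOB secret exists` step can no longer fire in practice and looks like a leftover that could be dropped.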