uhstray-io · JacobHaig · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md
@@ -2,3 +2,4 @@
 
 - [No co-authors in commits](feedback-no-coauthors.md) — never add Co-Authored-By trailers to commit messages
 - [agent-cloud deployment](project-agent-cloud-deployment.md) — WisBot deploys via agent-cloud as a pulled image; secrets in OpenBao, site values in site-config
+- [CodeRabbit PR workflow](feedback-coderabbit-pr-workflow.md) — all merges go through a PR; merge only when CodeRabbit fully passes; resolve findings + re-review first
diff --git a/.claude/memory/feedback-coderabbit-pr-workflow.md b/.claude/memory/feedback-coderabbit-pr-workflow.md
@@ -0,0 +1,13 @@
+---
+name: feedback-coderabbit-pr-workflow
+description: All code merges go through a PR validated by CodeRabbit before merge
+metadata:
+  node_type: memory
+  type: feedback
+---
+
+Never merge code straight to `main`. Every change ships via a **pull request** so **CodeRabbit** can review it. Merge **only when validation fully passes**. If CodeRabbit raises an issue, **resolve it and let CodeRabbit re-review** (push the fix, wait for the new review) **before merging** — don't merge over unresolved findings.
+
+**Why:** CodeRabbit review on PRs is the team's validation gate; merging without it (or over open findings) skips the safety check the user relies on.
+
+**How to apply:** branch from `main` → implement → push → open PR (`gh pr create`) → wait for **all** checks (CodeRabbit + CI) → if findings, fix + push + wait for re-review → only merge once approved/green. Squash-merge + delete branch is the user's chosen merge style. Phased work = one branch/PR per phase. Related: [[feedback-no-coauthors]], [[project-agent-cloud-deployment]].
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
@@ -0,0 +1,54 @@
+name: Build and Publish
+
+# Builds the Docker image and pushes it to GHCR on merge to main and on version
+# tags. Deployment itself is handled by the agent-cloud platform (pulls this image).
+on:
+  push:
+    branches: [main]
+    tags: ["v*"]
+  workflow_dispatch:
+
+env:
+  IMAGE: ghcr.io/uhstray-io/wisbot
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Image metadata
+        id: meta
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
+        with:
+          images: ${{ env.IMAGE }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=sha,format=short
+            type=semver,pattern={{version}}
+
+      - name: Build and push
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/deployment_prod.yml b/.github/workflows/deployment_prod.yml
diff --git a/.github/workflows/deployment_refresh_prod.yml b/.github/workflows/deployment_refresh_prod.yml
diff --git a/.github/workflows/shutdown.yml b/.github/workflows/shutdown.yml
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -15,9 +15,9 @@ No test framework or linter is configured.
 
 ## Deployment
 
-A multi-stage `Dockerfile` builds a Linux image (`dotnet/runtime:10.0` base). Voice natives: `libsodium` + SQLite ship cross-platform via NuGet; `opus` is installed in the image via `apt` (`libopus0`, symlinked to the unversioned name `DllImport("opus")` probes). Config (token, guild ID, paths) is supplied at runtime via env / an env file — never baked into the image. `docker-build.yml` validates the image builds on every PR.
+A multi-stage `Dockerfile` builds a Linux image (`dotnet/runtime:10.0` base). Voice natives: `libsodium` + SQLite ship cross-platform via NuGet; `opus` is installed in the image via `apt` (`libopus0`, symlinked to the unversioned name `DllImport("opus")` probes). Config (token, guild ID, paths) is supplied at runtime via env / an env file — never baked into the image.
 
-Deployment is being migrated to the **agent-cloud** platform (pull image → Ansible-templated `.env` → Semaphore), replacing the legacy self-hosted-runner workflows. See `docs/plans/2026-06-01-agent-cloud-deployment-alignment.md`.
+CI: `docker-build.yml` validates the image builds on every PR; `build-and-publish.yml` builds and pushes to `ghcr.io/uhstray-io/wisbot` on merge to `main` and on `v*` tags. The image is then deployed by the **agent-cloud** platform (pull image → Ansible-templated `.env` from OpenBao + site-config → Semaphore). The legacy self-hosted-runner deploy workflows have been removed; `deploy-o11y.yml` remains pending migration to agent-cloud's o11y service. See `docs/plans/2026-06-01-agent-cloud-deployment-alignment.md`.
 
 ## Architecture
 

diff --git a/README.md b/README.md
@@ -48,4 +48,8 @@ While the bot is running, type these in the console:
 
 ## Deployment
 
-Production runs on a self-hosted runner via GitHub Actions. Trigger manually with `workflow_dispatch` in `.github/workflows/deployment_prod.yml`. The bot token is supplied via the `DISCORD_TOKEN_WISBOT` repository secret.
+WisBot ships as a Docker image. On merge to `main` (and on `v*` tags), `.github/workflows/build-and-publish.yml` builds the image and publishes it to `ghcr.io/uhstray-io/wisbot`. `.github/workflows/docker-build.yml` validates the image builds on every PR.
+
+The image is deployed by the **agent-cloud** platform — it pulls the published image and supplies configuration (Discord token, guild ID, endpoints) via an Ansible-templated `.env` from OpenBao + site-config, orchestrated through Semaphore. Nothing site-specific is baked into the image. See `docs/plans/2026-06-01-agent-cloud-deployment-alignment.md`.
+
+> The legacy self-hosted-runner deploy workflows have been removed in favor of this model. (`deploy-o11y.yml` remains for now; migrating observability to agent-cloud's o11y service is a tracked follow-up.)
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,3 +2,4 @@

		- [No co-authors in commits](feedback-no-coauthors.md) — never add Co-Authored-By trailers to commit messages
		- [agent-cloud deployment](project-agent-cloud-deployment.md) — WisBot deploys via agent-cloud as a pulled image; secrets in OpenBao, site values in site-config
		- [CodeRabbit PR workflow](feedback-coderabbit-pr-workflow.md) — all merges go through a PR; merge only when CodeRabbit fully passes; resolve findings + re-review first