ci: staged deployment — push to main→staging, git tag→prod

- Push to main builds ARM64 image and deploys to docfast-staging namespace - Push a version tag (v*) promotes latest image to docfast namespace (prod) - Both use same deployer SA with namespace-scoped RBAC
2026-02-18 12:40:00 +00:00 · 2026-02-18 12:40:00 +00:00 · 02b2408772
commit 02b2408772
parent 681745f08f
2 changed files with 60 additions and 7 deletions
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@ -1,12 +1,12 @@
-name: Build & Deploy to K3s
+name: Build & Deploy to Staging

 on:
  push:
    branches: [ main ]

 jobs:
-  build-and-deploy:
-    name: Build & Deploy
+  build-and-stage:
+    name: Build & Deploy to Staging
    runs-on: ubuntu-latest

    steps:
@ -36,7 +36,7 @@ jobs:
          git.cloonar.com/openclawd/docfast:${{ github.sha }}
        platforms: linux/arm64

-    - name: Deploy to K3s
+    - name: Deploy to Staging
      run: |
        curl -sLO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
        chmod +x kubectl
@ -45,9 +45,9 @@ jobs:

        ./kubectl set image deployment/docfast \
          docfast=git.cloonar.com/openclawd/docfast:${{ github.sha }} \
-          -n docfast --kubeconfig=/tmp/kubeconfig.yaml
+          -n docfast-staging --kubeconfig=/tmp/kubeconfig.yaml

        ./kubectl rollout status deployment/docfast \
-          -n docfast --kubeconfig=/tmp/kubeconfig.yaml --timeout=180s
+          -n docfast-staging --kubeconfig=/tmp/kubeconfig.yaml --timeout=180s

-        echo "✅ Deploy complete!"
+        echo "✅ Staging deploy complete!"
--- a/.forgejo/workflows/promote.yml
+++ b/.forgejo/workflows/promote.yml
@ -0,0 +1,53 @@
+name: Promote to Production
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  promote:
+    name: Deploy to Production
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Install kubectl
+      run: |
+        curl -sLO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+        chmod +x kubectl
+
+    - name: Get image from tag
+      id: image
+      run: |
+        # Tag format: v0.2.1 or v0.2.1-rc1
+        # The staging pipeline already pushed the image with the commit SHA
+        # We retag with the version tag for traceability
+        echo "tag=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+
+    - name: Login to Forgejo Registry
+      uses: docker/login-action@v3
+      with:
+        registry: git.cloonar.com
+        username: openclawd
+        password: ${{ secrets.REGISTRY_TOKEN }}
+
+    - name: Retag image for production
+      run: |
+        # Pull latest staging image and tag with version
+        docker pull --platform linux/arm64 git.cloonar.com/openclawd/docfast:latest
+        docker tag git.cloonar.com/openclawd/docfast:latest \
+          git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }}
+        docker push git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }}
+
+    - name: Deploy to Production
+      run: |
+        echo "${{ secrets.KUBECONFIG }}" | base64 -d > /tmp/kubeconfig.yaml
+
+        ./kubectl set image deployment/docfast \
+          docfast=git.cloonar.com/openclawd/docfast:${{ steps.image.outputs.tag }} \
+          -n docfast --kubeconfig=/tmp/kubeconfig.yaml
+
+        ./kubectl rollout status deployment/docfast \
+          -n docfast --kubeconfig=/tmp/kubeconfig.yaml --timeout=180s
+
+        echo "✅ Production deploy complete! Version: ${{ steps.image.outputs.tag }}"