跳至主要内容

Deploy workflow planning

This document closes the planning part of #212. It records the deploy workflow boundaries that should guide the implementation issue #1020. It does not create or modify deploy automation.

Current runbooks

SurfaceExisting sourceCurrent status
Backend staging APIbackend-staging-deploy.mdHas staging API target, GitHub Environment name, approval expectation, Atlas migration step, smoke script, and rollback limits.
Dashboarddashboard-deployment.mdHas Cloudflare Pages staging / production target, artifact contract, production API URL readback, smoke checklist, and rollback readback.
Dev Portaldev-portal/deployment.mdHas Cloudflare Pages manual setup, develop production branch model, preview readback, and rollback checklist for docs hosting only.
Extension packageapps/extension/README.mdHas Chrome Web Store / sideload package checklist and production package readback.
API schema changesservices/api/README.md, atlas-schema-reconciliation.mdAtlas owns schema migrations; API startup must not regain schema DDL ownership.

Decisions

Deploy entrypoints

The first repo-owned deploy workflow should be manual-first:

EnvironmentInitial triggerGateNotes
Backend stagingworkflow_dispatch with a commit SHAGitHub Environment staging-api approvalUse the backend staging runbook and smoke script.
Dashboard stagingworkflow_dispatch with a commit SHADashboard release owner approvalBuild apps/dashboard/dist and deploy to the staging Pages project.
Productionmanual promotion after staging readbackGitHub Environment production approvalDo not connect this to auto-ready or auto-merge.

Release PR automation remains separate. A develop -> main release PR can identify the candidate commit, but deploy must still require explicit environment approval and smoke readback.

GitHub Environments

Deploy implementation should use GitHub Environments for approval and secret scoping:

EnvironmentOwnerRequired approvalSecret / variable scope
staging-apibackend release owneryesstaging database URL, staging smoke token, staging API base URL
staging-dashboarddashboard release owneryesCloudflare Pages deployment credentials and staging project name
production-apibackend release owneryesproduction database URL, production API target, production smoke token
production-dashboarddashboard release owneryesproduction Pages credentials and production project name

Secrets must be configured by maintainers in GitHub / Cloudflare. AI agents may document expected names, but must not invent, rotate, or print secret values.

Migration strategy

Backend deploy must keep the existing Atlas ownership model:

  1. Build the API image from the exact commit SHA selected for deployment.
  2. Run atlas migrate apply --dir file://migrations --url "$ATLAS_DATABASE_URL" before starting the API process, as described by the backend staging runbook and Docker entrypoint.
  3. Capture migration status as applied, noop, or failed.
  4. If migration fails before startup, abort the deploy and keep the previous image serving traffic.
  5. Destructive migrations require a separate maintainer-approved rollback plan and backup before deployment.

The deploy workflow must not hide schema changes in server startup or Cloudflare configuration. Schema changes belong in services/api/migrations/.

Smoke and rollback

Every deploy path needs a readback before promotion:

SurfaceMinimum smoke readbackRollback evidence
Backend APIdeployment SHA, migration status, GET /health, GET /readyz, authenticated GET /api/v1/users/mefailed SHA, restored SHA, migration status, smoke output
Dashboardproduction package readback, login, authenticated routes, streamers, raffles, transactions, settings, network originrolled-back-from SHA, restored SHA, reason, smoke result
Dev Portalhomepage, llms.txt, manifest.json, search, source indexdeployment id / commit SHA, URL readback, checklist result
Extensionproduction package readback, Chrome load-unpacked smoke, Twitch side panel smoke, API origin readbackpackage SHA, submission state, rollback / resubmission note

Smoke failures should stop promotion. Production rollback should prefer the previous known-good artifact or image and then rerun the same smoke checklist.

Implementation issue

Follow-up implementation is tracked in #1020.

#1020 should be an R4 workflow / release PR because it will modify .github/workflows/** and deployment behavior. It should not use auto-ready, and it should include workflow regression coverage for deploy workflow routing.

Explicit non-goals

  • Do not add .github/workflows/deploy.yml in this planning PR.
  • Do not configure GitHub secrets, GitHub Environments, Cloudflare projects, DNS, or database credentials in this PR.
  • Do not combine contract deploy / verify, testnet, or mainnet with the backend / dashboard deploy workflow.
  • Do not make release PR creation automatically deploy production.
  • Do not change Atlas migrations or API startup behavior here.

Acceptance readback for #212

  • Staging / production deploy entrypoints are decided.
  • GitHub Environments and approval gates are documented.
  • Secrets, migration, rollback, and smoke readback responsibilities are documented without exposing secret values.
  • Follow-up implementation issue #1020 exists for the actual deploy workflow.