From aa52b696c84ffe033d4eccb0f8f1df7fd02e91af Mon Sep 17 00:00:00 2001 From: cosmin chauciuc Date: Wed, 10 Jun 2026 07:15:05 +0300 Subject: [PATCH] ci: skip deploy jobs until DEPLOY_ENABLED is set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Release workflow has failed on every main push since it landed: the deploy-staging job runs helm against an empty kubeconfig because no staging cluster (and no KUBE_CONFIG secret) exists yet. Gate deploy-staging and deploy-prod on the repository variable DEPLOY_ENABLED == 'true' so they show as skipped instead of failed, while image build + push to GHCR keeps running. When a cluster exists, enabling deploys is one variable plus the KUBE_CONFIG environment secret — documented in the workflow header and deploy/README.md. Co-Authored-By: Claude Fable 5 --- .github/workflows/release.yml | 11 +++++++---- deploy/README.md | 1 + 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 81f93b1..2cf88c8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,9 +6,12 @@ name: Release # required reviewers) # manual -> build only (workflow_dispatch) # -# Required GitHub Environment secrets: +# Deploys are OFF until a cluster exists. To enable, set the repository +# variable DEPLOY_ENABLED=true (Settings -> Secrets and variables -> Actions -> +# Variables) and add the per-environment secret: # staging / production: KUBE_CONFIG (base64-encoded kubeconfig for the cluster) -# Images push to GHCR using the built-in GITHUB_TOKEN (packages: write). +# Until then the deploy jobs are skipped and this workflow only builds + pushes +# images to GHCR (using the built-in GITHUB_TOKEN, packages: write). on: push: 
@@ -78,7 +81,7 @@ jobs: deploy-staging: name: Deploy to staging needs: images - if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/main' && vars.DEPLOY_ENABLED == 'true' runs-on: ubuntu-latest environment: staging steps: @@ -92,7 +95,7 @@ jobs: deploy-prod: name: Deploy to production needs: images - if: startsWith(github.ref, 'refs/tags/v') + if: startsWith(github.ref, 'refs/tags/v') && vars.DEPLOY_ENABLED == 'true' runs-on: ubuntu-latest environment: production steps: diff --git a/deploy/README.md b/deploy/README.md index 079454d..81fd5f6 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -103,6 +103,7 @@ else comes from the chart defaults plus an optional committed overlay | What | Where | Value | |------|-------|-------| +| `DEPLOY_ENABLED` | Repository **variable** (Actions → Variables) | `true` to enable the deploy jobs; unset/anything else and they are skipped (the workflow still builds + pushes images) | | `KUBE_CONFIG` | Environment secret on **staging** and **production** | base64-encoded kubeconfig for that cluster | | Required reviewers | **production** environment protection rules | who approves prod deploys | | Packages: write | repo default `GITHUB_TOKEN` | already granted in the workflow |
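Review bot: In the deploy-staging hunk of release.yml, the new condition `vars.DEPLOY_ENABLED == 'true'` checks only the flag, not that the KUBE_CONFIG secret exists, so setting the variable before the secret is added reproduces the failure the commit message describes (helm running against an empty kubeconfig). Consider a first step in the job that exits with a clear error when KUBE_CONFIG is empty, or state in the workflow header comment that the secret has to be in place before the variable is flipped.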
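Review bot: In the deploy-prod hunk of release.yml, the production gate reuses the same repository variable as staging, so enabling staging deploys also arms production for the next `refs/tags/v` push, leaving the production environment's required reviewers as the only remaining control. If the staging cluster is expected to exist first, a separate flag per environment (for example a hypothetical DEPLOY_PROD_ENABLED) would keep a version tag from attempting a production deploy before its KUBE_CONFIG is set.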
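Review bot: In the deploy/README.md hunk, the new `DEPLOY_ENABLED` row says "unset/anything else and they are skipped", which is broader than what the workflow does: GitHub Actions expressions compare strings case-insensitively, so `True` or `TRUE` also satisfy `vars.DEPLOY_ENABLED == 'true'`. Reword the cell to say that any casing of `true` enables the deploy jobs, and note there that this single variable gates both staging and production.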