groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: remove 'Update Infra Image Tags' deploy job

Browse Source 
The deploy job required INFRA_DEPLOY_TOKEN (a GitHub PAT) stored as a
repo secret, which violates the board directive against storing tokens
in repo secrets. Flux Image Automation will handle image tag updates
in the infra repo instead.

Fixes #72

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Groom Book CTO
2026-03-19 21:09:11 +00:00
parent 5b52c07219
commit 095c2c80e5
1 changed files with 0 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/ci.yml
-45
View File
@@ -115,8 +115,6 @@ jobs:
permissions: permissions:
contents: read contents: read
packages: write packages: write
outputs:
version: ${{ steps.version.outputs.tag }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -187,46 +185,3 @@ jobs:
ghcr.io/groombook/web:latest ghcr.io/groombook/web:latest
cache-from: type=gha cache-from: type=gha
cache-to: type=gha,mode=max cache-to: type=gha,mode=max
deploy:
name: Update Infra Image Tags
runs-on: ubuntu-latest
needs: [docker]
if: github.ref == 'refs/heads/main'
steps:
- name: Checkout infra repo
uses: actions/checkout@v4
with:
repository: groombook/infra
token: ${{ secrets.INFRA_DEPLOY_TOKEN }}
path: infra
- name: Update image tags
env:
VERSION: ${{ needs.docker.outputs.version }}
run: |
cd infra
# Match any existing version tag (CalVer YYYY.MM.DD-sha or legacy 40-char SHA)
TAG_PATTERN='[0-9a-z][0-9a-z._-]*'
sed -i "s|ghcr.io/groombook/api:${TAG_PATTERN}|ghcr.io/groombook/api:${VERSION}|g" apps/groombook/api.yaml
sed -i "s|ghcr.io/groombook/web:${TAG_PATTERN}|ghcr.io/groombook/web:${VERSION}|g" apps/groombook/web.yaml
sed -i "s|ghcr.io/groombook/migrate:${TAG_PATTERN}|ghcr.io/groombook/migrate:${VERSION}|g" apps/groombook/migrate-job.yaml
sed -i "s|ghcr.io/groombook/seed:${TAG_PATTERN}|ghcr.io/groombook/seed:${VERSION}|g" apps/groombook/seed-job.yaml
sed -i "s|groombook.dev/image-version: \".*\"|groombook.dev/image-version: \"${VERSION}\"|g" apps/groombook/api.yaml apps/groombook/web.yaml
- name: Commit and push
env:
VERSION: ${{ needs.docker.outputs.version }}
run: |
cd infra
git config user.name "groombook-ci[bot]"
git config user.email "ci@groombook.dev"
if git diff --quiet; then
echo "No changes to commit"
exit 0
fi
git add -A
git commit -m "deploy: update images to v${VERSION}
Source: https://github.com/groombook/groombook/commit/${GITHUB_SHA}"
git push