fix(ci-cd): split release workflows (#1752)

tyler-dane · web-flow · commit 0abd991596cd · 2026-05-13T13:26:15.000-07:00
diff --git a/.github/workflows/bump-and-tag.yml b/.github/workflows/bump-and-tag.yml
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
@@ -0,0 +1,38 @@
+name: Deploy staging
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: 'Release tag being deployed, such as v1.2.3'
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag being deployed, such as v1.2.3'
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    name: Deploy staging
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Deploy release to staging
+        env:
+          RELEASE_TAG: ${{ inputs.tag }}
+          SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
+          SSH_HOST: ${{ secrets.STAGING_SSH_HOST }}
+          SSH_USER: ${{ secrets.STAGING_SSH_USER }}
+        run: |
+          echo "Deploying Compass ${RELEASE_TAG} to staging"
+          mkdir -p ~/.ssh
+          echo "$SSH_KEY" > ~/.ssh/staging_key
+          chmod 600 ~/.ssh/staging_key
+          ssh-keyscan -H "$SSH_HOST" >> ~/.ssh/known_hosts
+          ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "cd ~/compass && ./compass update"
diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml
@@ -7,7 +7,13 @@ on:
   workflow_call:
     inputs:
       tag:
-        description: 'Semver tag to build (e.g. v1.2.3)'
+        description: 'Semver tag to build, such as v1.2.3'
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Semver tag to build, such as v1.2.3'
         required: true
         type: string
 
@@ -16,22 +22,29 @@ permissions:
 
 jobs:
   publish:
+    name: Publish Docker images
     runs-on: ubuntu-latest
 
     steps:
-      - name: Check out repository
+      - name: Check out release tag
         uses: actions/checkout@v6
         with:
           ref: ${{ inputs.tag || github.ref }}
 
-      - name: Derive semver tags from git tag
+      - name: Derive Docker image tags
         id: version
         run: |
-          TAG="${{ inputs.tag || github.ref_name }}"  # e.g. v1.2.3
-          VERSION="${TAG#v}"                           # 1.2.3
-          MINOR="${VERSION%.*}"                        # 1.2
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "minor=${MINOR}"    >> "$GITHUB_OUTPUT"
+          release_tag="${{ inputs.tag || github.ref_name }}"
+          image_version="${release_tag#v}"
+          minor_tag="${image_version%.*}"
+
+          echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
+          echo "image_version=${image_version}" >> "$GITHUB_OUTPUT"
+          echo "minor_tag=${minor_tag}" >> "$GITHUB_OUTPUT"
+
+          echo "Release tag: ${release_tag}"
+          echo "Image version: ${image_version}"
+          echo "Minor tag: ${minor_tag}"
 
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
@@ -49,8 +62,8 @@ jobs:
           file: self-host/Dockerfile.backend
           push: true
           tags: |
-            switchbacktech/compass-backend:${{ steps.version.outputs.version }}
-            switchbacktech/compass-backend:${{ steps.version.outputs.minor }}
+            switchbacktech/compass-backend:${{ steps.version.outputs.image_version }}
+            switchbacktech/compass-backend:${{ steps.version.outputs.minor_tag }}
             switchbacktech/compass-backend:latest
 
       - name: Build and push compass-mongo
@@ -60,8 +73,8 @@ jobs:
           file: self-host/Dockerfile.mongo
           push: true
           tags: |
-            switchbacktech/compass-mongo:${{ steps.version.outputs.version }}
-            switchbacktech/compass-mongo:${{ steps.version.outputs.minor }}
+            switchbacktech/compass-mongo:${{ steps.version.outputs.image_version }}
+            switchbacktech/compass-mongo:${{ steps.version.outputs.minor_tag }}
             switchbacktech/compass-mongo:latest
 
       - name: Build and push compass-web
@@ -77,25 +90,8 @@ jobs:
           build-args: |
             BASEURL=http://localhost:3000/api
             GOOGLE_CLIENT_ID=compass-self-host-placeholder.apps.googleusercontent.com
-            COMPASS_BUILD_REF=${{ steps.version.outputs.version }}
+            COMPASS_BUILD_REF=${{ steps.version.outputs.image_version }}
           tags: |
-            switchbacktech/compass-web:${{ steps.version.outputs.version }}
-            switchbacktech/compass-web:${{ steps.version.outputs.minor }}
+            switchbacktech/compass-web:${{ steps.version.outputs.image_version }}
+            switchbacktech/compass-web:${{ steps.version.outputs.minor_tag }}
             switchbacktech/compass-web:latest
-
-  deploy-staging:
-    needs: publish
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Deploy to staging
-        env:
-          SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
-          SSH_HOST: ${{ secrets.STAGING_SSH_HOST }}
-          SSH_USER: ${{ secrets.STAGING_SSH_USER }}
-        run: |
-          mkdir -p ~/.ssh
-          echo "$SSH_KEY" > ~/.ssh/staging_key
-          chmod 600 ~/.ssh/staging_key
-          ssh-keyscan -H "$SSH_HOST" >> ~/.ssh/known_hosts
-          ssh -i ~/.ssh/staging_key "$SSH_USER@$SSH_HOST" "cd ~/compass && ./compass update"
diff --git a/.github/workflows/release-on-main.yml b/.github/workflows/release-on-main.yml
@@ -0,0 +1,74 @@
+name: Release on main
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+
+jobs:
+  tag-release:
+    name: Tag release
+    runs-on: ubuntu-latest
+    outputs:
+      release_tag: ${{ steps.tag.outputs.release_tag }}
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Bump patch version and push tag
+        id: tag
+        run: |
+          set -euo pipefail
+
+          max_attempts=5
+
+          for attempt in $(seq 1 "$max_attempts"); do
+            git fetch --force --tags origin
+
+            latest=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -1 || true)
+            [ -z "$latest" ] && latest="v0.0.0"
+
+            version="${latest#v}"
+            major="${version%%.*}"
+            rest="${version#*.}"
+            minor="${rest%%.*}"
+            patch="${rest#*.}"
+            release_tag="v${major}.${minor}.$((patch + 1))"
+
+            echo "Attempt ${attempt}/${max_attempts}: bumping ${latest} -> ${release_tag}"
+
+            if git tag "$release_tag" && git push origin "$release_tag"; then
+              echo "release_tag=${release_tag}" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+
+            git tag -d "$release_tag" >/dev/null 2>&1 || true
+            sleep "$attempt"
+          done
+
+          echo "Could not push a unique release tag after ${max_attempts} attempts." >&2
+          exit 1
+
+  publish-docker-images:
+    name: Publish Docker images
+    needs: tag-release
+    uses: ./.github/workflows/publish-docker-images.yml
+    with:
+      tag: ${{ needs.tag-release.outputs.release_tag }}
+    secrets: inherit
+
+  deploy-staging:
+    name: Deploy staging
+    needs:
+      - tag-release
+      - publish-docker-images
+    uses: ./.github/workflows/deploy-staging.yml
+    with:
+      tag: ${{ needs.tag-release.outputs.release_tag }}
+    secrets: inherit
diff --git a/docs/CI-CD/versioning.md b/docs/CI-CD/versioning.md
@@ -6,7 +6,7 @@ Compass uses two complementary version identifiers.
 
 Format: `v{MAJOR}.{MINOR}.{PATCH}` — e.g. `v0.5.4`
 
-- Bumped automatically on every merge to `main` (patch) by `bump-and-tag.yml`
+- Bumped automatically on every merge to `main` (patch) by `release-on-main.yml`
 - Minor/major bumps are manual: push a tag like `v0.6.0` directly
 - Used to tag Docker images on Docker Hub (`switchbacktech/compass-web:0.5.4`, `:0.5`, `:latest`)
 
@@ -22,10 +22,12 @@ A string baked into the web bundle at build time by `packages/web/build.ts` and
 
 ### How it flows in CI
 
-1. `bump-and-tag.yml` pushes `v0.5.4`
-2. `publish-images.yml` fires, sets `COMPASS_BUILD_REF=0.5.4` as a Docker build arg
-3. `build.ts` reads `COMPASS_BUILD_REF`, sets `BUILD_VERSION = "0.5.4"`
-4. Bundle and `version.json` both contain `"0.5.4"`
+1. `release-on-main.yml` pushes `v0.5.4` from its `tag-release` job.
+2. `release-on-main.yml` calls `publish-docker-images.yml` with `tag=v0.5.4`.
+3. `publish-docker-images.yml` sets `COMPASS_BUILD_REF=0.5.4` as a Docker build arg.
+4. `build.ts` reads `COMPASS_BUILD_REF`, sets `BUILD_VERSION = "0.5.4"`.
+5. Bundle and `version.json` both contain `"0.5.4"`.
+6. `release-on-main.yml` calls `deploy-staging.yml` after Docker publishing succeeds.
 
 ### Adding a new build context
 
diff --git a/docs/CI-CD/workflows.md b/docs/CI-CD/workflows.md
@@ -6,8 +6,9 @@ Compass uses GitHub Actions for continuous integration, Docker Hub for image dis
 |---|---|---|
 | Test | Push / PR to `main` | Runs lint, type-check, and unit tests |
 | CodeQL | Push / PR to `main` | Static security analysis |
-| Bump version and tag | Push to `main` | Auto-increments patch version, pushes a new semver tag |
-| Publish Docker images | Push a `v*.*.*` tag | Builds images, pushes to Docker Hub, deploys to staging |
+| Release on main | Push to `main` | Auto-increments patch version, publishes Docker images, then deploys staging |
+| Publish Docker images | Reusable workflow / manual dispatch / manual `v*.*.*` tag push | Builds and pushes Docker images only |
+| Deploy staging | Reusable workflow / manual dispatch | Pulls published images on staging and restarts the stack |
 | Sync docs to compass-docs | Push to `main` touching `docs/**` | Mirrors this `docs/` directory to docs.compasscalendar.com |
 
 ---
@@ -18,12 +19,20 @@ Every PR merge to `main` triggers a fully automated chain:
 
 ```
 PR merged to main
-  └─► bump-and-tag.yml        — reads latest tag, pushes v1.2.X+1
-        └─► publish-images.yml — builds & pushes images to Docker Hub
-              └─► deploy-staging  — SSHes into VPS, runs ./compass update
+  └─► release-on-main.yml
+        ├─► tag-release             — reads latest tag, pushes v1.2.X+1
+        ├─► publish-docker-images   — builds and pushes Docker Hub images
+        └─► deploy-staging          — SSHes into VPS, runs ./compass update
 ```
 
-**Monthly minor/major releases** remain manual: a maintainer pushes a tag like `v1.3.0` or `v2.0.0`, which skips the bump step and goes straight to publish + deploy.
+The automatic path calls reusable workflows directly. It uses `GITHUB_TOKEN` to
+push the git tag, then passes that tag to the publish and deploy workflows. It
+does not rely on the workflow-created tag push to trigger another workflow.
+
+**Monthly minor/major releases** remain manual: a maintainer pushes a tag like
+`v1.3.0` or `v2.0.0`, which skips the bump step and runs
+`Publish Docker images`. Staging deploys for manual tags are explicit: run
+`Deploy staging` with the existing tag after the images are published.
 
 ### Removing a test tag
 
@@ -36,11 +45,12 @@ git tag -d v1.2.3
 
 ## Publish Docker Images
 
-Source: [`.github/workflows/publish-images.yml`](../../.github/workflows/publish-images.yml)
+Source: [`.github/workflows/publish-docker-images.yml`](../../.github/workflows/publish-docker-images.yml)
 
 ### How it works
 
-1. A semver tag matching `v[0-9]+.[0-9]+.[0-9]+` is pushed (either by `bump-and-tag.yml` or manually).
+1. A semver tag is provided by `release-on-main.yml`, by manual workflow dispatch,
+   or by a manually pushed tag matching `v[0-9]+.[0-9]+.[0-9]+`.
 2. The workflow strips the `v` prefix and derives two tag aliases:
    - `1.2.3` — exact patch version
    - `1.2` — floating minor alias
@@ -49,27 +59,33 @@ Source: [`.github/workflows/publish-images.yml`](../../.github/workflows/publish
    - `switchbacktech/compass-mongo`
    - `switchbacktech/compass-web`
 4. Each image gets all three tags: `1.2.3`, `1.2`, and `latest`.
-5. After all images are pushed, the `deploy-staging` job runs.
 
 ### Tag pattern rules
 
-Only clean semver tags trigger the workflow. Tags with suffixes (e.g. `v1.2.3-test`) do not match and are safe to push for local testing without triggering a deploy.
+Only clean semver tags trigger this workflow from a tag push. Tags with suffixes
+(e.g. `v1.2.3-test`) do not match and are safe to push for local testing without
+publishing images.
 
 ---
 
 ## Staging Deploy
 
-Source: `deploy-staging` job in [`.github/workflows/publish-images.yml`](../../.github/workflows/publish-images.yml)
+Source: [`.github/workflows/deploy-staging.yml`](../../.github/workflows/deploy-staging.yml)
+
+The deploy workflow SSHes into the staging VPS and runs `./compass update`,
+which pulls the Docker Hub image tag configured by the staging `.env` file and
+restarts the stack. The workflow accepts a release tag input so the Actions logs
+show which release triggered or motivated the deploy.
 
-The deploy job SSHes into the staging VPS and runs `./compass update`, which pulls the latest Docker Hub images and restarts the stack.
+Manual staging redeploys do not rebuild images. Run `Deploy staging` with an
+existing tag after confirming the desired image tags already exist on Docker Hub.
 
 ### Required secrets
 
 All secrets go in **GitHub → Settings → Secrets and variables → Actions**:
 
 | Secret | Value |
 |---|---|
-| `COMPASS_CI_TOKEN` | Fine-grained PAT needed for the bump and tag workflow |
 | `DOCKERHUB_USERNAME` | Docker Hub username for the `switchbacktech` org |
 | `DOCKERHUB_TOKEN` | Docker Hub personal access token (Read & Write) |
 | `STAGING_SSH_HOST` | VPS IP address or hostname |
