Build images once, push to both ghcr.io and ACR

- docker.yml: push to ACR after ghcr.io build (gated on AZURE_CREDENTIALS)
- deploy.yml: trigger after docker.yml completes instead of building again
- Removes duplicate image builds between workflows

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: johnmathews

.github/workflows/deploy.yml

@@ -1,23 +1,19 @@
 name: Deploy to AKS
 
 on:
-  push:
+  workflow_run:
+    workflows: ["Build and Push Docker Images"]
     branches: [main]
-    paths:
-      - "src/**"
-      - "k8s/**"
+    types: [completed]
   workflow_dispatch:
 
 concurrency:
   group: deploy-aks
   cancel-in-progress: false
 
 jobs:
-  ci:
-    uses: ./.github/workflows/ci.yml
-
-  build-and-deploy:
-    needs: ci
+  deploy:
+    if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
     environment: production
 
@@ -29,22 +25,6 @@ jobs:
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
 
-      - name: Build and push gateway image to ACR
-        run: |
-          az acr build \
-            -r acrdocumentstream \
-            -t gateway:${{ github.sha }} \
-            -t gateway:latest \
-            -f src/gateway/Dockerfile .
-
-      - name: Build and push worker image to ACR
-        run: |
-          az acr build \
-            -r acrdocumentstream \
-            -t worker:${{ github.sha }} \
-            -t worker:latest \
-            -f src/worker/Dockerfile .
-
       - name: Set AKS context
         run: |
           az aks get-credentials \
@@ -57,20 +37,21 @@ jobs:
 
       - name: Update deployment image tags
         run: |
+          SHA=${{ github.event.workflow_run.head_sha || github.sha }}
           kubectl set image deployment/gateway \
-            gateway=acrdocumentstream.azurecr.io/gateway:${{ github.sha }} \
+            gateway=acrdocumentstream.azurecr.io/gateway:${SHA} \
             -n documentstream
 
           kubectl set image deployment/extract-worker \
-            extract-worker=acrdocumentstream.azurecr.io/worker:${{ github.sha }} \
+            extract-worker=acrdocumentstream.azurecr.io/worker:${SHA} \
             -n documentstream
 
           kubectl set image deployment/classify-worker \
-            classify-worker=acrdocumentstream.azurecr.io/worker:${{ github.sha }} \
+            classify-worker=acrdocumentstream.azurecr.io/worker:${SHA} \
             -n documentstream
 
           kubectl set image deployment/store-worker \
-            store-worker=acrdocumentstream.azurecr.io/worker:${{ github.sha }} \
+            store-worker=acrdocumentstream.azurecr.io/worker:${SHA} \
             -n documentstream
 
       - name: Wait for rollouts

.github/workflows/docker.yml

@@ -27,6 +27,16 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Log in to ACR
+        if: secrets.AZURE_CREDENTIALS != ''
+        uses: azure/login@v2
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Log in to ACR registry
+        if: secrets.AZURE_CREDENTIALS != ''
+        run: az acr login -n acrdocumentstream
+
       - uses: docker/build-push-action@v6
         with:
           context: .
@@ -35,3 +45,13 @@ jobs:
           tags: |
             ghcr.io/johnmathews/documentstream-${{ matrix.image }}:latest
             ghcr.io/johnmathews/documentstream-${{ matrix.image }}:${{ github.sha }}
+
+      - name: Push to ACR
+        if: secrets.AZURE_CREDENTIALS != ''
+        run: |
+          docker tag ghcr.io/johnmathews/documentstream-${{ matrix.image }}:${{ github.sha }} \
+            acrdocumentstream.azurecr.io/${{ matrix.image }}:${{ github.sha }}
+          docker tag ghcr.io/johnmathews/documentstream-${{ matrix.image }}:${{ github.sha }} \
+            acrdocumentstream.azurecr.io/${{ matrix.image }}:latest
+          docker push acrdocumentstream.azurecr.io/${{ matrix.image }}:${{ github.sha }}
+          docker push acrdocumentstream.azurecr.io/${{ matrix.image }}:latest