GitHub Environments deploying staging on tag push fails
I am trying to deploy infrastructure as code from main branch on multiple environments with GitHub environments. I want to deploy whenever there is merge/push to main in development env, but when there is a tag on the commit like r2022-09-07 deploy the code on a staging env. but it fails every time due to the protection rule.
This is the error I get when the code needs to be deployed on staging:
This is the ci.yml workflow I have for deploying on multiple env from main branch using GitHub env.
name: Lint, Compile and Deploy
on:
push:
branches: [main]
tags:
- 'r*'
pull_request:
jobs:
ci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: install deps
run: yarn --frozen-lockfile
- run: yarn lint
- run: yarn prettier
- run: yarn compile
- run: yarn synth
- run: yarn test
# CD: ci -> dev -> staging -> production
## only deploy to dev from main branch
deploy-dev:
if: ${{ github.ref_name == 'main' }}
needs: ci
runs-on: ubuntu-latest
environment:
name: Dev
url: https://...
env:
STACK: ...
AAD_TENANT: ...
ARM_TENANT_ID: ...
ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
steps:
- uses: actions/checkout@v3
- run: yarn --frozen-lockfile --production
- run: |
az login --service-principal --tenant $AAD_TENANT \
--username "${{ secrets.AZURE_CLIENT_ID }}" --password "${{ secrets.AZURE_CLIENT_SECRET }}"
yarn deploy $STACK --auto-approve
## deploy to staging only from main branch, if a commit has a tag starting with `r` (for ex. r2022-09-07)
deploy-staging:
if: ${{ startsWith(github.ref, 'refs/tags/r') }}
runs-on: ubuntu-latest
environment:
name: Staging
URL: ....
env:
STACK: ...
AAD_TENANT: ...
ARM_TENANT_ID: ...
ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }}
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
steps:
- uses: actions/checkout@v3
- run: yarn --frozen-lockfile --production
- run: |
az login --service-principal --tenant $AAD_TENANT \
--username "${{ secrets.AZURE_CLIENT_ID }}" --password "${{ secrets.AZURE_CLIENT_SECRET }}"
yarn deploy $STACK --auto-approve
Staging env protection rules configs:
I was following the official GitHub docs but didn't find anything specific for this case, any idea what should be fixed in the above yaml?
Based on your last screenshot, push events on the main branch are going to be permitted to use the Staging environment.
I've been playing around with Environments too and had my own question, which lead me to yours!
My suggestion would be to remove branch protections and then use workflow logic to call the specific Environment:
on:
push:
branches: [main]
tags:
- 'r*'
pull_request:
jobs:
ci:
if: startsWith(github.ref_name, 'r*') || github.ref_name == 'main'
runs-on: ubuntu-latest
environment: Staging
steps:
...
Edit based on comments made by OP on 10/12/2022
If you want to deploy to dev when you only push to main:
on:
push:
branches: [main]
jobs:
ci-dev-only:
if: github.ref_name == main
runs-on: ubuntu-latest
environment: dev
steps:
...
ci-staging:
if: github.ref_type == tag
runs-on: ubuntu-latest
environment: staging
steps:
...
ci-prod:
if: github.ref_type == tag && startsWith(github.ref_name, 'r*')
runs-on: ubuntu-latest
environment: prod
steps:
...
Keep in mind that tags are branch agnostic. You can't pin them on a branch.
That all being said, I think releasing to dev from your main branch is an anti-pattern. While there are some use cases that use main as a development branch, deployments to dev should be done in a branch. The reason being is that your main branch should be your source of truth. If your code is likely to change between your last push to main to when you tag it, it really should be done in a branch.
A better pattern would be that you push to staging on main, and then production on a tag.
But if you have a business case for your pattern, feel free to ignore me.
- Pycharm -- how can I push a local project to a remote organization repo?
- Git Clone - Repository not found
- Switched branch without commiting changes, what do I do now?
- GitHub Markdown Warning and Note all on one line
- java json schema validation relative path not working (URI not found)
- How can I test what my readme.md file will look like before committing to GitHub?
- What happens to a git submodule when its referenced repo is deleted?
- Remove a file from a Git Pull Request
- Rewriting URL request function to satisfy GitHub CodeQL server side request forgery (SSRF) warning
- all github action jobs are queued and never running
- How can I find the repository that has GitHub Pages enabled and is on a given domain?
- Error 400: Request contains an invalid argument while creating google_cloudbuild_trigger resource in Terraform from github source
- How to get count of pull requests made by a user on any repo belonging to an organization?
- gpg failed to sign the data fatal: failed to write commit object [Git 2.10.0]
- FetchContent access to private Git repository
- Remote anonymous access to repository denied?
- GitHub: How to do case sensitive search for the code in repository?
- View or Test README files *md in a browser prior to pushing to an online repository for rendering
- Quick access to 'invited' or 'watched' repository
- Github pages Jekyll theme "Minima" navigation not showing
- Global and environment secrets/variables
- ssh command -T option
- How to clone git repository from its zip
- Running actions in another directory
- How to determine the user that forked a repo into my organization?
- Untracking C drive in git
- How to filter and fetch GitHub repositories by topics
- Making a Git project open source when you have secret keys
- Creating folders inside a GitHub repository without using Git
- Multiple GitHub accounts on the same computer?