Automate staging deploys #108
Playwright Hosted Data-Flow (outcome: success). This optional check runs the mutation-backed profile flow against a configured hosted dev/staging target with isolated E2E test data.
Playwright Data-Flow Preview (outcome: success). Captured flow: artifacts include screenshots, traces, and recorded video for the flow run.
Playwright Image Diff (outcome: success). Changed screenshot baselines: none in this PR. This check compares public route screenshots against committed baselines. Inline images show only added or modified baseline PNGs.
Playwright Public Screenshot Preview (outcome: success). Screenshots: all public route checks passed on desktop and mobile. The full screenshot set is available in the artifact. Pixel diff baselines are handled by the separate Playwright Image Diff check.
Greptile Summary
This PR introduces a
Confidence Score: 4/5
Safe to merge; the workflow is fail-closed and the changes are limited to CI automation and documentation. The workflow logic is sound: the gate, ordering of Convex-then-Vercel deploys, and artifact upload are all correct. The three gaps are: manual dispatch carries no branch guard so a non-main SHA could overwrite shared staging; the step summary is written before the health check so it can look successful even when E2E fails; and one `GITHUB_OUTPUT` line writes a URL via a bare `echo` rather than the newline-safe heredoc form. None of these block the advertised use case of automated post-main staging deploys. `.github/workflows/staging-deploy.yml` deserves a second look for the three points above; the two documentation files are straightforward updates.
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([workflow_run: Baseline Checks on main\nOR workflow_dispatch]) --> B{conclusion == success\nOR manual?}
    B -- No --> Z([Skip job])
    B -- Yes --> C[Checkout ref]
    C --> D[Check staging gate\nall 6 secrets/vars present?]
    D -- Missing --> E[Write skip summary\necho enabled=false\nexit 0]
    E --> Z
    D -- All present --> F[echo enabled=true\nSetup pnpm + Node.js\nInstall deps]
    F --> G[Deploy Convex dev functions\nCONVEX_DEPLOY_KEY_DEV]
    G --> H[Deploy Vercel staging\n--target=staging\ncapture deployment_url]
    H --> I[Write step summary\ndeploy URL + hosted health target]
    I --> J[Install Playwright Chromium]
    J --> K[Run pnpm test:e2e:hosted\nagainst VRDEX_HOSTED_E2E_BASE_URL]
    K --> L[Upload artifacts\nplaywright-report, test-results]
    L --> M([Done])
    K -- fail --> L
```
Reviews (1): Last reviewed commit: "Add automated staging deploy workflow"
.github/workflows/staging-deploy.yml, around line 11:

```yaml
      - completed
    branches:
      - main
  workflow_dispatch:
```
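Review bot: the `workflow_run` trigger shown here does not by itself pin which commit gets deployed, and the flowchart's "Checkout ref" step is where that matters. For a `workflow_run` event, `github.sha` and `github.ref` point at the default branch head when the run starts, not at the commit the completed Baseline Checks run actually tested, so a push to `main` that lands between the two runs would be deployed without having passed the gate. Check out `${{ github.event.workflow_run.head_sha }}` explicitly (and print that SHA in the step summary) so the deployed commit is always the one that passed; the `branches: [main]` filter only constrains which triggering runs qualify, not what is checked out.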
Comment on `.github/workflows/staging-deploy.yml`, line 11:

**Manual dispatch can deploy non-main branches to shared staging**

`workflow_dispatch` carries no branch restriction, so anyone with Actions write access can trigger this from a feature branch and overwrite the shared Convex dev deployment and Vercel `staging` environment with unreviewed code. Since the concurrency group is always `staging-deploy-main`, a feature-branch manual run will also queue against (and potentially delay) the next automated main-branch staging update. Consider adding a branch check early in the job, e.g. refusing to proceed if `github.ref != 'refs/heads/main'` for non-emergency use, or at minimum noting the branch in the step summary so it is obvious when a non-main SHA was deployed.

.github/workflows/staging-deploy.yml, lines 63-64:

```bash
echo "enabled=true" >> "$GITHUB_OUTPUT"
echo "hosted_base_url=$HOSTED_BASE_URL" >> "$GITHUB_OUTPUT"
```
Comment on `.github/workflows/staging-deploy.yml`, lines 63-64:

**`GITHUB_OUTPUT` write is not injection-safe for multiline values**

Writing a variable value directly with `echo "key=$VALUE"` is flagged by GitHub's own hardening guide: if `HOSTED_BASE_URL` ever contains a literal newline or the string `%0A`, it would split into multiple output entries and silently break the health-check step. The recommended pattern is a heredoc delimiter, which is immune to embedded newlines.

```suggestion
echo "enabled=true" >> "$GITHUB_OUTPUT"
{
  echo "hosted_base_url<<EOF"
  echo "$HOSTED_BASE_URL"
  echo "EOF"
} >> "$GITHUB_OUTPUT"
```
.github/workflows/staging-deploy.yml, lines 103-108:

```bash
{
  echo "## Staging deploy"
  echo "Convex development functions deployed."
  echo "Vercel staging deployment: $deployment_url"
  echo "Hosted health target: ${{ steps.gate.outputs.hosted_base_url }}"
} >> "$GITHUB_STEP_SUMMARY"
```
Comment on `.github/workflows/staging-deploy.yml`, lines 103-108:

**Step summary written before E2E health check runs**

The step summary (including "Vercel staging deployment: URL") is appended inside the "Deploy Vercel staging" step, so it is visible even when the subsequent health check fails. A reader glancing at the summary will see a successful deployment URL without a clear indication that health validation did not pass. Consider deferring the full summary to a dedicated final step that runs `if: always() && steps.gate.outputs.enabled == 'true'` and emits a health outcome alongside the deploy URL, or at minimum adding a health result row after the health step.
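As an added example (not code from the PR, the project, or the review above), the following bash script replays the gate step's two `$GITHUB_OUTPUT` writes from the second comment against a temporary file and parses the result the way the runner would, so the bare `echo` and heredoc forms can be compared side by side; it also implements the branch guard asked for in the first comment as a function. The function names, the small parser and the sample value are assumptions made for this demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or the project. It replays the gate step's
# writes to $GITHUB_OUTPUT against a temp file so the bare-echo and heredoc forms
# can be compared, and adds the branch guard the first review comment asks for.
# All function names and the sample value below are invented for this demo.
set -eu

# Form used in the PR: a value containing a newline becomes extra entries, and a
# line such as "enabled=false" inside the value overrides the gate's own output.
write_output_unsafe() {          # $1 key, $2 value, $3 output file
  echo "$1=$2" >> "$3"
}

# Heredoc form with a random per-write delimiter (as GitHub's hardening guide
# recommends), so neither a newline nor a literal "EOF" line can close the entry.
write_output_safe() {            # $1 key, $2 value, $3 output file
  local delim
  delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$1" "$delim"
    printf '%s\n' "$2"
    printf '%s\n' "$delim"
  } >> "$3"
}

# Reader approximating the runner's parse: prints the last value recorded under
# a key, honouring both "key=value" lines and "key<<delim ... delim" blocks.
read_output() {                  # $1 key, $2 output file
  awk -v k="$1" '
    inblock { if ($0 == delim) { inblock = 0; next }
              if (cap) { val = val sep $0; sep = "\n" }
              next }
    match($0, /^[A-Za-z_][A-Za-z0-9_]*<</) {
              key = substr($0, 1, RLENGTH - 2); delim = substr($0, RLENGTH + 1)
              inblock = 1; cap = (key == k)
              if (cap) { val = ""; sep = ""; found = 1 }
              next }
    match($0, /^[A-Za-z_][A-Za-z0-9_]*=/) {
              if (substr($0, 1, RLENGTH - 1) == k) { val = substr($0, RLENGTH + 1); found = 1 } }
    END { if (found) print val }
  ' "$2"
}

# Number of top-level entries the runner would see in the file.
count_entries() {                # $1 output file
  awk '
    inblock { if ($0 == delim) inblock = 0; next }
    match($0, /^[A-Za-z_][A-Za-z0-9_]*<</) { delim = substr($0, RLENGTH + 1); inblock = 1; n++; next }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { n++ }
    END { print n + 0 }
  ' "$1"
}

# Branch guard for the manual trigger: workflow_run is already filtered to main
# by the trigger, but workflow_dispatch can be started from any ref.
gate_allows_ref() {              # $1 GITHUB_EVENT_NAME, $2 GITHUB_REF; 0 = allowed
  case "$1" in
    workflow_run)      return 0 ;;
    workflow_dispatch) [ "$2" = "refs/heads/main" ] ;;
    *)                 return 1 ;;
  esac
}

# Demo: the same constructed two-line value written both ways.
# Prints "bare echo: 3 entries, enabled=false" and "heredoc:   2 entries, enabled=true".
demo() {
  local unsafe safe value
  unsafe=$(mktemp); safe=$(mktemp)
  value=$(printf 'https://staging.example.test\nenabled=false')   # constructed input
  write_output_unsafe enabled true "$unsafe"
  write_output_unsafe hosted_base_url "$value" "$unsafe"
  write_output_safe   enabled true "$safe"
  write_output_safe   hosted_base_url "$value" "$safe"
  printf 'bare echo: %s entries, enabled=%s\n' "$(count_entries "$unsafe")" "$(read_output enabled "$unsafe")"
  printf 'heredoc:   %s entries, enabled=%s\n' "$(count_entries "$safe")"   "$(read_output enabled "$safe")"
  rm -f "$unsafe" "$safe"
}
demo
```

With the bare `echo`, the file ends up with three entries and `enabled` resolves to `false`, because the second line of the value is parsed as a fresh `enabled=` entry; that is why the hardening guide treats this as an injection, not just a formatting bug. With the heredoc the file keeps two entries and returns the two-line value intact. Generating the delimiter per write also closes the one gap left in the fixed-`EOF` suggestion: a value that itself contains an `EOF` line would otherwise terminate the block early.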
What changed
- `Staging Deploy` workflow that runs after successful `Baseline Checks` on `main`, plus manual dispatch.
- `staging`, then runs hosted `@flow` health against `VRDEX_HOSTED_E2E_BASE_URL`.

Current blocker
Repository secrets currently include `CONVEX_DEPLOY_KEY_DEV`, `VERCEL_ORG_ID`, `VERCEL_PROJECT_ID`, and `VRDEX_HOSTED_E2E_BROWSER_TOKEN`, but not `VERCEL_TOKEN`. Until `VERCEL_TOKEN` is added, the workflow will skip safely instead of partially deploying staging.

Testing
- `git diff --check`
- `pnpm dlx prettier --check .github/workflows/staging-deploy.yml docs/deployment/convex-environments.md docs/deployment/vercel-preview.md`

Risk
This introduces a post-main automation path, but it is gated fail-closed. When enabled, it will mutate the shared Convex dev deployment and Vercel `staging` environment only after `main` baseline checks pass.