fix(ci): add workflow_call trigger so deploy.yml can reuse it#25

Merged
MorganOnCode merged 2 commits into master from fix/ci-workflow-call on May 15, 2026
Conversation

@MorganOnCode
Owner

The actual cause of the broken auto-deploy

Found while verifying PR #24's auto-deploy on master: the deploy workflow failed at parse time again, this time not at the SSH path (which #24 fixed) but at the preflight step.

`deploy.yml` line 16:
```yaml
jobs:
  ci:
    uses: ./.github/workflows/ci.yml
```

This is GitHub's reusable-workflow syntax. For it to work, the called workflow (`ci.yml`) must declare `workflow_call:` in its `on:` block. It didn't — only `push` and `pull_request` were listed. GitHub Actions rejects the deploy workflow before it starts, which is why every deploy run shows a 0-second `failure` with no logs.

So PR #24's path correction was right, but the workflow never got far enough to use it. This is the upstream cause.

Fix

One-line addition to `.github/workflows/ci.yml` `on:` block:

```yaml
workflow_call:
```

Test plan

After merge:

  • The deploy.yml run for THIS merge should no longer show a 0s failure
  • The `ci` job inside deploy.yml should run all the existing CI steps (lint, typecheck, test, build, docker, security)
  • After `ci` passes, the `deploy` job will attempt SSH — at this point we'll discover whether the `DEPLOY_HOST` / `DEPLOY_USER` / `DEPLOY_SSH_KEY` / `DEPLOY_PORT` secrets are configured (`gh secret list` returned empty, so they may not be)
  • If secrets are missing, the deploy job will fail loudly at the SSH step instead of silently at parse time

🤖 Generated with Claude Code
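As an added preflight check (not part of this PR or the repository's own code): a dependency-free script that flags any locally referenced reusable workflow that does not declare `workflow_call:`, run here against constructed copies of `deploy.yml` and of `ci.yml` before and after this fix. The sample workflow texts are constructed for the example.

```python
import re

# Matches `uses: ./.github/workflows/<file>.yml`, the local reusable-workflow form.
USES_RE = re.compile(r"^\s*uses:\s*(\./\.github/workflows/[\w.-]+\.ya?ml)")


def triggers(workflow_text: str) -> set[str]:
    """Event names under the top-level `on:` key. Line-based on purpose: no
    dependency, and PyYAML would load the bare key `on` as boolean True."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*([^#]*?)\s*(?:#.*)?$", line)
        if not m:
            continue
        if m.group(1):  # `on: push` or `on: [push, pull_request]`
            return {t.strip() for t in m.group(1).strip("[]").split(",")}
        found, base = set(), None  # block form: only direct children are events
        for child in lines[i + 1:]:
            stripped = child.strip()
            if not stripped or stripped.startswith("#"):
                continue
            indent = len(child) - len(child.lstrip())
            if indent == 0:
                break  # reached the next top-level key
            base = base or indent
            if indent == base:  # `push:` counts, `branches:` under it does not
                found.add(stripped.lstrip("- ").split(":")[0].strip())
        return found
    return set()


def missing_workflow_call(caller_text: str, workflows: dict[str, str]) -> list[str]:
    """Paths the caller `uses:` that are absent or do not declare `workflow_call`."""
    bad = []
    for line in caller_text.splitlines():
        m = USES_RE.match(line)
        if m and "workflow_call" not in triggers(workflows.get(m.group(1), "")):
            bad.append(m.group(1))
    return bad


# Constructed samples modelled on the PR: the caller, and ci.yml before/after the fix.
DEPLOY_YML = "name: deploy\non:\n  push:\n    branches: [master]\njobs:\n  ci:\n    uses: ./.github/workflows/ci.yml\n"
CI_BEFORE = "name: ci\non:\n  push:\n    branches: [master]\n  pull_request:\njobs: {}\n"
CI_AFTER = CI_BEFORE.replace("  pull_request:\n", "  pull_request:\n  workflow_call:\n")

if __name__ == "__main__":
    for label, ci in (("before", CI_BEFORE), ("after", CI_AFTER)):
        print(label, missing_workflow_call(DEPLOY_YML, {"./.github/workflows/ci.yml": ci}))
```

Running it over a checkout's `.github/workflows/` directory before merging would have caught this parse-time failure without a deploy run.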

MorganOnCode and others added 2 commits May 15, 2026 08:11
deploy.yml's first job does `uses: ./.github/workflows/ci.yml` (the
reusable-workflow syntax), but ci.yml only declared `push` and
`pull_request` triggers. GitHub Actions rejects the deploy workflow
at parse time with a 0-second failure on every merge.

This is the upstream cause of the broken auto-deploy that PR #24
appeared to fix at the SSH layer -- PR #24's path correction is
correct, but the workflow never got far enough to use it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

PR #24 added `COPY SKILL.md ./SKILL.md` to the Dockerfile so the
/SKILL.md route in the new agent-discovery plugin has a file to read,
but `.dockerignore` had `*.md` excluding all markdown from the build
context. The docker-build job failed silently in PR #24 (other CI
jobs were green so the merge proceeded) and resurfaced on PR #25 once
attention was on the deploy pipeline.

Adds `!SKILL.md` to un-ignore the one markdown file we need at runtime,
with an inline comment so the reason for the exception is obvious.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@MorganOnCode MorganOnCode merged commit 2a974aa into master May 15, 2026
5 checks passed
@MorganOnCode MorganOnCode deleted the fix/ci-workflow-call branch May 15, 2026 08:31
MorganOnCode added a commit that referenced this pull request May 15, 2026
The VPS is reachable only over Tailscale; SSH is closed to the public
internet. Re-enabling auto-deploy via appleboy/ssh-action would require
widening the firewall to GitHub's runner IP ranges -- a strictly worse
security posture for a payment facilitator with a live mainnet seed
phrase on disk.

Changes:
- Delete .github/workflows/deploy.yml (was broken on every merge anyway:
  parse-time failures before #25, missing DEPLOY_* secrets after #25)
- Document the canonical phased manual deploy in docs/operations.md
  (matches the pattern we used for the 2026-05-15 quick-wins deploy)
- Add a "production deploys are manual by design" section to
  docs/deployment.md explaining why and pointing to the runbook
- CI (.github/workflows/ci.yml) stays untouched -- it runs only inside
  the runner with no outbound SSH

If auto-deploy is ever wanted again, the right shape is the Tailscale
GitHub Action, which adds the runner to the tailnet for the deploy
duration without opening any public port. Deferred until there's need.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>