
chore: retire deploy.yml in favor of Tailscale-only manual deploys#40

Merged: MorganOnCode merged 1 commit into master from chore/retire-auto-deploy on May 15, 2026

Conversation

@MorganOnCode
Owner

Why

The VPS is reachable only over Tailscale; public SSH is closed. Re-enabling auto-deploy via `appleboy/ssh-action` would require widening the firewall to GitHub's runner IP ranges — a strictly worse security posture for a payment facilitator with a live mainnet seed phrase on disk. Per the user's call.

`deploy.yml` has been broken on every merge since the rename anyway (parse-time failures pre-#25, missing `DEPLOY_*` secrets post-#25). Better to remove it than leave a confusing always-red workflow in the actions tab.

Changes

  • Delete `.github/workflows/deploy.yml`
  • Document the canonical phased manual deploy procedure in `docs/operations.md` (matches what we used for the 2026-05-15 quick-wins deploy — pull, tag rollback, build, smoke-test on side port, swap, verify)
  • Note in `docs/deployment.md` that production deploys are manual by design with a pointer to the runbook
  • CI (`ci.yml`) stays untouched — it only runs inside the runner, no outbound SSH

What stays the same

  • Every push/PR still triggers CI (lint, typecheck, test, build, docker, security audit)
  • Branch protection remains
  • `bash deploy.sh` still works for routine deploys; the new phased procedure is for changes that touch `docker-compose.prod.yml` or `Dockerfile`

Test plan

  • CI still runs and passes on this PR
  • Actions tab no longer shows a perpetually-red Deploy workflow after merge
  • `docs/operations.md` "Manual deploy procedure" section renders cleanly

🤖 Generated with Claude Code
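The phased procedure the PR documents (pull, tag rollback, build, smoke-test on a side port, swap, verify) written out as a POSIX shell script. This is an added example, not the repository's `deploy.sh` or its `docs/operations.md` runbook; `docker-compose.prod.yml` and `Dockerfile` are the names from the PR, while the service name `app`, the image tag `app:latest`, the container port `8080`, the side port `18080` and the `/health` path are assumptions. `DRY_RUN=1` prints the plan instead of executing it, and a failed verify prints the rollback command rather than running it, because production deploys here are manual by design.

```shell
#!/bin/sh
# Phased manual deploy as a script: pull, tag rollback, build, smoke-test on a
# side port, swap, verify. Added example; not the project's deploy.sh.
# Assumed names: service/image "app", container port 8080, side port 18080,
# health path /health. The compose file name is the one named in the PR.
set -eu

COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.prod.yml}"
SERVICE="${SERVICE:-app}"
IMAGE="${IMAGE:-app:latest}"
APP_PORT="${APP_PORT:-8080}"
SIDE_PORT="${SIDE_PORT:-18080}"
PROBE_CMD="${PROBE_CMD:-curl -fsS -o /dev/null}"
SMOKE_INTERVAL="${SMOKE_INTERVAL:-2}"
DRY_RUN="${DRY_RUN:-0}"

# Every host-mutating command goes through run() so the full plan can be
# reviewed with DRY_RUN=1 before anything is executed.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Rollback tag from the image name (tag stripped) plus a UTC timestamp, so
# several rollback points can coexist: app:latest -> app:rollback-<stamp>.
rollback_tag() {
  printf '%s:rollback-%s\n' "${1%:*}" "$2"
}

# Probe a health URL up to $2 times; returns 1 if it never answers.
smoke_probe() {
  url=$1; tries=$2; n=0
  while [ "$n" -lt "$tries" ]; do
    if run $PROBE_CMD "$url"; then return 0; fi
    n=$((n + 1)); sleep "$SMOKE_INTERVAL"
  done
  return 1
}

# Phase 1: bring the checkout to the commit being deployed.
phase_pull() { run git pull --ff-only; }

# Phase 2: keep the currently running image reachable under a rollback tag.
phase_tag_rollback() { run docker tag "$IMAGE" "$1"; }

# Phase 3: build the new image without starting it.
phase_build() { run docker compose -f "$COMPOSE_FILE" build "$SERVICE"; }

# Phase 4: run a throwaway copy on the side port and check its health endpoint
# before production is touched; the copy is removed either way.
phase_smoke_test() {
  run docker compose -f "$COMPOSE_FILE" run -d --rm --name "${SERVICE}-smoke" \
      -p "${SIDE_PORT}:${APP_PORT}" "$SERVICE"
  if smoke_probe "http://127.0.0.1:${SIDE_PORT}/health" 10; then
    run docker rm -f "${SERVICE}-smoke"
  else
    run docker rm -f "${SERVICE}-smoke"
    return 1
  fi
}

# Phase 5: swap production over to the freshly built image.
phase_swap() { run docker compose -f "$COMPOSE_FILE" up -d "$SERVICE"; }

# Phase 6: verify the real service answers on its normal port.
phase_verify() { smoke_probe "http://127.0.0.1:${APP_PORT}/health" 10; }

deploy() {
  ROLLBACK=$(rollback_tag "$IMAGE" "$(date -u +%Y%m%d%H%M%S)")
  phase_pull
  phase_tag_rollback "$ROLLBACK"
  phase_build
  phase_smoke_test || { echo "smoke test failed on :$SIDE_PORT; production untouched" >&2; return 1; }
  phase_swap
  phase_verify || {
    echo "verify failed; roll back with: docker tag $ROLLBACK $IMAGE && docker compose -f $COMPOSE_FILE up -d $SERVICE" >&2
    return 1
  }
  echo "deployed $IMAGE (rollback point: $ROLLBACK)"
}

# Usage: sh deploy-phased.sh plan   (print the plan)   |   sh deploy-phased.sh deploy
case "${1:-}" in
  plan) DRY_RUN=1; deploy ;;
  deploy) deploy ;;
esac
```

The rollback is deliberately a printed command rather than an automatic step: after a failed verify the operator decides whether to roll back or fix forward, which is the same judgement call the manual runbook leaves to whoever is on the Tailscale session.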

The VPS is reachable only over Tailscale; SSH is closed to the public
internet. Re-enabling auto-deploy via appleboy/ssh-action would require
widening the firewall to GitHub's runner IP ranges -- a strictly worse
security posture for a payment facilitator with a live mainnet seed
phrase on disk.

Changes:
- Delete .github/workflows/deploy.yml (was broken on every merge anyway:
  parse-time failures before #25, missing DEPLOY_* secrets after #25)
- Document the canonical phased manual deploy in docs/operations.md
  (matches the pattern we used for the 2026-05-15 quick-wins deploy)
- Add a "production deploys are manual by design" section to
  docs/deployment.md explaining why and pointing to the runbook
- CI (.github/workflows/ci.yml) stays untouched -- it runs only inside
  the runner with no outbound SSH

If auto-deploy is ever wanted again, the right shape is the Tailscale
GitHub Action, which adds the runner to the tailnet for the deploy
duration without opening any public port. Deferred until there's need.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@MorganOnCode MorganOnCode merged commit 2ba86cc into master May 15, 2026
5 checks passed
@MorganOnCode MorganOnCode deleted the chore/retire-auto-deploy branch May 15, 2026 08:59