Skip to content

Enable automatic pre-prod deploy after main merges #55

Description

@iainherd

Goal

Enable automatic deployment of merged main builds to the password-gated pre-prod site at https://lircap.pendragon.bot/, so preview updates are visible after issue PRs merge without a manual VPS sync.

Context

During the #7/#12/#13 sequence, GitHub CI passed and main advanced, but https://lircap.pendragon.bot/ continued serving the first skeleton bundle until a manual redeploy was run.

Current deploy state:

  • .github/workflows/ci.yml verifies PRs and pushes to main.
  • .github/workflows/deploy-preprod.yml is manual and currently builds/uploads dist/ only.
  • Actual sync to the VPS is documented in docs/deploy/preprod-live.md and is manual:
    • build dist/
    • archive it
    • copy to backoffice via /root/.ssh/pendragon_hetzner_ed25519
    • extract to /opt/lircap-preprod/site
    • restart the Caddy Docker Compose service
  • Pre-prod is password-gated by Caddy basic auth and must remain protected.

Delegate implementation profile

Primary implementation profile: agent:devops-deployer.

Required review profiles before merge:

  • agent:code-security-reviewer
  • agent:orchestrator
  • optionally agent:browser-qa-reviewer for post-deploy smoke evidence

Acceptance criteria

  • A GitHub Actions path deploys main automatically to lircap.pendragon.bot after the CI quality gate passes.
  • Deployment only runs from trusted refs/events, not arbitrary fork PRs.
  • SSH host, username, key, and any deploy paths/secrets are sourced from GitHub Actions secrets or repository/environment variables, not committed source.
  • The workflow builds/verifies the static site before deployment, or depends on the existing successful CI gate before syncing.
  • Deployment sync is atomic or near-atomic enough to avoid leaving an empty/broken site/ directory if transfer fails.
  • Password gate, Caddy security headers, and static-only serving model remain intact.
  • Post-deploy smoke checks verify at minimum:
    • unauthenticated / returns 401 with WWW-Authenticate;
    • authenticated /, /team/, /contact/, /robots.txt, and /sitemap.xml return expected content;
    • no secrets are printed in workflow logs.
  • Documentation is updated with the auto-deploy model, required GitHub secrets/variables, rollback path, and how to trigger/re-run deploys.
  • The old manual deploy workflow is either converted safely or clearly retained as a manual fallback.

Security constraints

  • Do not print SSH keys, basic-auth credentials, password hashes, tokens, or secret values in logs, comments, PR bodies, or docs.
  • Do not weaken the Caddy basic-auth gate.
  • Do not expose lircap.pendragon.bot unauthenticated.
  • Do not add third-party deployment services unless explicitly approved.
  • Avoid disabling host-key checks unless a documented host-key pinning alternative is impossible; prefer a pinned known_hosts secret/variable.

Suggested implementation notes

  • Consider using a dedicated GitHub Environment such as preprod with required secrets:
    • PREPROD_SSH_HOST
    • PREPROD_SSH_USER
    • PREPROD_SSH_KEY
    • PREPROD_SSH_KNOWN_HOSTS
    • optional PREPROD_SITE_PATH
  • Prefer rsync or tar-over-ssh into a release directory, then swap a symlink or move into place to avoid partial deploys.
  • Keep a manual workflow_dispatch redeploy path for emergency redeploy/rollback.
  • Record real post-deploy smoke evidence in the PR or docs.

Verification

Before sign-off, run and report:

  • GitHub Actions run URL for an automatic deploy from main.
  • Workflow logs showing build/verify/deploy/smoke succeeded without secret leakage.
  • External smoke evidence for unauthenticated 401.
  • Authenticated route smoke evidence gathered without printing credentials.
  • Repository docs updated and tests/build still passing.

Metadata

Metadata

Assignees

No one assigned

    Labels

    agent:browser-qa-reviewerBrowser QA reviewer: screenshots, responsive, console, accessibility, reduced-motion, Lighthouse/axeagent:code-security-reviewerCode/security reviewer: code quality, secrets, attack surface, auth gate, headers, forms.agent:devops-deployerDevOps deployer: VPS, DNS, Caddy, password gate, CI/CD, deploy smoke tests.agent:orchestratorMorwenna/orchestrator: owns issue sequencing, repo state, PR/deploy verification, and final evidencepriority:highpriority hightype:devopstype devopstype:workflowtype workflow

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions