
Add deploy workflow that builds image and dispatches infra bump#17

Merged
koinsaari merged 1 commit into main from feat/deploy-workflow on May 30, 2026

Conversation

@koinsaari (Contributor) commented May 30, 2026

Summary

  • Builds the api-proxy Docker image and pushes to GHCR (tagged with both the commit SHA and latest)
  • Fires a repository_dispatch event of type api-proxy-bump at Stoganet/infra with the SHA + digest in the payload
  • Infra owns the actual file modification, commit, and push — see companion PR in infra

No SSH, NetBird, host scripts, or file modifications against infra from this repo. The bridge is a single dispatch call.

Prerequisites before this workflow can succeed

  • INFRA_DISPATCH_TOKEN repo secret on api-proxy: fine-grained PAT scoped to Stoganet/infra with contents: write (required to fire repository_dispatch)
  • The corresponding api-proxy-bump.yml workflow must be merged in infra
  • The api-proxy service block must exist in infra/compose/docker-compose.yml with a pinned ghcr.io/stoganet/api-proxy@sha256:... reference (infra's workflow fails fast otherwise)

Test plan

  • After merge, push a trivial change to main and verify:
    • build-and-push produces a real digest in GHCR
    • trigger-infra-bump successfully fires the dispatch (visible in infra's Actions tab as a repository_dispatch run)
  • Verify the preflight fails cleanly when INFRA_DISPATCH_TOKEN is unset

Closes #15
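As an added example, not the project's deploy.yml and not koinsaari's code, the sender side of the bridge described above written as a stand-alone script: the preflight guard for INFRA_DISPATCH_TOKEN, strict validation of the commit SHA and image digest before anything leaves the runner, and the repository_dispatch call itself. Only Stoganet/infra, the event type api-proxy-bump, the image ghcr.io/stoganet/api-proxy and the secret name INFRA_DISPATCH_TOKEN come from the PR description; INFRA_REPO, EVENT_TYPE, IMAGE_NAME, DRY_RUN, the function names and the extra `image` field in client_payload are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: sender side of the api-proxy -> infra bridge as a stand-alone
# script. Not Stoganet/api-proxy's deploy.yml; INFRA_REPO, EVENT_TYPE,
# IMAGE_NAME, DRY_RUN and the function names are illustrative assumptions.
# `set -eu` instead of `set -euo pipefail` so it also runs under plain sh; no
# pipeline below can hide a failing command (grep/gh is always the last stage).
set -eu

INFRA_REPO="${INFRA_REPO:-Stoganet/infra}"             # repository_dispatch target
EVENT_TYPE="${EVENT_TYPE:-api-proxy-bump}"             # event_type infra listens for
IMAGE_NAME="${IMAGE_NAME:-ghcr.io/stoganet/api-proxy}"

# Preflight: refuse to start if the cross-repo token is missing. A secret that
# is defined but empty passes `set -u`, so the check is -z, not `set -u`.
preflight() {
  if [ -z "${INFRA_DISPATCH_TOKEN:-}" ]; then
    echo "::error::INFRA_DISPATCH_TOKEN is not set; cannot fire repository_dispatch" >&2
    return 1
  fi
  return 0
}

# An image digest is exactly "sha256:" plus 64 lowercase hex characters; a
# commit SHA is exactly 40. Anything else (empty string, a tag such as
# "latest", a truncated hash) is rejected before it can reach infra.
validate_digest() { printf '%s' "${1:-}" | grep -Eq '^sha256:[0-9a-f]{64}$'; }
validate_sha()    { printf '%s' "${1:-}" | grep -Eq '^[0-9a-f]{40}$'; }

# Render the request body: event_type plus a client_payload carrying the
# commit SHA, the digest, and the digest-pinned reference infra will write.
# Both values are validated hex, so no JSON escaping is needed.
build_payload() {
  local sha="$1" digest="$2"
  validate_sha "$sha"       || { echo "::error::malformed commit sha: '$sha'" >&2; return 1; }
  validate_digest "$digest" || { echo "::error::malformed image digest: '$digest'" >&2; return 1; }
  printf '{"event_type":"%s","client_payload":{"sha":"%s","digest":"%s","image":"%s@%s"}}' \
    "$EVENT_TYPE" "$sha" "$digest" "$IMAGE_NAME" "$digest"
}

# Fire the event. With DRY_RUN=1 the request is printed instead of sent, so the
# guards can be exercised without network access or a real token.
dispatch_infra_bump() {
  local sha="$1" digest="$2" payload
  preflight || return 1
  payload="$(build_payload "$sha" "$digest")" || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'POST /repos/%s/dispatches\n%s\n' "$INFRA_REPO" "$payload"
    return 0
  fi
  # gh takes the token from GH_TOKEN. The fine-grained PAT needs contents: write
  # on Stoganet/infra, which is what the dispatches endpoint requires.
  printf '%s' "$payload" | GH_TOKEN="$INFRA_DISPATCH_TOKEN" gh api \
    --method POST -H "Accept: application/vnd.github+json" \
    "/repos/${INFRA_REPO}/dispatches" --input -
}

# Direct use: dispatch.sh <commit-sha> <sha256:digest>, e.g. "$GITHUB_SHA" "$IMAGE_DIGEST"
if [ "$#" -eq 2 ]; then
  dispatch_infra_bump "$1" "$2"
fi
```

In the workflow the first argument would be github.sha and the second the digest output of the build-and-push job. Running with DRY_RUN=1 and a placeholder token prints the request instead of calling gh, which is the quickest way to confirm the preflight and the digest guard fail loudly on an unset secret or an empty digest.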

@claude (Bot) commented May 30, 2026

Claude finished @koinsaari's task in 2m 8s


Code Review: Add deploy workflow

No blocking issues.

  • Read REVIEW.md and CLAUDE.md
  • Read .github/workflows/deploy.yml
  • Analyze for bugs, security issues, and correctness
  • Post findings and set commit status

The workflow is well-structured: pinned action SHAs for supply-chain safety, set -euo pipefail throughout, a fast-fail preflight check, and a clean idempotency path for the already-up-to-date case. Five nits below.

🟡 Nit 1 — Wrong version comment on actions/checkout

.github/workflows/deploy.yml lines 31 and 79: the comment says # v6, but actions/checkout does not have a v6 release — the current major version is v4. The pinned SHA takes precedence functionally, but the annotation is misleading for anyone auditing action versions.

🟡 Nit 2 — Re-run idempotency: git checkout -b fails if branch exists

.github/workflows/deploy.yml line 104:

git checkout -b "$BRANCH"

If workflow_dispatch is triggered twice for the same ref (or a failed run is retried after the push already happened), $BRANCH already exists and git checkout -b exits non-zero, failing the job. Use git checkout -B "$BRANCH" to reset a pre-existing local branch, and either add --force to the git push or check/delete the remote branch first.

🟡 Nit 3 — --label "dependencies" may fail if label is absent from infra repo

.github/workflows/deploy.yml line 120:

--label "dependencies")

gh pr create will error if the dependencies label does not exist in Stoganet/infra. Either ensure the label is pre-created in the infra repo, or drop the --label flag entirely to avoid a brittle cross-repo dependency.

🟡 Nit 4 — No --base branch in gh pr create

.github/workflows/deploy.yml line 117: in a non-interactive CI context gh pr create defaults to the repo's default branch, which is normally main, but being explicit avoids surprises if the default ever changes:

gh pr create \
  --base main \
  --title ...

🟡 Nit 5 — IMAGE_DIGEST used without an emptiness guard

.github/workflows/deploy.yml line 106: if docker/build-push-action somehow produces an empty digest (unlikely, but not impossible with future action version changes), set -u won't catch it — IMAGE_DIGEST is a defined-but-empty variable — and the sed would write ghcr.io/.../api-proxy@ into the compose file, committing a broken reference. A one-liner guard at the top of the step makes the failure explicit:

[ -n "${IMAGE_DIGEST}" ] || { echo "::error::IMAGE_DIGEST is empty"; exit 1; }

@koinsaari force-pushed the feat/deploy-workflow branch from 08d0ae9 to f73818f on May 30, 2026 at 11:27
@claude (Bot) commented May 30, 2026

Claude finished @koinsaari's task in 1m 41s


Code Review: Add deploy workflow

No blocking issues.

  • Read REVIEW.md and CLAUDE.md
  • Read .github/workflows/deploy.yml
  • Analyze for bugs, security issues, and correctness
  • Post findings and set commit status

The workflow has been significantly rearchitected since the last review pass: instead of cloning Stoganet/infra and opening a PR directly, it now fires a repository_dispatch event and lets the infra repo own the update mechanics. That eliminates the previous nits about git checkout -b idempotency, --label "dependencies", missing --base, and the sed-on-empty-digest scenario in that repo.

The remaining shape is clean: pinned action SHAs, set -euo pipefail throughout, a fast-fail preflight, cancel-in-progress: false to prevent a deploy from being interrupted mid-run. Two nits below.

🟡 Nit 1 — Wrong version comment on actions/checkout

.github/workflows/deploy.yml line 31: the comment says # v6, but actions/checkout does not have a v6 release — the current major version is v4. Functionally harmless (the pinned SHA controls what runs), but misleading for anyone auditing action versions.

🟡 Nit 2 — IMAGE_DIGEST dispatched without an emptiness guard

.github/workflows/deploy.yml line 83–89: IMAGE_DIGEST is injected from the build-and-push job output. If docker/build-push-action ever produces an empty digest (unlikely, but possible after an action version bump), set -u won't catch it — the variable is defined but empty — and the dispatch will fire client_payload[digest]= to infra, silently handing it a broken reference. A one-liner guard makes the failure loud and local:

[ -n "${IMAGE_DIGEST}" ] || { echo "::error::IMAGE_DIGEST is empty — aborting dispatch"; exit 1; }

Note: commit status could not be set — the GitHub App token lacks the statuses: write permission for this repository.
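The review above worries about a broken digest being handed to infra unnoticed. The receiving side can refuse it. Here is an added example, not Stoganet/infra's api-proxy-bump.yml, of the file modification the PR description delegates to infra: apply the dispatched digest to the api-proxy service in a compose file only if a digest-pinned reference already exists, the new digest is well-formed, and exactly one line matches, and signal an already-current digest with a distinct exit code so the caller can skip the commit. The sample compose file is constructed for the demonstration; the function names and exit codes are assumptions.

```shell
#!/usr/bin/env bash
# Added example of the receiving side (not Stoganet/infra's api-proxy-bump.yml):
# apply a dispatched digest to a compose file only if the service is already
# digest-pinned, the new digest is well-formed, and exactly one line matches.
# Compose path, function names and exit codes are illustrative assumptions.
set -eu

IMAGE_NAME="ghcr.io/stoganet/api-proxy"
# Escape the dots so the image name is matched literally inside the regexes.
IMAGE_RE="$(printf '%s' "$IMAGE_NAME" | sed 's/[.]/\\./g')"
# A compose "image:" line pinned to this image by digest, and nothing else.
PINNED_RE="^[[:space:]]*image:[[:space:]]*${IMAGE_RE}@sha256:[0-9a-f]{64}[[:space:]]*$"

# Print the digest the compose file currently pins (empty if not pinned).
pinned_digest() {
  sed -nE "s|^[[:space:]]*image:[[:space:]]*${IMAGE_RE}@(sha256:[0-9a-f]{64})[[:space:]]*$|\1|p" "$1"
}

# Exit codes: 0 updated, 3 already at this digest (idempotent no-op),
# 1 refused (malformed digest, missing file, not exactly one pinned line).
bump_compose_digest() {
  local compose="$1" new_digest="$2" matches current
  printf '%s' "$new_digest" | grep -Eq '^sha256:[0-9a-f]{64}$' \
    || { echo "::error::refusing to bump: malformed digest '$new_digest'" >&2; return 1; }
  [ -f "$compose" ] || { echo "::error::$compose not found" >&2; return 1; }

  # Fail fast unless exactly one digest-pinned reference exists. A tag-pinned
  # line (":latest") is deliberately not matched: moving a service from tag to
  # digest is a policy change, not something an automated bump should do.
  matches="$(grep -cE "$PINNED_RE" "$compose" || true)"
  if [ "$matches" -ne 1 ]; then
    echo "::error::expected exactly one pinned ${IMAGE_NAME}@sha256 line in $compose, found $matches" >&2
    return 1
  fi

  current="$(pinned_digest "$compose")"
  if [ "$current" = "$new_digest" ]; then
    echo "$IMAGE_NAME already at $new_digest; nothing to do"
    return 3
  fi

  # Replace only the digest on that one line, keeping indentation. The pattern
  # is anchored on the whole pinned reference, so a digest cannot be appended
  # to or partially overwritten.
  sed -i.bak -E "s|^([[:space:]]*image:[[:space:]]*${IMAGE_RE}@)sha256:[0-9a-f]{64}([[:space:]]*)$|\1${new_digest}\2|" "$compose"
  rm -f "${compose}.bak"
  echo "bumped $IMAGE_NAME from $current to $new_digest"
  return 0
}

# Constructed sample compose file for the demonstration (not infra's real file).
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  api-proxy:
    image: ghcr.io/stoganet/api-proxy@sha256:1111111111111111111111111111111111111111111111111111111111111111
    restart: unless-stopped
  other-service:
    image: ghcr.io/stoganet/other-service:latest
EOF
}
```

A workflow step would call bump_compose_digest with the digest from client_payload and commit only on exit 0, treating 3 as a successful no-op and anything else as a failed run; the unpinned-service case fails before any write, which is the "fails fast otherwise" behaviour the prerequisites describe.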

@koinsaari changed the title from "Add deploy workflow that builds image and bumps infra digest" to "Add deploy workflow that builds image and dispatches infra bump" on May 30, 2026
@koinsaari force-pushed the feat/deploy-workflow branch from f73818f to 4e14a76 on May 30, 2026 at 11:39
@claude (Bot) commented May 30, 2026

Claude finished @koinsaari's task in 1m 36s


Code Review: Add deploy workflow

No blocking issues.

  • Read REVIEW.md and CLAUDE.md
  • Read .github/workflows/deploy.yml
  • Analyze for bugs, security issues, and correctness
  • Post findings and set commit status

The workflow is in good shape. Both nits from the previous review pass have been addressed: the IMAGE_DIGEST (and TARGET_SHA) emptiness guards are in place at lines 86–87, and the earlier rearchitecture to repository_dispatch eliminated all the infra-clone complexity. One nit remains from the prior review.

🟡 Nit — Wrong version comment on actions/checkout

.github/workflows/deploy.yml line 31: the comment still reads # v6, but actions/checkout has no v6 release — current major is v4. The pinned SHA controls what actually runs, so this is harmless, but misleading for anyone auditing action versions.

Note: commit status could not be set — the GitHub App token lacks the statuses: write permission for this repository.

@koinsaari merged commit ab2bae1 into main on May 30, 2026
7 checks passed
@koinsaari deleted the feat/deploy-workflow branch on May 30, 2026 at 11:46

Development

Successfully merging this pull request may close these issues.

Add deploy workflow with preflight secrets guard and auto-rollback
