Refactor deployment workflows

.github/workflows/ci.yml

@@ -0,0 +1,33 @@
+name: CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - uses: pnpm/action-setup@v2
+        with:
+          version: 8
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Typecheck API
+        working-directory: ./apps/api
+        run: pnpm typecheck
+
+      - name: Test
+        run: pnpm test

.github/workflows/deploy-api.yml

@@ -0,0 +1,55 @@
+name: Deploy API
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: "GitHub environment name"
+        required: true
+        type: string
+      sst-stage:
+        description: "SST deployment stage"
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+  packages: read
+
+jobs:
+  deploy-api:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    # Concurrency group name ensures concurrent workflow runs wait for any in-progress job to finish
+    concurrency:
+      group: api-${{ inputs.environment }}-${{ github.ref }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 8
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.ROLE_TO_ASSUME }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Deploy API
+        working-directory: ./apps/api
+        run: pnpm sst deploy --stage ${{ inputs.sst-stage }}
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+          SG_CARS_TRENDS_API_TOKEN: ${{ secrets.SG_CARS_TRENDS_API_TOKEN }}
+          UPSTASH_REDIS_REST_TOKEN: ${{ secrets.UPSTASH_REDIS_REST_TOKEN }}
+          UPSTASH_REDIS_REST_URL: ${{ secrets.UPSTASH_REDIS_REST_URL }}
+          FEATURE_FLAG_RATE_LIMIT: ${{ vars.FEATURE_FLAG_RATE_LIMIT }}

.github/workflows/deploy-trigger.yml

@@ -0,0 +1,38 @@
+name: Deploy Trigger.dev
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: "GitHub environment name"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  deploy-trigger:
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    environment: ${{ inputs.environment }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 8
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Deploy Trigger.dev
+        working-directory: ./apps/updater
+        run: pnpm trigger:deploy
+        env:
+          TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }}

.github/workflows/deploy-updater.yml

@@ -0,0 +1,61 @@
+name: Deploy Updater
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: "GitHub environment name"
+        required: true
+        type: string
+      sst-stage:
+        description: "SST deployment stage"
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+  packages: read
+
+jobs:
+  deploy-updater:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    # Concurrency group name ensures concurrent workflow runs wait for any in-progress job to finish
+    concurrency:
+      group: updater-${{ inputs.environment }}-${{ github.ref }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 8
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-region: ${{ vars.AWS_REGION }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+      - name: Run Drizzle Migrations
+        working-directory: ./apps/updater
+        run: pnpm migrate
+        env:
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+
+      - name: Deploy Updater
+        working-directory: ./apps/updater
+        run: pnpm sst deploy --stage ${{ inputs.sst-stage }}
+        env:
+          UPDATER_API_TOKEN: ${{ secrets.UPDATER_API_TOKEN }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+          UPSTASH_REDIS_REST_URL: ${{ secrets.UPSTASH_REDIS_REST_URL }}
+          UPSTASH_REDIS_REST_TOKEN: ${{ secrets.UPSTASH_REDIS_REST_TOKEN }}

.github/workflows/dev.yml

@@ -0,0 +1,27 @@
+name: Deploy (Dev)
+
+on:
+  push:
+    branches-ignore:
+      - "main"
+      - "release/**"
+
+permissions:
+  id-token: write
+  contents: read
+  packages: read
+
+jobs:
+  deploy-api:
+    uses: ./.github/workflows/deploy-api.yml
+    with:
+      environment: Development
+      sst-stage: dev
+    secrets: inherit
+
+  deploy-updater:
+    uses: ./.github/workflows/deploy-updater.yml
+    with:
+      environment: Development
+      sst-stage: dev
+    secrets: inherit

.github/workflows/prod.yml

@@ -0,0 +1,31 @@
+name: Deploy (Production)
+
+on:
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+      - "v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+"
+
+permissions:
+  id-token: write
+  contents: read
+  packages: read
+
+jobs:
+  deploy-api:
+    uses: ./.github/workflows/deploy-api.yml
+    with:
+      environment: Production
+      sst-stage: prod
+    secrets: inherit
+
+  deploy-updater:
+    uses: ./.github/workflows/deploy-updater.yml
+    with:
+      environment: Production
+      sst-stage: prod
+    secrets: inherit
+
+  deploy-trigger:
+    uses: ./.github/workflows/deploy-trigger.yml
+    secrets: inherit

.github/workflows/staging.yml

@@ -0,0 +1,50 @@
+name: Deploy (Staging)
+
+on:
+  push:
+    branches:
+      - "main"
+      - "release/**"
+    tags-ignore:
+      - "*"
+
+permissions:
+  id-token: write
+  contents: read
+  packages: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 8
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: "pnpm"
+      - name: Install dependencies
+        run: pnpm install
+      - name: Typecheck API
+        working-directory: ./apps/api
+        run: pnpm typecheck
+      - name: Run tests
+        run: pnpm test
+
+  deploy-api:
+    needs: test
+    uses: ./.github/workflows/deploy-api.yml
+    with:
+      environment: Staging
+      sst-stage: staging
+    secrets: inherit
+
+  deploy-updater:
+    needs: test
+    uses: ./.github/workflows/deploy-updater.yml
+    with:
+      environment: Staging
+      sst-stage: staging
+    secrets: inherit