chore: refactor gh env approval to manual workflow run #2683

Merged
stalniy merged 3 commits into main from chore/refactor-deploy
Feb 9, 2026

Conversation

@stalniy (Contributor) commented Feb 5, 2026

Why

GitHub env approval is not available for private repos. So, changing the flow so it works in a private repository as well.

Summary by CodeRabbit

  • New Features

    • Notifications show application and version separately, include optional chain and linked workflow-run ID, and include a CLI example to trigger the reusable deployment.
    • Workflows accept an explicit approve flag and an optional linked workflow-run ID.
    • Deployments are now created programmatically for clearer tracking.
  • Improvements

    • Default deployment environment changed to staging.
    • Deployment gating simplified using environment/approve rules; linked run ID surfaces in notifications.
    • CLI tag resolution added and failure on invalid tags reinstated.

@stalniy requested a review from a team as a code owner February 5, 2026 22:54
@coderabbitai (Contributor) coderabbitai bot commented Feb 5, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Splits Slack action inputs into app and new-version, adds chain and linked-workflow-run-id, changes environment default to staging; adds approve and linked-workflow-run-id inputs and a require_approval output to the reusable deploy workflow; updates approval gating, Slack payloads, and creates GitHub deployments/statuses.

Changes

Cohort / File(s) / Summary

  • Slack action input changes
    .github/actions/slack-pending-deployment-approval/action.yml
    Replaced new-app-version with app and new-version; added chain and linked-workflow-run-id inputs; changed environment default to staging; updated Slack message payload and included gh CLI example to trigger reusable workflow.
  • Reusable deploy workflow (approval & deployment)
    .github/workflows/reusable-deploy-k8s.yml
    Added approve and linked-workflow-run-id inputs (both workflow_call and top-level); added require_approval job output; simplified approval decision (env/chain based); display/propagate linked workflow run ID; gate deploy job on approve or no requirement; create GitHub deployment and post status; updated Slack notification fields to include app, new-version, chain, and linked-workflow-run-id.
  • Deploy setup tag resolution
    .github/workflows/reusable-deploy-setup.yml
    Added GH_TOKEN to step env; when image_tag is latest, resolve actual tag via GitHub API and set TAG_NAME; re-enable hard failure for invalid tags; preserve package/tag parsing and validation flow.

Sequence Diagram

sequenceDiagram
    participant Caller as Caller Workflow
    participant Reusable as reusable-deploy-k8s.yml
    participant Slack as Slack Action
    participant GH as GitHub API
    participant K8s as Kubernetes

    Caller->>Reusable: call(app, new-version, environment, approve=false, linked-workflow-run-id?)
    Reusable->>Reusable: evaluate require_approval (environment/chain rule)
    alt require_approval true
        Reusable->>Slack: send pending-approval (app, new-version, environment, chain, linked-workflow-run-id)
        Slack-->>Reusable: delivery ack
        Note over Caller,Reusable: human approves by re-running with approve=true
    end
    Reusable->>Reusable: check approve flag & require_approval
    alt deploy allowed
        Reusable->>GH: create deployment (POST /repos/.../deployments)
        GH-->>Reusable: deployment created
        Reusable->>GH: post deployment status (success)
        GH-->>Reusable: status recorded
        Reusable->>K8s: perform Kubernetes rollout
        K8s-->>Reusable: rollout result
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • ygrishajev
  • baktun14

"I hopped through YAML with a twitchy ear,
Split name and version so alerts are clear.
I carried linked IDs and nudged approvals tight,
Launched deployments in the soft staging light.
A rabbit claps for pipelines — quick and bright. 🐇"

Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: refactoring from GitHub environment approval to manual workflow run approval.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@stalniy force-pushed the chore/refactor-deploy branch from d0ed019 to c32544d on February 5, 2026 22:57

@coderabbitai (Contributor) coderabbitai bot left a comment

Actionable comments posted: 7

🤖 Fix all issues with AI agents
In @.github/actions/slack-pending-deployment-approval/action.yml:
- Around line 64-70: The multiline gh CLI example in the reusable-deploy-k8s.yml
run command within the action.yml documentation is missing line-continuation
backslashes, causing the command to break when copied; update the snippet so
each continued line ends with a backslash (e.g., after the first gh workflow run
... \, after -f app=... \, after -f appVersion=... \, and after conditional -f
linked-workflow-run-id... \) and ensure spacing/quoting remains valid for the
conditional expansions so the command can be copied and executed as-is.
- Line 60: The Slack message references the removed input inputs.new-app-version
so it will render empty; update the template in the action.yml Slack message
line to use the current input name (or remove that placeholder) instead of ${{
inputs.new-app-version }} — locate the Slack message string that contains ${{
inputs.new-app-version }} and replace it with the correct existing input (e.g.,
${{ inputs.version }} or the actual input name used in the action inputs block)
so the message shows the intended version value.

In @.github/workflows/reusable-deploy-k8s.yml:
- Around line 109-113: The "Display linked workflow run ID" step currently
always links to the current run by using ${{ github.run_id }}; change the
summary to use the provided input ${{ inputs.linked-workflow-run-id }} instead
so the link points to the linked workflow run (i.e., build the URL with ${{
github.server_url }}/${{ github.repository }}/actions/runs/${{
inputs.linked-workflow-run-id }} and append that to $GITHUB_STEP_SUMMARY).
- Line 152: The job's if condition uses AND which blocks runs when
require_approval is 'true'; change the expression so the job runs when either an
explicit approval is provided (inputs.approve) OR no approval is required.
Replace the current line "if: (inputs.approve == 'true' || inputs.approve ==
true) && needs.deployment-prerequisites.outputs.require_approval != 'true'" with
an OR-based condition such as "if: (inputs.approve == 'true' || inputs.approve
== true) || needs.deployment-prerequisites.outputs.require_approval != 'true'"
so the job runs when approved or when require_approval is false (referencing
inputs.approve and needs.deployment-prerequisites.outputs.require_approval).
- Around line 143-147: Update the value assigned to linked-workflow-run-id so it
prefers a provided linked workflow run ID input over the current run ID: replace
the hardcoded github.run_id usage for the output key "linked-workflow-run-id"
with a GitHub Actions expression that uses the input (e.g.,
inputs.linkedWorkflowRunId or similar) when non-empty and falls back to
github.run_id otherwise; modify the YAML line setting linked-workflow-run-id to
use that conditional expression so Slack receives the linked run ID when
available.
- Around line 85-91: Add the missing workflow_call input for
linked-workflow-run-id so callers can pass it in; update the workflow_call
inputs block (where inputs like approve are defined) to include an entry named
linked-workflow-run-id with type: string (or appropriate type), required: false
(matching the workflow_dispatch definition), and a short description; ensure the
input name exactly matches 'linked-workflow-run-id' so references later in the
workflow (the usage at line 110) resolve correctly.
- Around line 246-265: The Deployments API calls using GH_TOKEN and the gh api
POSTs that create deployment and deployment statuses require explicit write
permission; add permissions: deployments: write to the deploy job (or workflow)
so the GH_TOKEN can perform the gh api -X POST "repos/$REPOSITORY/deployments"
and the subsequent statuses POST calls successfully; update the job's
permissions block (adjacent to where GH_TOKEN is used) to include deployments:
write.
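
The two gating decisions the review above turns on (which environments need a human approval, and the job-level condition that must be OR rather than AND) as an added example in plain POSIX shell; this is not code from the PR or the project. The function names, the rule "only the prod environment needs approval", and the sample values (chain "mainnet") are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR: the two gating decisions discussed in
# the review comments above, written as plain POSIX shell so they run locally.
# Function names, the rule "only the prod environment needs a human approval"
# and the sample chain value are assumptions for illustration.

# require_approval_composed ENVIRONMENT CHAIN
# The pattern the reviewer flagged: env is built as "<environment>-<chain>",
# so the comparison against the bare string "prod" can never match and the
# branch is dead.
require_approval_composed() {
  composed="$1-$2"
  if [ "$composed" = "prod" ]; then
    echo true
  else
    echo false
  fi
}

# require_approval ENVIRONMENT CHAIN
# Corrected rule: test the raw environment input. The chain is accepted for
# parity with the workflow inputs but does not change the decision.
require_approval() {
  case "$1" in
    prod) echo true ;;
    *)    echo false ;;
  esac
}

# deploy_allowed APPROVE REQUIRE_APPROVAL
# Mirrors the job-level `if:`: run when explicitly approved OR when no
# approval is required. With AND instead of OR every gated deployment is
# blocked, including the re-run with approve=true that is supposed to
# release it.
deploy_allowed() {
  if [ "$1" = "true" ] || [ "$2" != "true" ]; then
    echo true
  else
    echo false
  fi
}

# gate ENVIRONMENT CHAIN APPROVE
# Full decision for one run: "deploy" or "pending-approval". A pending run is
# where the Slack notification would be sent; the human then re-runs the
# workflow with approve=true.
gate() {
  required=$(require_approval "$1" "$2")
  if [ "$(deploy_allowed "$3" "$required")" = "true" ]; then
    echo deploy
  else
    echo pending-approval
  fi
}

# Usage: sh gate.sh <environment> <chain> <approve>
if [ "$#" -eq 3 ]; then
  gate "$1" "$2" "$3"
fi
```

Running `sh gate.sh prod mainnet false` prints `pending-approval` and `sh gate.sh prod mainnet true` prints `deploy`; the `require_approval_composed` function is kept only to make the dead-branch behaviour observable (it answers `false` for prod on any chain).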

@stalniy force-pushed the chore/refactor-deploy branch from c32544d to 6c5e04e on February 5, 2026 23:01

baktun14 previously approved these changes Feb 5, 2026

@stalniy force-pushed the chore/refactor-deploy branch from 6c5e04e to 6b42a11 on February 6, 2026 15:29

@coderabbitai (Contributor) coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/reusable-deploy-k8s.yml:
- Around line 133-134: The require_approval check includes a dead branch because
env is constructed as "${{ inputs.environment }}-${{ inputs.chain }}" so
comparing "$env" == "prod" will never match; update the conditional on the
require_approval line to test the original environment input
(inputs.environment) or to match the composed env values that indicate prod
(e.g., compare "${{ inputs.environment }}" == "prod" or test env for patterns
"prod" or "prod-" + chain), and remove the unreachable `"$env" == "prod"` check
so require_approval correctly evaluates true for production deployments.
- Around line 247-266: The deployment step uses GH_REF (constructed as `${{
inputs.app }}/v${{ inputs.appVersion }}`) directly when creating a deployment
(`gh api -X POST "repos/$REPOSITORY/deployments"`) and does not validate the
tag/ref; add a pre-check that the tag exists by calling the refs API (`gh api
repos/$REPOSITORY/git/refs/tags/{tag}`) or otherwise resolving the ref before
creating DEPLOYMENT_ID, and on failure emit a clear error and exit 1; if the ref
exists proceed to create DEPLOYMENT_ID and report the deployment status as
before.

@coderabbitai (Contributor) coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/reusable-deploy-setup.yml:
- Around line 34-36: The gh api call that replaces TAG_NAME when it equals
"latest" can fail or return empty if there are no releases; update the block
that checks TAG_NAME and runs gh api to capture the command output into a
variable, verify it is non-empty and the command exit status succeeded, and if
it failed or returned empty log a clear error and exit non-zero; specifically
modify the conditional that sets TAG_NAME from gh api (the TAG_NAME assignment
and the gh api invocation) to perform error checking and a safe fallback or
explicit failure.
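
The error handling asked for in the review comment above (resolving "latest" to a concrete tag and failing on an empty or unsuccessful lookup) and in the earlier comment on the deploy step (checking that the tag ref exists before creating a deployment), as an added example in POSIX shell that is not code from the PR or the project. The API lookup is passed in as a command string so the logic can be exercised offline; the `gh api` invocations named in the comments, the function names and the sample app/version values are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR: the checks the review comments ask for
# when a step resolves "latest" to a real tag and when it verifies that a ref
# exists before creating a GitHub deployment. The lookup is injected as a
# command string so this runs offline; in a workflow step it would be a gh
# call such as (assumed invocations, GH_TOKEN set in the step env):
#   gh api "repos/$REPOSITORY/releases/latest" --jq .tag_name
#   gh api "repos/$REPOSITORY/git/ref/tags/$REF"

# resolve_tag TAG LOOKUP_CMD
# Echoes TAG unchanged unless it is "latest", in which case LOOKUP_CMD is run
# and its output used. Fails (exit 1, message on stderr) when the lookup
# exits non-zero or prints nothing, instead of silently continuing with an
# empty TAG_NAME.
resolve_tag() {
  tag="$1"
  lookup="$2"
  if [ "$tag" != "latest" ]; then
    printf '%s\n' "$tag"
    return 0
  fi
  resolved=$(sh -c "$lookup" 2>/dev/null) || {
    echo "error: release lookup failed; cannot resolve 'latest'" >&2
    return 1
  }
  if [ -z "$resolved" ]; then
    echo "error: release lookup returned an empty tag name" >&2
    return 1
  fi
  printf '%s\n' "$resolved"
}

# ref_exists REF LOOKUP_CMD
# Runs LOOKUP_CMD with REF as its $1 and returns its exit status; a refs API
# call exits non-zero (404) for a tag that was never pushed.
ref_exists() {
  sh -c "$2" ref_lookup "$1" >/dev/null 2>&1
}

# prepare_deployment APP VERSION LOOKUP_CMD
# Builds the ref "<app>/v<version>" used for the deployment and refuses to
# proceed when it does not exist, so no deployment record is created for a
# ref that cannot be deployed.
prepare_deployment() {
  ref="$1/v$2"
  if ref_exists "$ref" "$3"; then
    printf '%s\n' "$ref"
  else
    echo "error: ref '$ref' not found; refusing to create deployment" >&2
    return 1
  fi
}
```

In a workflow step the two functions would be called before `gh api -X POST "repos/$REPOSITORY/deployments"`, with `set -e` (or an explicit `|| exit 1`) so that a failed resolution stops the job rather than posting a deployment for an empty or non-existent ref.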

@codecov codecov bot commented Feb 9, 2026

Codecov Report

✔️ No coverage data to report, because files changed do not require tests or are set to ignore

@stalniy force-pushed the chore/refactor-deploy branch from ac2a436 to 2df8798 on February 9, 2026 11:12
@stalniy force-pushed the chore/refactor-deploy branch from 2df8798 to 5813944 on February 9, 2026 11:30
@stalniy merged commit 51819a7 into main Feb 9, 2026
54 checks passed
@stalniy deleted the chore/refactor-deploy branch February 9, 2026 12:57
2 participants