Skip to content

Workflows

WorkflowTriggersEnvironmentDeploys To
deploy-docs.ymlPush to main (apps/docs/**), PR, manual(none)swa-maxconf-docs
deploy-agent-app-test.ymlPush to main (apps/agent-app/**), PR, manualtestswa-agent-test (default + preview)
deploy-customer-app-test.ymlPush to main (apps/customer-app/**), PR, manualtestswa-customer-test (default + preview)
deploy-agent-app-prod.ymlTag agent-app/v*.*.*, manual with confirmationprodswa-agent-prod
deploy-customer-app-prod.ymlTag customer-app/v*.*.*, manual with confirmationprodswa-customer-prod
deploy-pexip-sdk-test.ymlPR (packages/pexip-sdk/**), push to main, manualtestfa-maxconf-test (production + edge slots)
deploy-pexip-sdk-prod.ymlTag pexip-sdk/v*.*.*prodfa-maxconf-prod (staging → swap to production)
vm-start-stop-test.ymlCron (4×/hr), manual with overridestestTest VMs
vm-start-stop-prod.ymlCron (4×/hr), manual with overridesprodProduction VMs

Most deployment workflows use paths: filters so they only trigger when relevant files change. For example, deploy-agent-app-test.yml only runs when files under apps/agent-app/ or the workflow file itself are modified.

on:
push:
branches: [main]
paths:
- "apps/agent-app/**"
- ".github/workflows/deploy-agent-app-test.yml"

This prevents unnecessary deployments when unrelated surfaces are updated.

When a pull request modifies an SWA surface (agent-app or customer-app), the test workflow deploys a preview environment - a temporary staging URL that is automatically cleaned up when the PR is closed.

The preview deployment uses SWA’s built-in deployment_environment: preview setting:

- name: Deploy to Azure Static Web Apps
uses: Azure/static-web-apps-deploy@v1
with:
azure_static_web_apps_api_token: ${{ secrets.SWA_AGENT_APP_DEPLOYMENT_TOKEN }}
action: upload
app_location: apps/agent-app/src
deployment_environment: preview

Pull requests that modify packages/pexip-sdk/ deploy to the edge slot on fa-maxconf-test. This provides a developer preview at a separate URL without affecting the main test environment.

  • Only one edge slot exists - the most recent PR push overwrites any previous deployment.
  • The edge slot is not torn down when a PR is closed; it retains the last deployed code until the next PR push.
EnvironmentAuth MechanismPurpose
testSWA deployment tokens (env secrets), OIDC federated credentialsNon-production: developer preview, UAT, QA
prodSWA deployment tokens (env secrets), OIDC federated credentialsProduction: live service

Production workflows include additional safeguards:

  • Tag-only triggers - production deploys only fire on namespaced tags, never on branch pushes
  • Manual confirmation - workflow_dispatch requires typing deploy to proceed
  • Environment gates - the prod environment can require reviewer approval before jobs execute