Workflows
Workflow Inventory
Section titled “Workflow Inventory”| Workflow | Triggers | Environment | Deploys To |
|---|---|---|---|
deploy-docs.yml | Push to main (apps/docs/**), PR, manual | (none) | swa-maxconf-docs |
deploy-agent-app-test.yml | Push to main (apps/agent-app/**), PR, manual | test | swa-agent-test (default + preview) |
deploy-customer-app-test.yml | Push to main (apps/customer-app/**), PR, manual | test | swa-customer-test (default + preview) |
deploy-agent-app-prod.yml | Tag agent-app/v*.*.*, manual with confirmation | prod | swa-agent-prod |
deploy-customer-app-prod.yml | Tag customer-app/v*.*.*, manual with confirmation | prod | swa-customer-prod |
deploy-pexip-sdk-test.yml | PR (packages/pexip-sdk/**), push to main, manual | test | fa-maxconf-test (production + edge slots) |
deploy-pexip-sdk-prod.yml | Tag pexip-sdk/v*.*.* | prod | fa-maxconf-prod (staging → swap to production) |
vm-start-stop-test.yml | Cron (4×/hr), manual with overrides | test | Test VMs |
vm-start-stop-prod.yml | Cron (4×/hr), manual with overrides | prod | Production VMs |
Path-Filtered Triggers
Section titled “Path-Filtered Triggers”Most deployment workflows use paths: filters so they only trigger when relevant files change. For example, deploy-agent-app-test.yml only runs when files under apps/agent-app/ or the workflow file itself are modified.
on: push: branches: [main] paths: - "apps/agent-app/**" - ".github/workflows/deploy-agent-app-test.yml"This prevents unnecessary deployments when unrelated surfaces are updated.
PR Preview Environments
Section titled “PR Preview Environments”Static Web Apps
Section titled “Static Web Apps”When a pull request modifies an SWA surface (agent-app or customer-app), the test workflow deploys a preview environment - a temporary staging URL that is automatically cleaned up when the PR is closed.
The preview deployment uses SWA’s built-in deployment_environment: preview setting:
- name: Deploy to Azure Static Web Apps uses: Azure/static-web-apps-deploy@v1 with: azure_static_web_apps_api_token: ${{ secrets.SWA_AGENT_APP_DEPLOYMENT_TOKEN }} action: upload app_location: apps/agent-app/src deployment_environment: previewPexip SDK (Edge Slot)
Section titled “Pexip SDK (Edge Slot)”Pull requests that modify packages/pexip-sdk/ deploy to the edge slot on fa-maxconf-test. This provides a developer preview at a separate URL without affecting the main test environment.
- Only one edge slot exists - the most recent PR push overwrites any previous deployment.
- The edge slot is not torn down when a PR is closed; it retains the last deployed code until the next PR push.
Environment Isolation
Section titled “Environment Isolation”| Environment | Auth Mechanism | Purpose |
|---|---|---|
test | SWA deployment tokens (env secrets), OIDC federated credentials | Non-production: developer preview, UAT, QA |
prod | SWA deployment tokens (env secrets), OIDC federated credentials | Production: live service |
Production workflows include additional safeguards:
- Tag-only triggers - production deploys only fire on namespaced tags, never on branch pushes
- Manual confirmation -
workflow_dispatchrequires typingdeployto proceed - Environment gates - the
prodenvironment can require reviewer approval before jobs execute