Main CI Pipeline
The ci.yml workflow is the primary CI/CD pipeline that runs on every push to the main branch.
Trigger
on:
  push:
    branches:
      - main
Concurrency
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
Cancels in-progress runs when new commits are pushed.
Jobs
1. Version
Calculates semantic version using conventional commits.
jobs:
  version:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.semantic-release.outputs.version }}
    steps:
      - uses: actions/checkout@v4
      - uses: badal-io/devex-reusable-workflows/.github/workflows/semantic-release.yml@main
        with:
          sha-prefix: "-sha."
Output: Version string like 1.2.3-sha.abc123
2. Terraform Apply (Non-Production)
Applies infrastructure changes using Terraform Cloud.
  terraform-apply-non-production:
    uses: badal-io/devex-reusable-workflows/.github/workflows/tfc-apply.yml@main
    with:
      environment: non-production
      tfc_org: Badal_devex
      tfc_workspace: wrkspc-np-devex-backstage
      verify_artifact: true
      auto_apply: true
    secrets: inherit
Outputs:
- artifact_id: Terraform outputs artifact ID
- file_name: Terraform outputs file name
3. Build Package
Builds the Backstage application.
  build-package:
    needs: [version]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: yarn
          cache-dependency-path: backstage/yarn.lock
      - name: Build & Package Archive
        working-directory: backstage
        env:
          NODE_OPTIONS: --max-old-space-size=8192
        run: |
          yarn install --immutable
          yarn tsc
          yarn build:backend
      - uses: actions/upload-artifact@v4
        with:
          name: backstage-build-${{ needs.version.outputs.version }}
          path: |
            backstage/packages/backend/dist/
            backstage/yarn.lock
          retention-days: 1
4. Deploy (Non-Production)
Deploys to Cloud Run using the reusable deployment workflow.
  deploy-non-production:
    needs: [version, build-package, terraform-apply-non-production]
    uses: ./.github/workflows/ci-deploy.yml
    with:
      environment: non-production
      version: ${{ needs.version.outputs.version }}
      terraform-outputs-artifact-id: ${{ needs.terraform-apply-non-production.outputs.artifact_id }}
      terraform-outputs-file-name: ${{ needs.terraform-apply-non-production.outputs.file_name }}
      build-artifact-name: backstage-build-${{ needs.version.outputs.version }}
    secrets: inherit
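The jobs above reference actions by tag (@v4) and reusable workflows by branch (@main), both of which can be moved after review, while a full commit SHA cannot. The following added example, which is not part of the project's workflow, lists every `uses:` reference that is not pinned to a 40-character commit SHA and marks the jobs that also pass `secrets: inherit`. The sample text is constructed from the snippets on this page; the function name `audit_uses` and the two-space indentation rule are assumptions.

```python
import re

# Constructed sample: the `uses:` lines of the jobs documented on this page.
SAMPLE_WORKFLOW = """\
jobs:
  version:
    steps:
      - uses: actions/checkout@v4
      - uses: badal-io/devex-reusable-workflows/.github/workflows/semantic-release.yml@main
  terraform-apply-non-production:
    uses: badal-io/devex-reusable-workflows/.github/workflows/tfc-apply.yml@main
    secrets: inherit
  deploy-non-production:
    uses: ./.github/workflows/ci-deploy.yml
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # assumes two-space indentation
INHERIT_RE = re.compile(r"^\s+secrets:\s*inherit\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (job, target, ref, inherits_secrets) for refs not pinned to a commit SHA."""
    jobs, job, in_jobs = {}, None, False
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or commented-out line
        if not line[0].isspace():  # top-level key: track whether we are under jobs:
            in_jobs, job = line.startswith("jobs:"), None
            continue
        m = JOB_RE.match(line) if in_jobs else None
        if m:
            job = m.group(1)
            jobs[job] = {"uses": [], "inherit": False}
        elif job and USES_RE.match(line):
            jobs[job]["uses"].append(USES_RE.match(line).group(1))
        elif job and INHERIT_RE.match(line):
            jobs[job]["inherit"] = True
    findings = []
    for name, info in jobs.items():
        for target in info["uses"]:
            ref = target.partition("@")[2]  # local ./ targets run at the caller's commit
            if not target.startswith("./") and not FULL_SHA_RE.match(ref):
                findings.append((name, target, ref or "(none)", info["inherit"]))
    return findings


if __name__ == "__main__":
    for job, target, ref, inherit in audit_uses(SAMPLE_WORKFLOW):
        print(f"{job}: {target} (ref {ref!r})" + (" + secrets: inherit" if inherit else ""))
```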
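Job Dependencies
- build-package needs version
- deploy-non-production needs version, build-package and terraform-apply-non-production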
Permissions
permissions:
  contents: write
  issues: write
  pull-requests: write
  id-token: write
  actions: write
  attestations: write
Production Deployment
Production deployment jobs are commented out in the workflow:
  # terraform-apply-production:
  #   needs: [deploy-non-production]
  #   ...
  # deploy-production:
  #   needs: [version, build-package, terraform-apply-production]
  #   ...
To enable production deployment:
- Uncomment the production jobs
- Add a manual approval gate
- Configure the wrkspc-p-devex-backstage workspace