feat: staging deploy workflow via deploy label #20

Open — nthh wants to merge 4 commits into main from feat/staging-deploy

Conversation

nthh (Owner) commented Feb 11, 2026

Summary

  • Adds a CI workflow that deploys PRs to staging.remolt.dev when a maintainer adds the deploy label
  • Uses the existing Cloudflare tunnel — adds/removes an ingress rule at deploy/teardown time
  • Kustomize overlay in k8s/staging/ reuses base manifests with namespace + env overrides
  • Race condition guard: fails if another PR already has the label
  • Posts staging URL / teardown confirmation as PR comments
  • Uses pull_request_target to prevent malicious PRs from exfiltrating kubeconfig

New files

  • .github/workflows/staging.yml — deploy + teardown jobs triggered by label events
  • k8s/staging/kustomization.yaml — overlay referencing base manifests
  • k8s/staging/server-patch.yaml — env var overrides (lower limits, staging namespace/origin)
  • .env.staging.example — template for staging OAuth credentials

Prerequisites (one-time manual setup)

  • GitHub OAuth app for staging.remolt.dev (callback: https://staging.remolt.dev/auth/callback)
  • Cloudflare DNS CNAME: staging.remolt.dev → existing tunnel UUID
  • Create .env.staging from .env.staging.example, fill in OAuth creds
  • Apply secret to cluster:
    source .env.staging
    kubectl create namespace remolt-staging --dry-run=client -o yaml | kubectl apply -f -
    kubectl -n remolt-staging create secret generic remolt-auth \
      --from-literal=GITHUB_CLIENT_ID=$GITHUB_CLIENT_ID \
      --from-literal=GITHUB_CLIENT_SECRET=$GITHUB_CLIENT_SECRET \
      --from-literal=COOKIE_SECRET=$COOKIE_SECRET \
      --dry-run=client -o yaml | kubectl apply -f -

No GitHub environment or extra GitHub Actions secrets needed — only the existing repo-level KUBECONFIG_BASE64.

Test plan

  • Add deploy label to a PR → staging workflow runs, comment appears with URL
  • Visit staging.remolt.dev → OAuth works, can create session
  • Remove deploy label → teardown runs, resources cleaned up
  • Two PRs with deploy label → second fails with error

🤖 Generated with Claude Code

nthh and others added 4 commits February 11, 2026 15:57
Commit 1:

Add a CI workflow that deploys PRs to staging.remolt.dev when a
maintainer adds the `deploy` label. Uses the existing Cloudflare
tunnel — just adds/removes an ingress rule at deploy/teardown time.

- k8s/staging/ kustomize overlay (reuses base manifests, overrides
  namespace to remolt-staging + lower resource limits)
- .github/workflows/staging.yml with deploy + teardown jobs
- Race condition guard: fails if another PR already has the label
- Posts staging URL / teardown confirmation as PR comments

Prerequisites (one-time manual setup):
- GitHub OAuth app for staging.remolt.dev
- GitHub environment `staging` with OAuth secrets
- Cloudflare DNS CNAME for staging.remolt.dev

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Commit 2:

OAuth secrets (remolt-auth) are stored directly in the cluster, same
as production. No GitHub environment or STAGING_* secrets needed —
just the existing KUBECONFIG_BASE64 repo secret.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Commit 3:

pull_request_target runs the workflow from main, not the PR branch.
This prevents a malicious PR from modifying staging.yml to exfiltrate
the KUBECONFIG_BASE64 secret. The PR code is still checked out for
building the Docker image.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Commit 4:

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
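The label-gated `pull_request_target` pattern described in the PR summary and in commit 3 (workflow file taken from main, PR code checked out only for the image build, a guard against two PRs holding the label at once) can be sketched as a workflow like the following. This is an added illustration written for this page, not the project's actual `.github/workflows/staging.yml`; the label name `deploy`, the `k8s/staging/` overlay, the `remolt-staging` namespace and the `KUBECONFIG_BASE64` repo secret come from the PR text, while the image name `ghcr.io/example/remolt`, the deployment name `remolt-server` and the use of `gh` for the race guard and PR comments are assumptions. The Cloudflare tunnel ingress change the PR mentions is omitted.

```yaml
# Added example workflow (not the project's staging.yml). Assumed names are marked below.
name: staging

on:
  pull_request_target:          # workflow definition always comes from the base branch (main)
    types: [labeled, unlabeled]

permissions:
  contents: read
  pull-requests: write          # needed for the gh pr comment steps

# Serialise deploy/teardown so a label flip on two PRs cannot interleave.
concurrency:
  group: staging-environment
  cancel-in-progress: false

jobs:
  deploy:
    # Only react to the deploy label; other label events are ignored.
    if: github.event.action == 'labeled' && github.event.label.name == 'deploy'
    runs-on: ubuntu-latest
    steps:
      - name: Fail if another open PR already holds the deploy label
        env:
          GH_TOKEN: ${{ github.token }}
          THIS_PR: ${{ github.event.pull_request.number }}
        run: |
          others=$(gh pr list --repo "$GITHUB_REPOSITORY" --state open --label deploy \
                     --json number --jq ".[] | select(.number != ${THIS_PR}) | .number")
          if [ -n "$others" ]; then
            echo "::error::staging is already claimed by PR(s): $others; remove their deploy label first"
            exit 1
          fi

      # Untrusted PR code is checked out only here, pinned to the commit that was labelled.
      # persist-credentials: false keeps the workflow token out of .git/config,
      # so nothing the PR's build scripts run can read it.
      - name: Check out PR head (untrusted)
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # No secrets are referenced in this step, so a hostile Dockerfile or build script
      # has nothing to exfiltrate beyond the runner itself.
      - name: Build image from PR code
        env:
          IMAGE: ghcr.io/example/remolt:pr-${{ github.event.pull_request.number }}   # assumed name
        run: docker build -t "$IMAGE" .

      # The cluster credential is exposed only to the deploy step, after the build is done.
      - name: Deploy kustomize overlay to staging
        env:
          KUBECONFIG_BASE64: ${{ secrets.KUBECONFIG_BASE64 }}
        run: |
          umask 077
          echo "$KUBECONFIG_BASE64" | base64 -d > "$RUNNER_TEMP/kubeconfig"
          export KUBECONFIG="$RUNNER_TEMP/kubeconfig"
          kubectl apply -k k8s/staging/
          # remolt-server is an assumed deployment name
          kubectl -n remolt-staging rollout status deployment/remolt-server --timeout=180s
          rm -f "$RUNNER_TEMP/kubeconfig"

      - name: Post staging URL
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh pr comment "${{ github.event.pull_request.number }}" --repo "$GITHUB_REPOSITORY" \
            --body "Deployed ${{ github.event.pull_request.head.sha }} to https://staging.remolt.dev"

  teardown:
    if: github.event.action == 'unlabeled' && github.event.label.name == 'deploy'
    runs-on: ubuntu-latest
    steps:
      # Teardown needs no PR code: the default checkout under pull_request_target is the base branch.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Delete staging workloads
        env:
          KUBECONFIG_BASE64: ${{ secrets.KUBECONFIG_BASE64 }}
        run: |
          umask 077
          echo "$KUBECONFIG_BASE64" | base64 -d > "$RUNNER_TEMP/kubeconfig"
          export KUBECONFIG="$RUNNER_TEMP/kubeconfig"
          # The manually created remolt-auth secret is not in the overlay, so it survives teardown.
          kubectl delete -k k8s/staging/ --ignore-not-found
          rm -f "$RUNNER_TEMP/kubeconfig"

      - name: Confirm teardown
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh pr comment "${{ github.event.pull_request.number }}" --repo "$GITHUB_REPOSITORY" \
            --body "Staging deployment torn down."
```

Two caveats a reviewer would raise on any workflow of this shape. First, `pull_request_target` only protects the workflow file itself: `k8s/staging/` and the Dockerfile are still read from the PR head, so the deploy step applies PR-controlled manifests with the cluster credential, and the maintainer who adds the label is effectively approving that content. Scoping the kubeconfig's RBAC to the `remolt-staging` namespace limits what a bad manifest can reach. Second, the label is sticky: commits pushed after labelling do not redeploy (only `labeled`/`unlabeled` fire), so the comment should name the deployed SHA, as above, to avoid confusion about what is running.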
nthh (Owner, Author) commented Feb 11, 2026

Known gaps for agent web UI proxy (OpenClaw etc.)

Before testing OpenClaw end-to-end, these need to be addressed:

  1. WebSocket proxy is missing. The /proxy/{session_id}/{path} route only handles HTTP methods. Agent dashboards (OpenClaw included) will almost certainly use WebSockets for real-time updates — those connections will fail silently.

  2. Path rewriting. The dashboard is served at /proxy/{session_id}/ but the app expects to be at /. Asset loads (/js/app.js), API calls (/api/status), etc. will miss the proxy prefix and hit remolt's SPA fallback instead. Need either path rewriting in the proxy or a <base> tag injection.

  3. Network policy verification. The current NetworkPolicy allows ingress to sandbox pods only from app: remolt-server. The proxy reaches sandbox pods via the K8s pod proxy API (not direct pod-to-pod), so this should work — but needs to be verified for non-standard ports like 18789.

  4. OpenClaw specifics. We assumed npm install -g openclaw, port 18789, and specific CLI flags. These need to be validated against actual OpenClaw docs before the agent image will work.
