This document describes the CI/CD architecture for the Apache Teaclave website.
.github/workflows/
├── _reusable-build.yml # [Reusable] Shared build logic for Docker + website
├── pr-validation.yml # PR validation workflow (read-only)
├── deploy-staging.yml # Deploys build to asf-staging branch
├── promote-staging-to-production.yml # [Manual] Replaces asf-site with asf-staging
└── README.md # This file
- pr-*.yml - PR validation workflows (read-only permissions)
- deploy-*.yml - Deployment workflows (write permissions)
- promote-*.yml - Manual promotion workflows (e.g. staging → production)
- _reusable-*.yml - Reusable workflows (called by others, underscore prefix)
- PR merged (or push to master) → Deploy Staging runs → build is deployed to the asf-staging branch. Staging site is updated.
- Verify → Visit the staging website and confirm everything looks correct.
- Promote to production → Go to Actions → "Promote Staging to Production" → Run workflow. This replaces the asf-site branch with the content of asf-staging, updating the final live website.
| Step | What happens |
|---|---|
| Merge / push to master | deploy-staging.yml → asf-staging updated |
| Manual check | You verify the staging site |
| Manual trigger | promote-staging-to-production.yml → asf-site = asf-staging |
- DRY (Don't Repeat Yourself): Shared build logic via reusable workflow
- Separation of Concerns: Separate workflows for validation vs deployment
- Least Privilege: Minimal permissions per workflow
- Security First: No credentials on disk, token in memory only
- Developer Experience: Clear feedback, fast builds, easy debugging
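As an added illustration (not part of the project's workflows or tooling), the Python sketch below audits workflow text against the naming convention and the Least Privilege principle above. The rules it enforces (no write scopes in pr-*.yml, workflow_dispatch as the only trigger in promote-*.yml, an explicit permissions block in every file), the line-based parser and the sample workflows are assumptions made for the example.

```python
# Added example: rules and sample workflows are assumptions, not the project's tooling.
import fnmatch
import re

def rows_of(text):
    """(indent, key, value) per 'key: value' line; comments and list items are skipped."""
    hits = (re.match(r"(\s*)([\w-]+):\s*(.*)$", l.split(" #")[0].rstrip()) for l in text.splitlines())
    return [(len(m.group(1)), m.group(2), m.group(3)) for m in hits if m]

def children(rows, i):
    """Direct children of the mapping key rows[i], found by indentation."""
    out = {}
    for indent, key, val in rows[i + 1:]:
        if indent <= rows[i][0]:
            break
        if indent == rows[i + 1][0]:
            out[key] = val
    return out

def write_scopes(rows):
    """Scopes granted 'write' in any permissions block; None when no block exists."""
    blocks = [i for i, r in enumerate(rows) if r[1] == "permissions"]
    scopes = {"*" for i in blocks if rows[i][2] == "write-all"}
    for i in blocks:
        scopes |= {k for k, v in children(rows, i).items() if v == "write"}
    return scopes if blocks else None

def triggers(rows):
    """Event names under the top-level 'on:' key, inline or mapping form."""
    for i, (indent, key, val) in enumerate(rows):
        if indent == 0 and key == "on":
            return {t.strip() for t in val.strip("[]").split(",")} if val else set(children(rows, i))
    return set()

def audit(filename, text):
    """Findings for one workflow, judged by the filename convention described above."""
    rows = rows_of(text)
    findings, scopes, events = [], write_scopes(rows), triggers(rows)
    if scopes is None:
        findings.append("no explicit permissions block")
    elif fnmatch.fnmatch(filename, "pr-*.yml") and scopes:
        findings.append("PR workflow requests write: " + ", ".join(sorted(scopes)))
    if fnmatch.fnmatch(filename, "promote-*.yml") and events != {"workflow_dispatch"}:
        findings.append("promotion is not manual-only: " + ", ".join(sorted(events)))
    return findings

# Constructed sample workflows (not the project's files).
PR_OK = "on: [pull_request]\npermissions:\n  contents: read\n"
PR_BAD = "on: pull_request\npermissions:\n  contents: write\njobs: {}\n"
PROMOTE_BAD = "on:\n  workflow_dispatch:\n  push:\n    branches: [master]\npermissions:\n  contents: write\n"
```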
┌─────────────────────────────────────────────────────────────────────────┐
│ GitHub Repository Events │
│ │
│ Pull Request Push to master Manual Trigger │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────┐ ┌──────────────┐ ┌──────────────────────┐ │
│ │pr-validation│ │deploy- │ │promote-staging-to- │ │
│ │.yml │ │staging.yml │ │production.yml │ │
│ └────┬────────┘ └──────┬───────┘ │ (manual only) │ │
│ │ │ └──────────┬─────────────┘ │
│ │ │ │ │
│ ▼ ▼ │ │
│ ┌────────────────────────────────────────┐ │ │
│ │ _reusable-build.yml (Shared Logic) │ │ │
│ │ build-docker-image → build-website │ │ │
│ └────────────────────┬───────────────────┘ │ │
│ │ │ │
│ ┌────────────────┴────────────────┐ │ │
│ ▼ ▼ ▼ │
│ ┌─────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ validate│ │deploy-staging│ │ promote │ │
│ └─────────┘ └──────┬───────┘ │ (asf-staging│ │
│ │ │ │ → asf-site)│ │
│ │ ▼ └──────┬───────┘ │
│ │ asf-staging │ │
│ │ (staging site) ▼ │
│ │ │ asf-site │
│ │ │ (live site) │
│ │ │ │
│ ▼ └──► Verify staging, then run │
│ Result: ✓ PR Check "Promote Staging to Production" │
└─────────────────────────────────────────────────────────────────────────┘