feat(staging): auto-refresh staging on every push to master

New .forgejo/workflows/staging.yml rebuilds ppms-staging to latest master on every merge (push to master) on the host runner, so staging always mirrors the trunk; concurrency-coalesced + workflow_dispatch. Also drops --update-env from staging-up.sh (and unsets FORGEJO_*) so the runner's ephemeral token can't leak into ppms-staging. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 01:07:49 +05:30 · 2026-06-21 01:07:49 +05:30 · 9f8297aa7e
commit 9f8297aa7e
parent 1feb43186d
3 changed files with 37 additions and 2 deletions
--- a/.forgejo/workflows/staging.yml
+++ b/.forgejo/workflows/staging.yml
@ -0,0 +1,27 @@
+name: Refresh staging
+
+# Rebuilds the pms1 staging instance (pm2 `ppms-staging`, port 3200) to the latest
+# master on every merge to master, so staging always mirrors the trunk for
+# smoke-testing before a release tag. Also runnable on demand (workflow_dispatch).
+# See automation/README.md > "Staging".
+
+on:
+  push:
+    branches: [master]
+  workflow_dispatch: {}
+
+# Only one staging refresh at a time; a newer master push cancels an in-flight build
+# (staging-up.sh always checks out the latest origin/master, so the newest wins).
+concurrency:
+  group: refresh-staging
+  cancel-in-progress: true
+
+jobs:
+  refresh:
+    runs-on: host
+    steps:
+      - name: Rebuild staging on latest master
+        run: |
+          set -e
+          export NVM_DIR="$HOME/.nvm"; . "$NVM_DIR/nvm.sh"
+          "$HOME/issue-watcher/staging-up.sh"
--- a/automation/README.md
+++ b/automation/README.md
@ -121,7 +121,11 @@ before a release tag deploys them to prod.
 - Checkout: `~/pelagia-staging` (separate from `~/pms` and `~/pelagia-autofix`)
 - Process: pm2 `ppms-staging` on **port 3200**, against the prod-mirror test DB
  (`pelagia_test`), safe dev mode (console email, local storage, SSO disabled).
- Refresh to newer master + restart: re-run `~/issue-watcher/staging-up.sh`.
+- **Auto-refresh:** [`.forgejo/workflows/staging.yml`](../.forgejo/workflows/staging.yml)
+  rebuilds staging on **every push to `master`** (i.e. every merged PR) on the host runner,
+  so staging always tracks the trunk. It runs `~/issue-watcher/staging-up.sh`; concurrent
+  runs are coalesced (newest master wins). Also triggerable on demand (`workflow_dispatch`).
+- Manual refresh / restart: re-run `~/issue-watcher/staging-up.sh`.
 - Stop: `pm2 delete ppms-staging`.
 - **Access is SSH-tunnel only** — the dev server binds to `127.0.0.1:3200`, so it is
  not reachable from the public internet. Open a tunnel and browse `http://localhost:3200`:
--- a/automation/staging-up.sh
+++ b/automation/staging-up.sh
@ -67,8 +67,12 @@ echo "Generating Prisma client..."; pnpm db:generate
 # must be applied or the new code 500s on the missing columns.
 echo "Applying pending migrations to the test DB..."; pnpm db:migrate:deploy

+# Drop any FORGEJO_* the caller may carry (e.g. when invoked from the Forgejo
+# Actions runner, whose ephemeral FORGEJO_TOKEN would otherwise be injected into
+# the staging process). NOT --update-env on restart, for the same reason.
+for v in $(env | grep -oE '^FORGEJO_[A-Z_]+' || true); do unset "$v"; done
 if pm2 describe "$NAME" >/dev/null 2>&1; then
-    pm2 restart "$NAME" --update-env
+    pm2 restart "$NAME"
 else
    pm2 start "$DIR/App/run-staging.sh" --name "$NAME" --interpreter bash
 fi