Automation deployment for staging and prod

[Ayush8923]

Issue: #22

Summary:

• Added GitHub Actions workflow to automate frontend deployment on push to main and release branch.
• Replaced manual EC2 deployment (git pull) with automated SSH-based pipeline

Summary by CodeRabbit

• Chores
  • Added automated deployment workflows for both staging and production environments.
  • Deployments now remotely update servers, install dependencies, build the frontend, and restart the running app—reducing manual release steps, speeding rollouts, and improving consistency and uptime.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Two new GitHub Actions workflows were added to deploy the Kaapi frontend to EC2: staging (triggers on pushes to feat/frontend-cicd-deployment) and production (triggers on pushes to release). Each SSHes to an EC2 host, pulls code, installs deps, builds, and manages the PM2 process.

Changes

Cohort / File(s)	Summary
CD Workflows .github/workflows/cd-staging.yml, .github/workflows/cd-production.yml	Added two deployment workflows. Each checks out the repo, SSHes to an EC2 host using secrets, cds to the configured build directory, pulls the configured branch (main for staging script, release for production), stops the PM2 app (tolerates missing process), runs npm ci and npm run build, then starts the PM2 process.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor GitHubActions as "GitHub Actions"
    participant Runner as "Actions Runner\n(ubuntu-latest)"
    participant EC2 as "EC2 Host"
    participant PM2 as "PM2\n(process manager)"
    GitHubActions->>Runner: trigger on push (feat/frontend-cicd-deployment / release)
    Runner->>EC2: SSH using secrets (host, user, key)
    EC2->>EC2: cd $BUILD_DIRECTORY\ngit pull origin (branch)\nset -e
    EC2->>PM2: pm2 stop $PM2_APP_NAME || true
    EC2->>EC2: npm ci\nnpm run build
    EC2->>PM2: pm2 start $PM2_APP_NAME
    PM2-->>Runner: process started / restarted

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐇 I hopped to GitHub with keys in paw,
I pulled release and main without a flaw,
PM2 yawned and rose from its den,
Builds ran bright — then I hopped again,
Carrot in hand, I cheered: “Deployed!”

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding GitHub Actions workflows for automated deployment to both staging and production environments.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/frontend-cicd-deployment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (1)

.github/workflows/cd-production.yml (1)

13-45: Extract shared staging/production logic into a reusable workflow.

This deployment block is largely duplicated across both workflow files, which increases drift risk and patch latency for fixes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cd-production.yml around lines 13 - 45, Deployment steps
using the appleboy/ssh-action@v1.0.3 and the SCRIPT_NAME/pm2/npm sequence are
duplicated; extract this shared SSH deploy logic (the step named "Deploy via
SSH" and its script that uses SCRIPT_NAME, pm2 stop/start, npm ci, npm run
build, git pull) into a reusable workflow (e.g., a workflow called "deploy-ssh"
that exposes inputs like host, user, key, project_path and SCRIPT_NAME and uses
workflow_call), then replace the duplicated blocks in both staging and
production workflows with a single call to that reusable workflow (use the
workflow_call inputs to pass secrets/values). Ensure the reusable workflow
preserves the set -e script behavior and existing environment variable names so
pm2/npm/git commands continue to work unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/cd-production.yml:
- Around line 41-42: Add a pre-build guard that fails the job if the required
build-time env var NEXT_PUBLIC_BACKEND_URL is missing so the pipeline cannot run
npm run build (next build) with an invalid config; implement this by inserting a
step before the "===== Build Application =====" / npm run build step that checks
for NEXT_PUBLIC_BACKEND_URL (exit non‑zero and echo a clear error if unset or
empty) so the workflow fails fast when the variable is absent.
- Around line 32-33: The current deployment uses a non-deterministic "git pull
origin release" which can create merge commits or leave a dirty working tree;
replace that step with an explicit fetch and hard-reset sequence: run "git fetch
--prune origin release", then "git reset --hard origin/release" and optionally
"git clean -fdx" to remove untracked files, ensuring the script enforces an
exact branch state before continuing (replace the "git pull origin release"
invocation).

In @.github/workflows/cd-staging.yml:
- Around line 9-24: The deploy job is not scoped to staging and uses generic
secret names; update the job definition for the deploy job to include an
environment: staging and switch all generic secrets and env refs to
staging-specific secrets (e.g., replace secrets.EC2_HOST, secrets.EC2_USER,
secrets.EC2_SSH_KEY, and secrets.PM2_APP_NAME with secrets.STAGING_EC2_HOST,
secrets.STAGING_EC2_USER, secrets.STAGING_EC2_SSH_KEY,
secrets.STAGING_PM2_APP_NAME) so the appleboy/ssh-action invocation and
SCRIPT_NAME env use staging-only values and cannot target production.
- Around line 35-45: The script currently stops the PM2 process (pm2 stop
"$SCRIPT_NAME") before running npm ci and npm run build, which can leave the
service down if build fails; move the pm2 stop/restart sequence so that npm ci
and npm run build run first and only after they succeed perform the process
restart, and replace the stop + start sequence with pm2 reload "$SCRIPT_NAME"
(or pm2 reload ecosystem file) to achieve a zero-downtime restart; ensure the
commands referencing SCRIPT_NAME and the pm2 invocation are relocated after the
build steps and that failures in npm ci/npm run build do not stop a currently
running instance.
- Around line 18-25: Add SSH host key fingerprint verification to the
appleboy/ssh-action@v1.0.3 invocation by supplying the fingerprint parameter
(use a repository secret like SSH_HOST_FINGERPRINT) alongside the existing with:
host/username/key entries; update the workflow to read the fingerprint from
secrets and pass it into the action so the action performs host key pinning and
prevents MITM attacks during deployments.

---

Nitpick comments:
In @.github/workflows/cd-production.yml:
- Around line 13-45: Deployment steps using the appleboy/ssh-action@v1.0.3 and
the SCRIPT_NAME/pm2/npm sequence are duplicated; extract this shared SSH deploy
logic (the step named "Deploy via SSH" and its script that uses SCRIPT_NAME, pm2
stop/start, npm ci, npm run build, git pull) into a reusable workflow (e.g., a
workflow called "deploy-ssh" that exposes inputs like host, user, key,
project_path and SCRIPT_NAME and uses workflow_call), then replace the
duplicated blocks in both staging and production workflows with a single call to
that reusable workflow (use the workflow_call inputs to pass secrets/values).
Ensure the reusable workflow preserves the set -e script behavior and existing
environment variable names so pm2/npm/git commands continue to work unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 94bb20bf-62eb-4db7-871b-95ae6154fa90

📥 Commits

Reviewing files that changed from the base of the PR and between 1b29e4b and 6c3d49c.

📒 Files selected for processing (2)

• .github/workflows/cd-production.yml
• .github/workflows/cd-staging.yml

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

.github/workflows/cd-production.yml (2)

32-33: ⚠️ Potential issue | 🟠 Major

Replace git pull with deterministic branch sync.

Line 33 can deploy a merged/dirty state. Use fetch + hard reset to origin/release instead.

Suggested fix

             echo "=== Fetch Latest Code ==="
-            git pull origin release
+            git fetch --prune origin release
+            git reset --hard origin/release
+            git clean -fdx

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cd-production.yml around lines 32 - 33, Replace the
non-deterministic git pull in the deployment step with an explicit fetch and
hard reset to the remote branch: instead of running "git pull origin release"
update the workflow to run "git fetch origin release" followed by "git reset
--hard origin/release" (optionally add a shallow fetch depth) so the working
tree is deterministically synced to origin/release before building or deploying.

---

41-42: ⚠️ Potential issue | 🟠 Major

Fail fast when required build-time env vars are missing.

next build can succeed with missing runtime-critical config. Add an explicit guard before Line 42.

Suggested fix

             echo "=== Build Application ==="
+            : "${NEXT_PUBLIC_BACKEND_URL:?NEXT_PUBLIC_BACKEND_URL is required for production build}"
             npm run build

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cd-production.yml around lines 41 - 42, Before running the
build step (the npm run build / next build invocation), add a shell guard that
checks the required build-time environment variables and exits non-zero if any
are missing; implement this by enumerating the required names (e.g.,
NEXT_PUBLIC_API_URL, NEXTAUTH_URL, etc.) in a list, iterating over them in a
small bash snippet that tests each with [ -z "${VAR}" ] and prints which are
missing, then exit 1 if any were empty—place this check immediately before the
npm run build line so the workflow fails fast on missing build-time env vars.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/cd-production.yml:
- Around line 22-25: Add host key pinning for the appleboy/ssh-action@v1.0.3 SSH
step by providing the `fingerprint` input so the EC2 host identity is verified;
update the SSH action block that currently contains `host`, `username`, `key`,
and `script_stop` to include `fingerprint: "<expected_host_key_fingerprint>"`
(replace with the actual EC2 SSH host key fingerprint) to enforce host key
verification and prevent MITM.
- Around line 35-45: Replace the unreliable pm2 start call with a
restart-or-start flow: attempt pm2 restart "$SCRIPT_NAME" first and if that
fails fall back to starting npm as a named process (e.g., pm2 start npm --name
"$SCRIPT_NAME" -- start) so PM2 treats the process as the previously registered
app; update the block that currently calls pm2 stop "$SCRIPT_NAME" and pm2 start
"$SCRIPT_NAME" to use pm2 restart "$SCRIPT_NAME" || pm2 start npm --name
"$SCRIPT_NAME" -- start (keeping npm ci and npm run build intact).

---

Duplicate comments:
In @.github/workflows/cd-production.yml:
- Around line 32-33: Replace the non-deterministic git pull in the deployment
step with an explicit fetch and hard reset to the remote branch: instead of
running "git pull origin release" update the workflow to run "git fetch origin
release" followed by "git reset --hard origin/release" (optionally add a shallow
fetch depth) so the working tree is deterministically synced to origin/release
before building or deploying.
- Around line 41-42: Before running the build step (the npm run build / next
build invocation), add a shell guard that checks the required build-time
environment variables and exits non-zero if any are missing; implement this by
enumerating the required names (e.g., NEXT_PUBLIC_API_URL, NEXTAUTH_URL, etc.)
in a list, iterating over them in a small bash snippet that tests each with [ -z
"${VAR}" ] and prints which are missing, then exit 1 if any were empty—place
this check immediately before the npm run build line so the workflow fails fast
on missing build-time env vars.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7b6b14c7-3d4b-475f-94d7-3ff376c20f36

📥 Commits

Reviewing files that changed from the base of the PR and between 6c3d49c and 725f60f.

📒 Files selected for processing (2)

• .github/workflows/cd-production.yml
• .github/workflows/cd-staging.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/cd-staging.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/cd-staging.yml:
- Around line 20-22: The CI sets SCRIPT_NAME but does not forward it into the
remote ssh steps; update the appleboy/ssh-action steps to pass SCRIPT_NAME via
the with.envs map so the remote shell sees the app name (use the existing
secrets.PM2_APP_NAME value). Specifically, add SCRIPT_NAME: ${{
secrets.PM2_APP_NAME }} to the with.envs of the appleboy/ssh-action invocations
(both the deploy step around the first ssh-action and the later one referenced
at lines 37–46) so commands run remotely with a populated app name.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 846964fd-bb85-4d73-95d7-089eed4fb331

📥 Commits

Reviewing files that changed from the base of the PR and between 725f60f and ff4167b.

📒 Files selected for processing (2)

• .github/workflows/cd-production.yml
• .github/workflows/cd-staging.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/cd-production.yml

[Ayush8923]

Production uses the release branch, as discussed in the GitHub issue.

For reference, you can check it here: #22 (comment)

[vprashrex]

Sorry for confusion, my exact statement was this: can use main branch for staging and use release for production same way the Kaapi-backend is working or else use dev branch for staging and main branch for prod

Here I want to say use release means GitHub release not branch name release ... again sorry for the confusion

[Ayush8923]

I have update the flow same as the backend so in the production automation deployment only run when tags like v1.0.0, v2.1.0, etc., are created. and also updated the Readme accordingly.

[vprashrex]

great

[coderabbitai]

♻️ Duplicate comments (4)

.github/workflows/cd-production.yml (4)

37-47: ⚠️ Potential issue | 🟠 Major

Replace stop/start with restart-or-start PM2 flow.

Line 47 still depends on pm2 start "$PM2_APP_NAME" path; first deploys or registration drift can fail startup.

Suggested fix

-            echo "=== Stop Running Application ==="
-            pm2 stop "$PM2_APP_NAME" || true
@@
-            echo "=== Start Application ==="
-            pm2 start "$PM2_APP_NAME"
+            echo "=== Start/Restart Application ==="
+            if pm2 describe "$PM2_APP_NAME" >/dev/null 2>&1; then
+              pm2 restart "$PM2_APP_NAME" --update-env
+            else
+              pm2 start npm --name "$PM2_APP_NAME" -- start
+            fi
+            pm2 save

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cd-production.yml around lines 37 - 47, The workflow
currently uses "pm2 stop \"$PM2_APP_NAME\"" and then "pm2 start
\"$PM2_APP_NAME\"" which can fail when the app isn't registered; replace that
stop/start sequence with a restart-or-start flow so deployments work whether the
process exists or not: use pm2 restart "$PM2_APP_NAME" (or pm2 restart
"$PM2_APP_NAME" --update-env) and fall back to pm2 start "$PM2_APP_NAME" if
restart fails, keeping the same PM2_APP_NAME variable and ensuring the commands
run after build.

---

34-35: ⚠️ Potential issue | 🟠 Major

Use deterministic branch sync instead of git pull.

Line 35 can merge or keep drifted state on the server; deployment should force exact origin/release.

Suggested fix

             echo "=== Fetch Latest Code ==="
-            git pull origin release
+            git fetch --prune origin
+            git checkout -B release origin/release
+            git reset --hard origin/release

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cd-production.yml around lines 34 - 35, Replace the
non-deterministic "git pull origin release" with an explicit fetch and
hard-reset to the remote branch so the deployment always matches origin/release;
update the workflow to run a deterministic sequence such as fetching from origin
(e.g., "git fetch --prune origin") and then resetting or recreating the local
branch to exactly match origin/release (e.g., "git reset --hard origin/release"
or "git checkout -B release origin/release") instead of using "git pull origin
release".

---

24-27: ⚠️ Potential issue | 🟠 Major

Pin the EC2 SSH host key fingerprint.

Line 24-Line 27 still omit host key pinning, so SSH target identity is not enforced during deploy.

Suggested fix

         with:
           host: ${{ secrets.EC2_HOST }}
           username: ${{ secrets.EC2_USER }}
           key: ${{ secrets.EC2_SSH_KEY }}
+          fingerprint: ${{ secrets.EC2_HOST_FINGERPRINT }}
           script_stop: true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cd-production.yml around lines 24 - 27, The workflow
currently sets host/username/key but doesn’t pin the EC2 SSH host key; update
the step that uses host/username/key (the SSH/deploy action) to enforce host key
verification by adding a pinned host key/known_hosts entry (e.g., a host_key or
known_hosts parameter referencing a secret containing the EC2 server's public
key or fingerprint) so the action verifies the target identity instead of
accepting any host; ensure the secret value is created from the EC2 instance's
SSH host public key or its fingerprint and referenced in the step alongside
host, username, and key.

---

20-23: ⚠️ Potential issue | 🟠 Major

Fail fast when required build-time env var is missing.

npm run build can succeed with an invalid runtime config if required public env vars are absent.

Suggested fix

         env:
           PM2_APP_NAME: ${{ secrets.PM2_APP_NAME }}
           BUILD_DIRECTORY: ${{ secrets.BUILD_DIRECTORY }}
+          NEXT_PUBLIC_BACKEND_URL: ${{ secrets.NEXT_PUBLIC_BACKEND_URL }}
@@
             echo "=== Build Application ==="
+            : "${NEXT_PUBLIC_BACKEND_URL:?NEXT_PUBLIC_BACKEND_URL is required for production build}"
             npm run build

Also applies to: 43-44

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cd-production.yml around lines 20 - 23, Add a pre-build
check step in the GitHub Actions job that verifies required build-time env vars
(PM2_APP_NAME and BUILD_DIRECTORY) are set and exits non-zero if any are missing
so the workflow fails fast before running npm run build; place this check before
the build step and mirror it for the other job that also uses those vars (the
block referenced by the second occurrence), referencing the env keys
PM2_APP_NAME and BUILD_DIRECTORY in the validation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/cd-production.yml:
- Around line 37-47: The workflow currently uses "pm2 stop \"$PM2_APP_NAME\""
and then "pm2 start \"$PM2_APP_NAME\"" which can fail when the app isn't
registered; replace that stop/start sequence with a restart-or-start flow so
deployments work whether the process exists or not: use pm2 restart
"$PM2_APP_NAME" (or pm2 restart "$PM2_APP_NAME" --update-env) and fall back to
pm2 start "$PM2_APP_NAME" if restart fails, keeping the same PM2_APP_NAME
variable and ensuring the commands run after build.
- Around line 34-35: Replace the non-deterministic "git pull origin release"
with an explicit fetch and hard-reset to the remote branch so the deployment
always matches origin/release; update the workflow to run a deterministic
sequence such as fetching from origin (e.g., "git fetch --prune origin") and
then resetting or recreating the local branch to exactly match origin/release
(e.g., "git reset --hard origin/release" or "git checkout -B release
origin/release") instead of using "git pull origin release".
- Around line 24-27: The workflow currently sets host/username/key but doesn’t
pin the EC2 SSH host key; update the step that uses host/username/key (the
SSH/deploy action) to enforce host key verification by adding a pinned host
key/known_hosts entry (e.g., a host_key or known_hosts parameter referencing a
secret containing the EC2 server's public key or fingerprint) so the action
verifies the target identity instead of accepting any host; ensure the secret
value is created from the EC2 instance's SSH host public key or its fingerprint
and referenced in the step alongside host, username, and key.
- Around line 20-23: Add a pre-build check step in the GitHub Actions job that
verifies required build-time env vars (PM2_APP_NAME and BUILD_DIRECTORY) are set
and exits non-zero if any are missing so the workflow fails fast before running
npm run build; place this check before the build step and mirror it for the
other job that also uses those vars (the block referenced by the second
occurrence), referencing the env keys PM2_APP_NAME and BUILD_DIRECTORY in the
validation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 28e9a87d-11c4-41cd-ad33-00f71346b91b

📥 Commits

Reviewing files that changed from the base of the PR and between ff4167b and 8d79917.

📒 Files selected for processing (2)

• .github/workflows/cd-production.yml
• .github/workflows/cd-staging.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/cd-staging.yml

[Ayush8923]

As per the discussion with @Prajna1999, we can likely set this up upcoming Tuesday, as we need some server access from Vijay. Once we have that, we can proceed with merging this and testing it.