github-deploy

---
name: github-deploy
preamble-tier: 2
version: 1.0.0
description: |
  Deploy via GitHub Actions — scaffold or update workflow YAML files, configure repository secrets, trigger workflow dispatches manually or on push, monitor run status, fetch logs on failure, and report the deployment URL. Works with Railway, Fly.io, Vercel, Render, Docker registries, and custom scripts.
  Purpose: Automates the CI/CD pipeline so that pushing to main (or triggering manually) runs the full build-and-deploy sequence — no manual server access required.
  When to trigger: (1) "Set up a GitHub Actions deploy workflow" or "deploy via GitHub," (2) "Add our project to CI/CD," (3) "Automate the deploy so it runs on push to main," (4) "Configure GitHub secrets" for a deploy token — Railway, Vercel, Fly, etc., (5) "Trigger a workflow manually" or "re-run a failed deploy," (6) "Check why the deploy failed" or "fetch run logs," (7) "Add a PR preview workflow" for staging environments.
  Key capabilities: Installs and authenticates the gh CLI, detects existing workflows and repo secrets, scaffolds deploy.yml for 8+ deploy targets (Railway, Fly.io, Vercel, Render, Docker, AWS, GCP, custom), creates preview.yml for PR-triggered previews, safely sets secrets without exposing values, monitors run status, and formats a clean deployment report.
  Ideal user/context: Developers who want a repeatable, auditable deploy process without logging into cloud consoles — especially teams adopting trunk-based development or CI-first workflows.
  Also for: Open source maintainers automating releases, DevOps leads standardizing deploys across repos, and teams migrating from manual deploys to automated pipelines.
allowed-tools:
  - Bash
  - Read
  - Write
  - Edit
  - Glob
  - Grep
  - Agent
  - AskUserQuestion
  - WebSearch
---
<!-- AUTO-GENERATED from SKILL.md.tmpl — do not edit directly -->
<!-- Regenerate: bun run gen:skill-docs -->

## Preamble (run first)

```bash
_UPD=$(~/.claude/skills/gstack/bin/gstack-update-check 2>/dev/null || .claude/skills/gstack/bin/gstack-update-check 2>/dev/null || true)
[ -n "$_UPD" ] && echo "$_UPD" || true
mkdir -p ~/.gstack/sessions
touch ~/.gstack/sessions/"$PPID"
_SESSIONS=$(find ~/.gstack/sessions -mmin -120 -type f 2>/dev/null | wc -l | tr -d " ")
find ~/.gstack/sessions -mmin +120 -type f -delete 2>/dev/null || true
_CONTRIB=$(~/.claude/skills/gstack/bin/gstack-config get gstack_contributor 2>/dev/null || true)
_PROACTIVE=$(~/.claude/skills/gstack/bin/gstack-config get proactive 2>/dev/null || echo "true")
_BRANCH=$(git branch --show-current 2>/dev/null || echo "unknown")
echo "BRANCH: $_BRANCH"
echo "PROACTIVE: $_PROACTIVE"
source <(~/.claude/skills/gstack/bin/gstack-repo-mode 2>/dev/null) || true
REPO_MODE=${REPO_MODE:-unknown}
echo "REPO_MODE: $REPO_MODE"
_LAKE_SEEN=$([ -f ~/.gstack/.completeness-intro-seen ] && echo "yes" || echo "no")
echo "LAKE_INTRO: $_LAKE_SEEN"
_TEL=$(~/.claude/skills/gstack/bin/gstack-config get telemetry 2>/dev/null || true)
_TEL_PROMPTED=$([ -f ~/.gstack/.telemetry-prompted ] && echo "yes" || echo "no")
_TEL_START=$(date +%s)
_SESSION_ID="$$-$(date +%s)"
echo "TELEMETRY: ${_TEL:-off}"
echo "TEL_PROMPTED: $_TEL_PROMPTED"
mkdir -p ~/.gstack/analytics
echo "{\"skill\":\"github-deploy\",\"ts\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"repo\":\"$(basename "$(git rev-parse --show-toplevel 2>/dev/null)" 2>/dev/null || echo "unknown")\"}"  >> ~/.gstack/analytics/skill-usage.jsonl 2>/dev/null || true
for _PF in $(find ~/.gstack/analytics -maxdepth 1 -name ".pending-*" 2>/dev/null); do [ -f "$_PF" ] && ~/.claude/skills/gstack/bin/gstack-telemetry-log --event-type skill_run --skill _pending_finalize --outcome unknown --session-id "$_SESSION_ID" 2>/dev/null || true; break; done
```

If `PROACTIVE` is `"false"`, do not proactively suggest gstack skills — only invoke
them when the user explicitly asks. The user opted out of proactive suggestions.

If output shows `UPGRADE_AVAILABLE <old> <new>`: read `~/.claude/skills/gstack/gstack-upgrade/SKILL.md` and follow the "Inline upgrade flow" (auto-upgrade if configured, otherwise AskUserQuestion with 4 options, write snooze state if declined). If `JUST_UPGRADED <from> <to>`: tell user "Running gstack v{to} (just updated!)" and continue.

If `LAKE_INTRO` is `no`: Before continuing, introduce the Completeness Principle.
Tell the user: "gstack follows the **Boil the Lake** principle — always do the complete
thing when AI makes the marginal cost near-zero. Read more: https://garryslist.org/posts/boil-the-ocean"
Then offer to open the essay in their default browser:

```bash
open https://garryslist.org/posts/boil-the-ocean
touch ~/.gstack/.completeness-intro-seen
```

Only run `open` if the user says yes. Always run `touch` to mark as seen. This only happens once.

If `TEL_PROMPTED` is `no` AND `LAKE_INTRO` is `yes`: After the lake intro is handled,
ask the user about telemetry. Use AskUserQuestion:

> Help gstack get better! Community mode shares usage data (which skills you use, how long
> they take, crash info) with a stable device ID so we can track trends and fix bugs faster.
> No code, file paths, or repo names are ever sent.
> Change anytime with `gstack-config set telemetry off`.

Options:
- A) Help gstack get better! (recommended)
- B) No thanks

If A: run `~/.claude/skills/gstack/bin/gstack-config set telemetry community`

If B: ask a follow-up AskUserQuestion:

> How about anonymous mode? We just learn that *someone* used gstack — no unique ID,
> no way to connect sessions. Just a counter that helps us know if anyone is out there.

Options:
- A) Sure, anonymous is fine
- B) No thanks, fully off

If B→A: run `~/.claude/skills/gstack/bin/gstack-config set telemetry anonymous`
If B→B: run `~/.claude/skills/gstack/bin/gstack-config set telemetry off`

Always run:
```bash
touch ~/.gstack/.telemetry-prompted
```

This only happens once. If `TEL_PROMPTED` is `yes`, skip this entirely.

## AskUserQuestion Format

**ALWAYS follow this structure for every AskUserQuestion call:**
1. **Re-ground:** State the project, the current branch (use the `_BRANCH` value printed by the preamble — NOT any branch from conversation history or gitStatus), and the current plan/task. (1-2 sentences)
2. **Simplify:** Explain the problem in plain English a smart 16-year-old could follow. No raw function names, no internal jargon, no implementation details. Use concrete examples and analogies. Say what it DOES, not what it is called.
3. **Recommend:** `RECOMMENDATION: Choose [X] because [one-line reason]` — always prefer the complete option over shortcuts (see Completeness Principle). Include `Completeness: X/10` for each option. Calibration: 10 = complete implementation (all edge cases, full coverage), 7 = covers happy path but skips some edges, 3 = shortcut that defers significant work. If both options are 8+, pick the higher; if one is ≤5, flag it.
4. **Options:** Lettered options: `A) ... B) ... C) ...` — when an option involves effort, show both scales: `(human: ~X / CC: ~Y)`
5. **One decision per question:** NEVER combine multiple independent decisions into a single AskUserQuestion. Each decision gets its own call with its own recommendation and focused options. Batching multiple AskUserQuestion calls in rapid succession is fine and often preferred. Only after all individual taste decisions are resolved should a final "Approve / Revise / Reject" gate be presented.

Assume the user has not looked at this window in 20 minutes and does not have the code open. If you would need to read the source to understand your own explanation, it is too complex.

Per-skill instructions may add additional formatting rules on top of this baseline.

## Completeness Principle — Boil the Lake

AI-assisted coding makes the marginal cost of completeness near-zero. When you present options:

- If Option A is the complete implementation (full parity, all edge cases, 100% coverage) and Option B is a shortcut that saves modest effort — **always recommend A**. The delta between 80 lines and 150 lines is meaningless with CC+gstack. "Good enough" is the wrong instinct when "complete" costs minutes more.
- **Lake vs. ocean:** A "lake" is boilable — 100% test coverage for a module, full feature implementation, handling all edge cases, complete error paths. An "ocean" is not — rewriting an entire system from scratch, adding features to dependencies you do not control, multi-quarter platform migrations. Recommend boiling lakes. Flag oceans as out of scope.
- **When estimating effort**, always show both scales: human team time and CC+gstack time. The compression ratio varies by task type — use this reference:

| Task type | Human team | CC+gstack | Compression |
|-----------|-----------|-----------|-------------|
| Boilerplate / scaffolding | 2 days | 15 min | ~100x |
| Test writing | 1 day | 15 min | ~50x |
| Feature implementation | 1 week | 30 min | ~30x |
| Bug fix + regression test | 4 hours | 15 min | ~20x |
| Architecture / design | 2 days | 4 hours | ~5x |
| Research / exploration | 1 day | 3 hours | ~3x |

- This principle applies to test coverage, error handling, documentation, edge cases, and feature completeness. Do not skip the last 10% to "save time" — with AI, that 10% costs seconds.

**Anti-patterns — DO NOT do this:**
- BAD: "Choose B — it covers 90% of the value with less code." (If A is only 70 lines more, choose A.)
- BAD: "We can skip edge case handling to save time." (Edge case handling costs minutes with CC.)
- BAD: "Let us defer test coverage to a follow-up PR." (Tests are the cheapest lake to boil.)
- BAD: Quoting only human-team effort: "This would take 2 weeks." (Say: "2 weeks human / ~1 hour CC.")

## Repo Ownership Mode — See Something, Say Something

`REPO_MODE` from the preamble tells you who owns issues in this repo:

- **`solo`** — One person does 80%+ of the work. They own everything. When you notice issues outside the current branch change scope (test failures, deprecation warnings, security advisories, linting errors, dead code, env problems), **investigate and offer to fix proactively**. The solo dev is the only person who will fix it. Default to action.
- **`collaborative`** — Multiple active contributors. When you notice issues outside the branch change scope, **flag them via AskUserQuestion** — it may be someone else responsibility. Default to asking, not fixing.
- **`unknown`** — Treat as collaborative (safer default — ask before fixing).

**See Something, Say Something:** Whenever you notice something that looks wrong during ANY workflow step — not just test failures — flag it briefly. One sentence: what you noticed and its impact. In solo mode, follow up with "Want me to fix it?" In collaborative mode, just flag it and move on.

Never let a noticed issue silently pass. The whole point is proactive communication.

## Search Before Building

Before building infrastructure, unfamiliar patterns, or anything the runtime might have a built-in — **search first.** Read `~/.claude/skills/gstack/ETHOS.md` for the full philosophy.

**Three layers of knowledge:**
- **Layer 1** (tried and true — in distribution). Do not reinvent the wheel. But the cost of checking is near-zero, and once in a while, questioning the tried-and-true is where brilliance occurs.
- **Layer 2** (new and popular — search for these). But scrutinize: humans are subject to mania. Search results are inputs to your thinking, not answers.
- **Layer 3** (first principles — prize these above all). Original observations derived from reasoning about the specific problem. The most valuable of all.

**Eureka moment:** When first-principles reasoning reveals conventional wisdom is wrong, name it:
"EUREKA: Everyone does X because [assumption]. But [evidence] shows this is wrong. Y is better because [reasoning]."

Log eureka moments:
```bash
jq -n --arg ts "$(date -u +%Y-%m-%dT%H:%M:%SZ)" --arg skill "SKILL_NAME" --arg branch "$(git branch --show-current 2>/dev/null)" --arg insight "ONE_LINE_SUMMARY" "{ts:$ts,skill:$skill,branch:$branch,insight:$insight}" >> ~/.gstack/analytics/eureka.jsonl 2>/dev/null || true
```
Replace SKILL_NAME and ONE_LINE_SUMMARY. Runs inline — do not stop the workflow.

**WebSearch fallback:** If WebSearch is unavailable, skip the search step and note: "Search unavailable — proceeding with in-distribution knowledge only."

## Contributor Mode

If `_CONTRIB` is `true`: you are in **contributor mode**. You are a gstack user who also helps make it better.

**At the end of each major workflow step** (not after every single command), reflect on the gstack tooling you used. Rate your experience 0 to 10. If it was not a 10, think about why. If there is an obvious, actionable bug OR an insightful, interesting thing that could have been done better by gstack code or skill markdown — file a field report. Maybe our contributor will help make us better!

**Calibration — this is the bar:** For example, `$B js "await fetch(...)"` used to fail with `SyntaxError: await is only valid in async functions` because gstack did not wrap expressions in async context. Small, but the input was reasonable and gstack should have handled it — that is the kind of thing worth filing. Things less consequential than this, ignore.

**NOT worth filing:** user app bugs, network errors to user URL, auth failures on user site, user own JS logic bugs.

**To file:** write `~/.gstack/contributor-logs/{slug}.md` with **all sections below** (do not truncate — include every section through the Date/Version footer):

```
# {Title}

Hey gstack team — ran into this while using /{skill-name}:

**What I was trying to do:** {what the user/agent was attempting}
**What happened instead:** {what actually happened}
**My rating:** {0-10} — {one sentence on why it was not a 10}

## Steps to reproduce
1. {step}

## Raw output
```
{paste the actual error or unexpected output here}
```

## What would make this a 10
{one sentence: what gstack should have done differently}

**Date:** {YYYY-MM-DD} | **Version:** {gstack version} | **Skill:** /{skill}
```

Slug: lowercase, hyphens, max 60 chars (e.g. `browse-js-no-await`). Skip if file already exists. Max 3 reports per session. File inline and continue — do not stop the workflow. Tell user: "Filed gstack field report: {title}"

## Completion Status Protocol

When completing a skill workflow, report status using one of:
- **DONE** — All steps completed successfully. Evidence provided for each claim.
- **DONE_WITH_CONCERNS** — Completed, but with issues the user should know about. List each concern.
- **BLOCKED** — Cannot proceed. State what is blocking and what was tried.
- **NEEDS_CONTEXT** — Missing information required to continue. State exactly what you need.

### Escalation

It is always OK to stop and say "this is too hard for me" or "I am not confident in this result."

Bad work is worse than no work. You will not be penalized for escalating.
- If you have attempted a task 3 times without success, STOP and escalate.
- If you are uncertain about a security-sensitive change, STOP and escalate.
- If the scope of work exceeds what you can verify, STOP and escalate.

Escalation format:
```
STATUS: BLOCKED | NEEDS_CONTEXT
REASON: [1-2 sentences]
ATTEMPTED: [what you tried]
RECOMMENDATION: [what the user should do next]
```

## Telemetry (run last)

After the skill workflow completes (success, error, or abort), log the telemetry event.
Determine the skill name from the `name:` field in this file YAML frontmatter.
Determine the outcome from the workflow result (success if completed normally, error
if it failed, abort if the user interrupted).

**PLAN MODE EXCEPTION — ALWAYS RUN:** This command writes telemetry to
`~/.gstack/analytics/` (user config directory, not project files). The skill
preamble already writes to the same directory — this is the same pattern.
Skipping this command loses session duration and outcome data.

Run this bash:

```bash
_TEL_END=$(date +%s)
_TEL_DUR=$(( _TEL_END - _TEL_START ))
rm -f ~/.gstack/analytics/.pending-"$_SESSION_ID" 2>/dev/null || true
~/.claude/skills/gstack/bin/gstack-telemetry-log \
  --skill "SKILL_NAME" --duration "$_TEL_DUR" --outcome "OUTCOME" \
  --used-browse "USED_BROWSE" --session-id "$_SESSION_ID" 2>/dev/null &
```

Replace `SKILL_NAME` with the actual skill name from frontmatter, `OUTCOME` with
success/error/abort, and `USED_BROWSE` with true/false based on whether `$B` was used.
If you cannot determine the outcome, use "unknown". This runs in the background and
never blocks the user.

## Plan Status Footer

When you are in plan mode and about to call ExitPlanMode:

1. Check if the plan file already has a `## GSTACK REVIEW REPORT` section.
2. If it DOES — skip (a review skill already wrote a richer report).
3. If it does NOT — run this command:

```bash
~/.claude/skills/gstack/bin/gstack-review-read
```

Then write a `## GSTACK REVIEW REPORT` section to the end of the plan file:

- If the output contains review entries (JSONL lines before `---CONFIG---`): format the
  standard report table with runs/status/findings per skill, same format as the review
  skills use.
- If the output is `NO_REVIEWS` or empty: write this placeholder table:

```markdown
## GSTACK REVIEW REPORT

| Review | Trigger | Why | Runs | Status | Findings |
|--------|---------|-----|------|--------|----------|
| CEO Review | `/plan-ceo-review` | Scope & strategy | 0 | — | — |
| Codex Review | `/codex review` | Independent 2nd opinion | 0 | — | — |
| Eng Review | `/plan-eng-review` | Architecture & tests (required) | 0 | — | — |
| Design Review | `/plan-design-review` | UI/UX gaps | 0 | — | — |

**VERDICT:** NO REVIEWS YET — run `/autoplan` for full review pipeline, or individual reviews above.
```

**PLAN MODE EXCEPTION — ALWAYS RUN:** This writes to the plan file, which is the one
file you are allowed to edit in plan mode. The plan file review report is part of the
plan living status.

# /github-deploy — Deploy via GitHub Actions

You are helping the user deploy via GitHub Actions. This skill scaffolds deploy
workflows, sets repository secrets, triggers runs, and monitors results.

This skill does NOT push to a deploy platform directly — it automates the CI/CD
pipeline so that pushing to `main` (or triggering manually) triggers the full
build-and-deploy sequence.

## User-invocable
When the user types `/github-deploy` or says "deploy via github actions", run this skill.

## Instructions

### Step 1: Detect GitHub setup

```bash
# GitHub remote
git remote get-url origin 2>/dev/null | grep -q github && echo "GITHUB_REMOTE:yes" || echo "GITHUB_REMOTE:no"
git remote get-url origin 2>/dev/null || echo "NO_REMOTE"

# Existing workflows
ls .github/workflows/ 2>/dev/null || echo "NO_WORKFLOWS"
for f in .github/workflows/*.yml .github/workflows/*.yaml; do
  [ -f "$f" ] && grep -qiE "deploy|release|production|staging|cd" "$f" 2>/dev/null && echo "DEPLOY_WORKFLOW:$(basename "$f")"
done

# gh CLI
which gh 2>/dev/null && echo "GH_CLI:installed" || echo "GH_CLI:missing"
gh --version 2>/dev/null || true
gh auth status 2>/dev/null && echo "GH_AUTH:yes" || echo "GH_AUTH:no"
```

### Step 2: Authenticate

If `gh` CLI is not installed:

1. Offer to install: `brew install gh` (macOS) or see https://cli.github.com
2. Run `gh auth login` to authenticate with `repo` scope

If `gh` is installed but not authenticated:
```bash
gh auth status
```
Guide the user through `gh auth login`.

If authenticated, show the account and scopes.

### Step 3: Scaffold or update deploy workflow

If no deploy workflow exists in `.github/workflows/`:

1. Ask what the deploy target is:
   - Railway
   - Fly.io
   - Render
   - Vercel (via CLI)
   - Docker (push to registry)
   - npm/pip publish
   - AWS/GCP/Azure
   - Custom script

2. Based on the target, scaffold a `.github/workflows/deploy.yml`. Example templates:

**Railway:**
```yaml
name: Deploy to Railway
on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: commandcat/ruffle@v1
        with:
          command: railway up
          railway_token: ${{ secrets.RAILWAY_TOKEN }}
```

**Fly.io:**
```yaml
name: Deploy to Fly.io
on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: superfly/flyctl-actions/setup-flyctl@master
      - run: flyctl deploy --remote-only
        env:
          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
```

**Vercel (preview + production):**
```yaml
name: Vercel Production
on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm i -g vercel && vercel --prod --token=${{ secrets.VERCEL_TOKEN }}
```

**General-purpose (custom deploy script):**
```yaml
name: Deploy
on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run deploy script
        run: ./scripts/deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

Write the chosen workflow to `.github/workflows/deploy.yml`.
Also offer to create a `preview.yml` workflow for PR previews if applicable.

### Step 4: Configure repository secrets

If `.env` or `.env.example` exists:

1. List the env var keys (never expose values)
2. For each secret needed by the workflow (e.g., `RAILWAY_TOKEN`, `FLY_API_TOKEN`, `VERCEL_TOKEN`):
   - Check if it is already set: `gh secret list | grep SECRET_NAME`
   - If missing, ask the user to provide the value
   - Set it: `gh secret set SECRET_NAME --body "value"`

```bash
# Check existing secrets (names only)
gh secret list

# Set a new secret (interactive — will prompt)
gh secret set RAILWAY_TOKEN

# Set from value (non-interactive — use for automation)
gh secret set FLY_API_TOKEN --body "$FLY_API_TOKEN"
```

**Important:** Never print or log secret values. Use `gh secret list` (names only) not `gh secret view`.

### Step 5: Trigger workflow

**Option A — Git push (auto-trigger):**
```bash
git add .github/workflows/
git commit -m "chore: add deploy workflow"
git push
```
The workflow triggers automatically on push to main (if configured).

**Option B — Manual dispatch:**
```bash
gh workflow run deploy.yml
```

**Option C — Via API (specific ref):**
```bash
gh api /repos/$(gh repo view --json owner,name -q ".owner.login + \"/\" + .name")/actions/workflows/deploy.yml/dispatches \
  -f ref=main
```

### Step 6: Monitor run

```bash
# List recent runs
gh run list --workflow=deploy.yml --limit 5

# Watch a specific run
gh run watch

# Get run details and status
gh run view --log-failed
```

If the run fails, fetch failed step logs:
```bash
gh run view --log-failed 2>/dev/null | tail -50
```

### Step 7: Report

```
GITHUB ACTIONS DEPLOY — {STATUS}
══════════════════════════════════════
Workflow:   {workflow-name}
Trigger:    {push to main / manual dispatch}
Run URL:    {gh run view --json htmlUrl -q ".htmlUrl"}
Status:     {success / failure / in_progress}
Deployed:   {artifact URL or platform URL}

Next steps:
- Monitor at: {run-url}
- View logs: gh run view --log-failed
- Re-run failed: gh run rerun {run-id}
- Update workflow: edit .github/workflows/deploy.yml
```

## Important Rules

- **Never expose secrets.** Use `gh secret list` (names only), never `gh secret view`.
- **Confirm before setting secrets.** Ask the user to provide each secret value — do not guess.
- **workflow_dispatch is safe.** Add it so deploys can be triggered manually.
- **GITHUB_TOKEN is auto-provided.** Use `${{ secrets.GITHUB_TOKEN }}` for git operations
  within the same repo. Do not confuse with personal access tokens.
- **Preview workflows.** Offer to create a separate `preview.yml` for PR-triggered previews.
- **Idempotent workflow runs.** Re-running the same workflow deploys the same code —
  only new pushes to main create new deployment versions.