@SailReal
Member

@SailReal SailReal commented Sep 9, 2025

This PR introduces a remote staging env. When a push is executed against the dev-branch, the output of Hugo will be published via https://github.com/cryptomator/staging.cryptomator.github.io to https://staging.cryptomator.org

http://api.staging.cryptomator.cloud and https://store.staging.cryptomator.org/ are currently still under construction.

@coderabbitai
Contributor

coderabbitai bot commented Sep 9, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

The gh-pages GitHub Actions workflow is restructured to run separate Hugo builds for production and staging, outputting public/prod and public/staging. Artifacts prod-site and staging-site are uploaded separately. Deploy is split into deploy-prod (runs on main, deploys prod-site to GitHub Pages) and deploy-staging (runs on develop, downloads staging-site and publishes to cryptomator/staging.cryptomator.org with a CNAME). A staging robots.txt is generated. config/staging/params.yaml points APIs to staging endpoints, and layouts/_default/baseof.html adds a conditional meta robots noindex when environment is "staging".

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Add Staging Environment #131 — Modifies the same gh-pages workflow, adds staging/prod build and deploy steps, and adjusts staging config and noindex logic.

Suggested reviewers

  • tobihagemann

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b1bffff and edfc39b.

📒 Files selected for processing (1)
  • .github/workflows/gh-pages.yml (2 hunks)

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 7

🧹 Nitpick comments (1)
config/development/params.yaml (1)

1-2: Dev baseURL points to prod domain.

For local previews, prefer http://localhost:1313/. Hugo server will still override, but keeping dev config consistent avoids surprises in CI previews.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 08fd75b and 284c97f.

📒 Files selected for processing (5)
  • .github/workflows/gh-pages.yml (1 hunks)
  • config/_default/hugo.yaml (0 hunks)
  • config/development/params.yaml (1 hunks)
  • config/production/params.yaml (1 hunks)
  • config/staging/params.yaml (1 hunks)
💤 Files with no reviewable changes (1)
  • config/_default/hugo.yaml
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/gh-pages.yml

63-63: input "path" is not defined in action "actions/deploy-pages@v4". available inputs are "artifact_name", "error_count", "preview", "reporting_interval", "timeout", "token"

(action)


81-81: the runner of "peaceiris/actions-gh-pages@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (1)
config/staging/params.yaml (1)

4-5: Verify staging endpoints for HTTPS support and path consistency.

  • Ensure https://api.staging.cryptomator.cloud is reachable; if so, update baseApiUrl to use HTTPS.
  • Confirm whether the store API is served under /api at https://store.staging.cryptomator.org/api; if not, adjust frontend calls to match the actual root path.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (2)
.github/workflows/gh-pages.yml (2)

49-67: Prod Pages deploy wired correctly

Switch to artifact_name is correct; no manual download step. Permissions block is properly scoped.


68-88: Fix staging deploy: wrong action version, auth method, repo name, and publish_dir

  • Use peaceiris/actions-gh-pages@v4 (v3 is deprecated on current runners).
  • GITHUB_TOKEN is invalid for pushing to an external repo; use a PAT via personal_token or an SSH deploy key via deploy_key.
  • Repo name should be cryptomator/staging.cryptomator.github.io (per PR description), not …staging.cryptomator.org.
  • Current download path nests “public/public”; set download path to “.” and publish_dir to “./public/staging”.
  • Rename step for clarity and optionally attach a staging environment with URL.
   deploy-staging:
     if: github.ref == 'refs/heads/develop'
-    name: Deploy Staging to GitHub Pages
+    name: Deploy Staging to external repository
     runs-on: ubuntu-latest
     needs: [build]
     steps:
-      - name: Download build
+      - name: Download staging artifact
         uses: actions/download-artifact@v4
         with:
           name: staging-site
-          path: ./public
+          path: .
       - name: Deploy to Staging Repository
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v4
         with:
-          deploy_key: ${{ secrets.GITHUB_TOKEN }}
-          external_repository: cryptomator/staging.cryptomator.org
-          publish_dir: ./public
+          # Choose ONE of the following:
+          # personal_token: ${{ secrets.STAGING_PUBLISH_TOKEN }} # PAT with repo write access
+          # OR
+          # deploy_key: ${{ secrets.STAGING_DEPLOY_KEY }}        # SSH private key; public key added as repo Deploy Key
+          external_repository: cryptomator/staging.cryptomator.github.io
+          publish_dir: ./public/staging
           publish_branch: main
           cname: staging.cryptomator.org
+    environment:
+      name: staging
+      url: https://staging.cryptomator.org
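Review bot: in the `with:` block of the deploy step, `personal_token` and `deploy_key` are added only as comments while `deploy_key: ${{ secrets.GITHUB_TOKEN }}` is removed, so applying this suggestion as written leaves the step with no credential for `external_repository` and the push cannot authenticate. Uncomment exactly one of the two lines in the same change. The `environment:` block is valid where it is, but it reads more clearly next to `runs-on:` than after the last step.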

Please confirm:

  • The target repo is indeed cryptomator/staging.cryptomator.github.io.
  • A secret STAGING_PUBLISH_TOKEN (PAT) or STAGING_DEPLOY_KEY (SSH private key) exists with push rights to that repo.
🧹 Nitpick comments (1)
.github/workflows/gh-pages.yml (1)

38-47: Artifacts: good split; add guardrails

Keep using upload-pages-artifact for prod and upload-artifact for staging. Recommend failing fast if staging output is empty and setting a short retention.

-    - name: Upload Staging artifacts
+    - name: Upload Staging artifacts
       uses: actions/upload-artifact@v4
       with:
         name: staging-site
         path: ./public/staging
+        if-no-files-found: error
+        retention-days: 7
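Review bot: the `-`/`+` pair on the `name:` line is identical and should be dropped so the suggestion shows only the two added inputs. Of those, `if-no-files-found: error` is the one that matters: the action's default is `warn`, so without it an empty `./public/staging` is only logged and the failure surfaces later in the deploy job instead of in the build.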
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 284c97f and 3a2a275.

📒 Files selected for processing (1)
  • .github/workflows/gh-pages.yml (2 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/gh-pages.yml

81-81: the runner of "peaceiris/actions-gh-pages@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (1)
.github/workflows/gh-pages.yml (1)

34-37: Dual Hugo builds look correct

Prod uses default production env; staging uses explicit --environment=staging. Good.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
.github/workflows/gh-pages.yml (1)

68-87: Fix staging deploy: wrong auth input, outdated action, and path nesting.

  • peaceiris/actions-gh-pages@v3 is too old; use @v4.
  • deploy_key must be an SSH private key, not GITHUB_TOKEN. For an external repo, use either personal_token (PAT) or a real deploy_key.
  • Downloading the artifact into ./public and publishing ./public will likely create a “public/public/staging/…” nesting. Publish the actual staging dir.

Apply this diff:

   deploy-staging:
     if: github.ref == 'refs/heads/develop'
-    name: Deploy Staging to GitHub Pages
+    name: Deploy Staging to external repository
     runs-on: ubuntu-latest
     needs: [build]
     steps:
-      - name: Download build
+      - name: Download staging artifact
         uses: actions/download-artifact@v4
         with:
           name: staging-site
-          path: ./public
+          path: .
       - name: Deploy to Staging Repository
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@v4
         with:
-          deploy_key: ${{ secrets.GITHUB_TOKEN }}
+          # Choose ONE auth method:
+          # personal_token: ${{ secrets.STAGING_PUBLISH_TOKEN }}
+          # OR
+          # deploy_key: ${{ secrets.STAGING_DEPLOY_KEY }}
           external_repository: cryptomator/staging.cryptomator.org
-          publish_dir: ./public
+          publish_dir: ./public/staging
           publish_branch: main
           cname: staging.cryptomator.org
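Review bot: the `external_repository: cryptomator/staging.cryptomator.org` context line is left unchanged, but the PR description names cryptomator/staging.cryptomator.github.io as the repository that publishes the staging site. Settle which name is correct before merging, because the credential has to be granted on exactly that repository. Both auth inputs are also only comments here, so one has to be uncommented for the step to authenticate.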
🧹 Nitpick comments (2)
.github/workflows/gh-pages.yml (2)

34-37: Build both variants only when needed (save minutes per run).

Gate the two Hugo build steps by branch so a push to main doesn’t build staging and vice versa. Mirror the same condition on the corresponding artifact upload steps.

-    - name: Build production
+    - name: Build production
+      if: github.ref == 'refs/heads/main'
       run: hugo --minify --destination public/prod
-    - name: Build staging
+    - name: Build staging
+      if: github.ref == 'refs/heads/develop'
       run: hugo --baseURL=https://staging.cryptomator.org/ --environment=staging --minify --destination public/staging
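Review bot: the `if: github.ref == ...` guards on both build steps mean no Hugo build runs for any ref other than main and develop. On `pull_request` events `github.ref` is `refs/pull/<number>/merge`, so if this workflow is also triggered for pull requests, a broken build would no longer be caught before merge. Keeping the builds unconditional and gating only the upload and deploy steps avoids that. The `-`/`+` pairs on the two `name:` lines are identical and can be dropped.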

Also add the same if guards to the prod/staging artifact upload steps.


41-47: Artifacts split looks correct; minor hardening.

  • Consider setting a short retention for staging artifacts to reduce storage.
  • Ensure the step-level if guards match the branch logic so only the relevant artifact is uploaded on each branch.
     - name: Upload Staging artifacts
       uses: actions/upload-artifact@v4
       with:
         name: staging-site
         path: ./public/staging
+        retention-days: 3
+        if-no-files-found: error
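Review bot: `if-no-files-found: error` is added here without an `if: github.ref == 'refs/heads/develop'` guard on the step. If the staging build is gated to develop as the previous suggestion proposes, a push to main reaches this step with no `./public/staging` directory and the build job fails. Add the guard in the same change. The retention is 3 days here and 7 in the earlier suggestion; pick one value.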
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 3a2a275 and ebb0c1f.

📒 Files selected for processing (2)
  • .github/workflows/gh-pages.yml (2 hunks)
  • config/staging/params.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • config/staging/params.yaml
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/gh-pages.yml

81-81: the runner of "peaceiris/actions-gh-pages@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (2)
.github/workflows/gh-pages.yml (2)

49-67: Prod deploy via Pages artifact is wired correctly.

Using actions/deploy-pages@v4 with artifact_name: prod-site and proper environment config looks good.


84-84: Verify external_repository name matches the PR objective.

PR text says the staging repo is “cryptomator/staging.cryptomator.github.io”, but the workflow targets “cryptomator/staging.cryptomator.org”. Confirm which repository is authoritative and update external_repository accordingly.

Would you like me to generate a follow-up patch once you confirm the correct repo name?

@cryptomator cryptomator deleted a comment from coderabbitai bot Sep 9, 2025
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
config/staging/params.yaml (1)

1-3: Resolved earlier issue: baseURL removed from params.yaml.

The prior review about moving baseURL out of params.yaml is now correctly addressed.

🧹 Nitpick comments (1)
config/staging/params.yaml (1)

6-6: Confirm Umami website ID is staging-only (avoid polluting prod analytics).

If this ID is shared with prod, consider a dedicated staging siteId or disable analytics in staging.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between ebb0c1f and 6bf7d2f.

📒 Files selected for processing (1)
  • config/staging/params.yaml (1 hunks)
🔇 Additional comments (3)
config/staging/params.yaml (3)

9-19: Paddle: sandbox is enabled—verify product/vendor/plan IDs belong to the sandbox account.

Numbers often differ between sandbox and production. Mismatch will break checkout in staging.


21-25: Stripe: test key present—good for staging; ensure no secret keys are committed and plans map to test mode.

Looks fine; just verifying that any plan/product IDs referenced by the frontend are test-mode counterparts.


2-3: Normalize staging API URLs in config/staging/params.yaml

  • Confirm the correct scheme for baseApiUrl—the PR description mentions http://api.staging.cryptomator.cloud, but the config uses https://api.staging.cryptomator.cloud; mismatches here can cause runtime failures.
  • Standardize trailing slashes to avoid double-slash or missing-slash issues on URL joins. For example, remove the slash on storeApiUrl:
-baseApiUrl: https://api.staging.cryptomator.cloud
-storeApiUrl: https://store.staging.cryptomator.org/
+baseApiUrl: https://api.staging.cryptomator.cloud
+storeApiUrl: https://store.staging.cryptomator.org
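Review bot: the `baseApiUrl` `-`/`+` pair is identical, so the only effective change is dropping the trailing slash from `storeApiUrl`. That is safe only if every place that builds a store URL prepends its own `/`; check the call sites first, otherwise host and path are concatenated without a separator. Whichever form is chosen, use the same convention for both URLs.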

DNS lookup tests for these endpoints failed in the sandbox—please verify connectivity and correct URL formatting in your staging environment.

@overheadhunter
Member

Maybe add a robots.txt that disallows indexing?

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
.github/workflows/gh-pages.yml (1)

70-90: Staging deploy will fail: wrong auth, outdated action, and wrong publish_dir/path pairing.

  • peaceiris v3 is EOL on GH Actions runners; use v4.
  • deploy_key expects an SSH private key, not GITHUB_TOKEN. For external_repository, use personal_token (PAT) or a real deploy_key.
  • You download the artifact to ./public, but publish_dir is ./public; the artifact contains a staging directory, so Pages root will be nested. Publish ./public/staging or download to . accordingly.

Apply:

-  deploy-staging:
-    if: github.ref == 'refs/heads/develop'
-    name: Deploy Staging to GitHub Pages
+  deploy-staging:
+    if: github.ref == 'refs/heads/develop' && github.repository == 'cryptomator/cryptomator.github.io'
+    name: Deploy Staging to external repository
     runs-on: ubuntu-latest
     needs: [build]
     steps:
-      - name: Download build
+      - name: Download staging artifact
         uses: actions/download-artifact@v4
         with:
           name: staging-site
-          path: ./public
-      - name: Deploy to Staging Repository
-        uses: peaceiris/actions-gh-pages@v3
+          path: .
+      - name: Deploy to Staging Repository
+        uses: peaceiris/actions-gh-pages@v4
         with:
-          deploy_key: ${{ secrets.GITHUB_TOKEN }}
+          # Use one of the following auth methods (ensure the secret exists with push rights):
+          personal_token: ${{ secrets.STAGING_PUBLISH_TOKEN }}
+          # deploy_key: ${{ secrets.STAGING_DEPLOY_KEY }}
           external_repository: cryptomator/staging.cryptomator.org
-          publish_dir: ./public
+          publish_dir: ./public/staging
           publish_branch: main
           cname: staging.cryptomator.org
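Review bot: `personal_token: ${{ secrets.STAGING_PUBLISH_TOKEN }}` is made the active auth line with `deploy_key` as the commented alternative; for a job that only ever pushes to one repository, the deploy key is the narrower grant, since it is bound to that repository while a PAT is tied to a user account and reaches whatever that token was given. The step also hands the secret to a third-party action referenced by the mutable tag `@v4`; pinning `peaceiris/actions-gh-pages` to a full commit SHA keeps a moved tag from receiving it. The added `github.repository == 'cryptomator/cryptomator.github.io'` condition is worth keeping, because it stops forks from attempting the deploy.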

Follow-up:

  • Create a fine-grained PAT with repo:write for cryptomator/staging.cryptomator.org and store as STAGING_PUBLISH_TOKEN, or set up an SSH deploy key and store the private key as STAGING_DEPLOY_KEY.
🧹 Nitpick comments (1)
.github/workflows/gh-pages.yml (1)

34-49: Avoid building both targets on every push; condition the build/upload steps by branch.

This saves minutes per run and artifact storage. Apply per-step if guards so each branch only builds/uploads what it needs.

-    - name: Build production
-      run: hugo --minify --destination public/prod
+    - name: Build production
+      if: github.ref == 'refs/heads/main'
+      run: hugo --minify --destination public/prod
-    - name: Build staging
-      run: hugo --baseURL=https://staging.cryptomator.org/ --environment=staging --minify --destination public/staging
+    - name: Build staging
+      if: github.ref == 'refs/heads/develop'
+      run: hugo --baseURL=https://staging.cryptomator.org/ --environment=staging --minify --destination public/staging
-    - name: Add robots.txt for staging
-      run: 'echo -e "User-agent: *\nDisallow: /" > public/staging/robots.txt'
+    - name: Add robots.txt for staging
+      if: github.ref == 'refs/heads/develop'
+      run: 'echo -e "User-agent: *\nDisallow: /" > public/staging/robots.txt'
-    - name: Upload Prod Pages artifact
+    - name: Upload Prod Pages artifact
+      if: github.ref == 'refs/heads/main'
       uses: actions/upload-pages-artifact@v3
       with:
         name: prod-site
         path: ./public/prod
-    - name: Upload Staging artifacts
+    - name: Upload Staging artifact
+      if: github.ref == 'refs/heads/develop'
       uses: actions/upload-artifact@v4
       with:
         name: staging-site
         path: ./public/staging
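Review bot: the robots.txt step writes `Disallow: /`, which tells compliant crawlers not to fetch any page, so they never read the `noindex` meta tag that the staging layout adds; a URL discovered through links can then still be listed without its content. If keeping staging out of search results is the goal, rely on `noindex` and leave crawling allowed, or treat robots.txt as crawl control only. Separately, `echo -e` depends on the shell's echo implementation; `printf 'User-agent: *\nDisallow: /\n'` gives the same file in any shell.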
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 0957ae5 and df141fd.

📒 Files selected for processing (1)
  • .github/workflows/gh-pages.yml (2 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: SailReal
PR: cryptomator/cryptomator.github.io#131
File: config/production/params.yaml:0-0
Timestamp: 2025-09-09T07:26:16.265Z
Learning: In the cryptomator.github.io repository, production configuration fixes (like HTTPS API URLs) are handled in separate commits/PRs from staging environment setup, maintaining clear scope separation between different types of changes.
🪛 actionlint (1.7.7)
.github/workflows/gh-pages.yml

83-83: the runner of "peaceiris/actions-gh-pages@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (2)
.github/workflows/gh-pages.yml (2)

38-39: Robots for staging: good call.

Disallowing indexing in staging matches reviewer feedback and avoids accidental SEO noise.


51-66: Prod deploy wiring looks correct.

Good use of deploy-pages with artifact_name and proper Pages permissions/env.

Member

@tobihagemann tobihagemann left a comment

A robots.txt file [...] is not a mechanism for keeping a web page out of Google. To keep a web page out of Google, block indexing with noindex or password-protect the page.

https://developers.google.com/search/docs/crawling-indexing/robots/intro

Probably, the easiest would be to set this for staging:

<meta name="robots" content="noindex">

Edit: But we can keep the robots.txt anyway, shouldn't hurt.
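
A build-time check for the noindex approach suggested in the comment above, as an added example that is not part of the PR or the project's code: it scans a built site directory and lists every HTML page that lacks a robots `noindex` directive. The function names and the sample pages are constructed for illustration; in this workflow the directory to scan would be `public/staging`.

```python
import sys
import tempfile
from html.parser import HTMLParser
from pathlib import Path


class RobotsMetaParser(HTMLParser):
    """Collect the directives of every <meta name="robots"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").strip().lower() == "robots":
            for token in attr.get("content", "").split(","):
                self.directives.add(token.strip().lower())


def has_noindex(html_text):
    """True if the page carries noindex ("none" means noindex, nofollow)."""
    parser = RobotsMetaParser()
    parser.feed(html_text)
    parser.close()
    return bool(parser.directives & {"noindex", "none"})


def pages_missing_noindex(site_dir):
    """Return sorted relative paths of HTML files without a noindex directive."""
    root = Path(site_dir)
    return sorted(
        page.relative_to(root).as_posix()
        for page in root.rglob("*.html")
        if not has_noindex(page.read_text(encoding="utf-8", errors="replace"))
    )


def build_sample_site(root):
    """Write constructed sample pages standing in for a public/staging build."""
    pages = {
        "index.html": '<html><head><meta name="robots" content="noindex"></head></html>',
        "pricing/index.html": "<html><head><title>Pricing</title></head></html>",
        # A commented-out tag must not count as protection.
        "blog/index.html": '<head><!-- <meta name="robots" content="noindex"> --></head>',
        "faq/index.html": '<head><META NAME="Robots" CONTENT="NoFollow, NoIndex" /></head>',
    }
    for rel, body in pages.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


def check_sample_site():
    """Build the constructed sample in a temp dir and return the failing pages."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return pages_missing_noindex(tmp)


if __name__ == "__main__":
    # With a path argument, scan that directory; otherwise scan the sample.
    missing = pages_missing_noindex(sys.argv[1]) if len(sys.argv) > 1 else check_sample_site()
    for rel in missing:
        print(f"missing noindex: {rel}")
    sys.exit(1 if missing else 0)
```

Run as a step after the staging build, the non-zero exit code fails the job before anything is uploaded or deployed.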

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between df141fd and b1bffff.

📒 Files selected for processing (1)
  • layouts/_default/baseof.html (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: SailReal
PR: cryptomator/cryptomator.github.io#131
File: config/production/params.yaml:0-0
Timestamp: 2025-09-09T07:26:16.276Z
Learning: In the cryptomator.github.io repository, production configuration fixes (like HTTPS API URLs) are handled in separate commits/PRs from staging environment setup, maintaining clear scope separation between different types of changes.

@SailReal SailReal merged commit d99bfc4 into develop Sep 9, 2025
2 checks passed
@SailReal SailReal deleted the feature/add-staging-env branch September 9, 2025 16:07
SailReal added a commit that referenced this pull request Sep 11, 2025