Skip to content

chore(nimbus): migrate deploy jobs from CircleCI to GHA#15180

Merged
jaredlockhart merged 1 commit intomainfrom
15179
Apr 9, 2026
Merged

chore(nimbus): migrate deploy jobs from CircleCI to GHA#15180
jaredlockhart merged 1 commit intomainfrom
15179

Conversation

@jaredlockhart
Copy link
Copy Markdown
Collaborator

@jaredlockhart jaredlockhart commented Apr 8, 2026
edited
Loading

Because

  • The deploy_experimenter, deploy_cirrus, and deploy_schemas CircleCI
    jobs need to move to GHA as part of EXP-6320
  • deploy_experimenter is already handled by experimenter-mozcloud-publish.yaml
  • Cirrus production already pulls from GAR (confirmed in webservices-infra
    Helm values), making Docker Hub pushes redundant

This commit

  • Adds deploy-cirrus.yml GHA workflow that builds and pushes to GAR only
    (drops Docker Hub)
  • Adds deploy-schemas.yml GHA workflow that publishes to PyPI and NPM
    on schema version changes
  • Removes all three deploy jobs and their workflow references from
    CircleCI config

Fixes #15179

@jaredlockhart
chore(nimbus): migrate deploy jobs from CircleCI to GHA
40ac5cc 
Because

* The deploy_experimenter, deploy_cirrus, and deploy_schemas CircleCI
  jobs need to move to GHA as part of EXP-6320
* deploy_experimenter is already handled by experimenter-mozcloud-publish.yaml
* Cirrus production already pulls from GAR, making Docker Hub pushes
  redundant

This commit

* Adds deploy-cirrus.yml GHA workflow that builds and pushes to GAR only
  (drops Docker Hub)
* Adds deploy-schemas.yml GHA workflow that publishes to PyPI and NPM
  on schema version changes
* Removes all three deploy jobs and their workflow references from
  CircleCI config

Fixes #15179
@jaredlockhart
Copy link
Copy Markdown
Collaborator Author

jaredlockhart commented Apr 8, 2026
edited
Loading

Secrets needed before merging (schemas deploy):

  • TWINE_USERNAME — PyPI username
  • TWINE_PASSWORD — PyPI password/token
  • NPM_TOKEN — NPM publish token

Cirrus GAR auth: No new secrets needed. The mozilla-it/deploy-actions/docker-push action constructs the service account as artifact-writer@{project_id}.iam.gserviceaccount.com using the shared WIF pool. CircleCI used the same shared pool (gcpv2-workload-identity context) for both experimenter and cirrus deploys, so the GHA equivalent should work the same way — just project_id: moz-fx-cirrus-prod instead of moz-fx-experimenter-prod-6cd5.

yashikakhurana
yashikakhurana approved these changes Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@yashikakhurana yashikakhurana left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets do it 🚀 , Thanks @jaredlockhart

@jaredlockhart jaredlockhart added this pull request to the merge queue Apr 9, 2026
Merged via the queue into main with commit 26f7fb5 Apr 9, 2026
15 checks passed
@jaredlockhart jaredlockhart deleted the 15179 branch April 9, 2026 16:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yashikakhurana yashikakhurana yashikakhurana approved these changes

@freshstrangemusic freshstrangemusic Awaiting requested review from freshstrangemusic freshstrangemusic is a code owner

@mikewilli mikewilli Awaiting requested review from mikewilli mikewilli is a code owner

@relud relud Awaiting requested review from relud

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Migrate all deploy jobs to GHA (Experimenter, Cirrus, Schemas)

2 participants

@jaredlockhart @yashikakhurana