Hive Hive
Sign in

feat(infra): notify Slack when previews finish deploying

GitHub issue · Closed

Metadata
Source
tuist/tuist #11440
Updated
Jun 24, 2026
Domains
Atlas
Details

What changed

This wires the Slack-requested preview flow all the way through to a final Slack update.

  • Exposes github_actions_token from the TUIST_OPS_BOT 1Password item as GITHUB_ACTIONS_TOKEN in the tuist-ops runtime secret.
  • Adds a preview_id input and stable run name to preview-deploy.yml, so tuist-ops can find the workflow run it just dispatched.
  • Stores workflow run metadata on preview rows and adds a preview_monitor Oban queue with a worker that polls GitHub Actions.
  • Updates the original Slack preview card when deployment succeeds, including the live preview link and the GitHub Actions run link. Failed workflow runs update the card with the failure state.
  • Covers the dispatch, run lookup, monitor worker, and preview enqueue path with focused tests.

Why

The /preview Slack form was reaching tuist-ops, but the GitHub workflow dispatch failed with 401 Bad credentials. Even after fixing that token path, the Slack message would still stay in the provisioning state because GitHub workflow dispatch does not hand back a run identifier.

Root cause

tuist-ops already read GITHUB_ACTIONS_TOKEN, but the Helm chart did not project any 1Password field into that environment variable. The app also had no durable way to connect a Slack preview request to the asynchronously created GitHub Actions run.

Approach

The GitHub token stays with tuist-ops, and Slack credentials stay out of GitHub Actions. tuist-ops tags each dispatched workflow with the preview row id, then a background worker polls the workflow run list by that stable run name and updates the existing Slack card when the run completes.

This keeps the completion notification close to the original Slack request and avoids introducing another Slack secret into the GitHub repository environment.

Impact

After this deploy, the github_actions_token field you added to TUIST_OPS_BOT will be synced into the running pod, so /preview can dispatch preview-deploy.yml. Slack-requested previews will then move from requested to deployed or failed in the same Slack card.

The database migration adds nullable workflow metadata columns to the internal previews table only.

Validation

  • helm template tuist-ops infra/helm/tuist-ops --set image.tag=test
  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/preview-deploy.yml"); puts "workflow yaml ok"'
  • mix test test/previews_test.exs test/previews/github_actions_client_test.exs test/previews/workers/monitor_workflow_worker_test.exs test/tuist_ops_web/controllers/slack_controller_test.exs test/previews/slack_blocks_test.exs
  • mix test
  • git diff --check
Comments

No GitHub comments yet.