Skip to main content

CI integration

Pagifier has no CLI by design — CI integration is one authenticated HTTP call, and the platform ships reusable steps so pipelines stay one line.

GitHub Actions

Use the composite action published by your platform team (source: examples/ci/github-action in the Pagifier repository):

- uses: company/pagifier-deploy@v1
with:
config: frontend/pagifier.toml
environment: prod
token: ${{ secrets.PAGIFIER_TOKEN }}

The action validates the configuration first (fast failure with readable errors annotated on the PR), zips the workspace, uploads with ?wait=true, streams build/deploy progress into the job log, fails the job with the build log inline on error, and exports the deployed URL as an output.

Jenkins

The shared-library step (examples/ci/jenkins) has the same flow:

pagifierDeploy(
config: 'frontend/pagifier.toml',
environment: 'prod',
credentialsId: 'pagifier-token',
)

Any other CI

Three commands work everywhere:

# 1. Validate (fail the PR early)
curl --fail-with-body -sS -H "Authorization: Bearer $PAGIFIER_TOKEN" \
--data-binary @pagifier.toml "$PAGIFIER_URL/v1/validate"

# 2. Package
zip -qr app.zip . -x '.git/*' -x 'node_modules/*'

# 3. Deploy and wait
curl --fail-with-body -sS -N -H "Authorization: Bearer $PAGIFIER_TOKEN" \
-F config=@pagifier.toml -F archive=@app.zip \
"$PAGIFIER_URL/v1/applications/$APP/environments/$ENV/deployments?wait=true"

The ?wait=true stream is newline-delimited JSON. The final line carries done: true plus success, the app url, and — on build failure — the tail of the build log, so your pipeline needs no polling loop and no kubectl access to debug a red deploy.

Building in CI instead of in-cluster

If your pipeline already builds the artifact, skip the in-cluster build:

build: false
artifact: dist

Zip the built output and upload as usual. Pagifier still packages it into a content-addressed OCI image, verifies its digest, and (when configured) signs it.

Signed artifacts

Tenants with a signing policy sign the archive in CI and pass the signature:

cosign sign-blob --key cosign.key app.zip > app.sig
curl ... -F signature=@app.sig ...

Unsigned uploads are rejected with 403 signature_required when the policy demands it. See supply-chain security.