GitHub Action
Rush Delivery can be used as a GitHub Action or as a raw Dagger module. The GitHub Action is a thin adapter over the module's Dagger functions, so release and validation behavior stays identical between action usage and raw CLI usage.
Pull Request Validation
Use entrypoint: validate for PR CI. The action defaults to Git source mode,
uses the current GitHub repository and ref, writes GITHUB_TOKEN into the
deploy env file for source authentication, and forwards the pull request base
SHA from the GitHub event. Use read-only provider policies in PRs so existing
toolchain images and Rush cache can be reused without granting publish access.
name: ci-validate
on:
  pull_request:
permissions:
  contents: read
  packages: read
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: BootstrapLaboratory/rush-delivery@v0.3.4
        with:
          entrypoint: validate
          toolchain-image-provider: github
          toolchain-image-policy: pull-or-build
          rush-cache-provider: github
          rush-cache-policy: pull-or-build
pull-or-build pulls the provider artifact when it exists. If it is missing,
validation builds locally inside the current Dagger run and does not publish to
GHCR.
To validate unpushed local-copy source from a checked-out runner workspace,
override the source mode and pass repo:
steps:
  - uses: actions/checkout@v5
    with:
      fetch-depth: 0
  - uses: BootstrapLaboratory/rush-delivery@v0.3.4
    with:
      entrypoint: validate
      repo: .
      source-mode: local_copy
Release Workflow
Provider authentication stays in the caller workflow. Pass any generated files
to Rush Delivery through runtime-file-map, and pass deploy environment values
through deploy-env.
steps:
  - id: auth
    name: Authenticate to Google Cloud
    if: inputs.force_targets_json != '["webapp"]'
    uses: google-github-actions/auth@v3
    with:
      workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
      service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
  - name: Rush Delivery
    uses: BootstrapLaboratory/rush-delivery@v0.3.4
    with:
      force-targets-json: ${{ inputs.force_targets_json || '[]' }}
      deploy-tag-prefix: ${{ env.DEPLOY_TAG_PREFIX }}
      artifact-prefix: ${{ env.DEPLOY_ARTIFACT_PREFIX }}
      environment: prod
      dry-run: "false"
      toolchain-image-provider: ${{ env.TOOLCHAIN_IMAGE_PROVIDER }}
      toolchain-image-policy: ${{ env.TOOLCHAIN_IMAGE_POLICY }}
      rush-cache-provider: ${{ env.RUSH_CACHE_PROVIDER }}
      rush-cache-policy: ${{ env.RUSH_CACHE_POLICY }}
      runtime-file-map: |
        ${{ steps.auth.outputs.credentials_file_path }}=>gcp-credentials.json
      deploy-env: |
        GCP_PROJECT_ID=${{ vars.GCP_PROJECT_ID }}
        GCP_ARTIFACT_REGISTRY_REPOSITORY=${{ vars.GCP_ARTIFACT_REGISTRY_REPOSITORY }}
        CLOUD_RUN_SERVICE=${{ vars.CLOUD_RUN_SERVICE }}
        CLOUD_RUN_RUNTIME_SERVICE_ACCOUNT=${{ vars.CLOUD_RUN_RUNTIME_SERVICE_ACCOUNT }}
        CLOUD_RUN_CORS_ORIGIN=${{ vars.CLOUD_RUN_CORS_ORIGIN }}
        CLOUD_RUN_REGION=${{ env.CLOUD_RUN_REGION }}
        CLOUDFLARE_API_TOKEN=${{ secrets.CLOUDFLARE_API_TOKEN }}
        CLOUDFLARE_ACCOUNT_ID=${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
        CLOUDFLARE_PAGES_PROJECT_NAME=${{ vars.CLOUDFLARE_PAGES_PROJECT_NAME }}
        WEBAPP_VITE_GRAPHQL_HTTP=${{ vars.WEBAPP_VITE_GRAPHQL_HTTP }}
        WEBAPP_VITE_GRAPHQL_WS=${{ vars.WEBAPP_VITE_GRAPHQL_WS }}
        WEBAPP_URL=https://${{ vars.CLOUDFLARE_PAGES_PROJECT_NAME }}.pages.dev
The action appends GITHUB_ACTOR, GITHUB_REPOSITORY, GITHUB_API_URL, and
GITHUB_TOKEN to the generated deploy env file by default. Set
include-github-env: "false" if you want to provide those values yourself.
Runtime Files
runtime-file-map is a multiline list of SOURCE=>DEST entries. SOURCE is a
file path on the GitHub runner, and DEST is a safe relative path inside the
runtime files bundle passed to Dagger.
Empty SOURCE values are skipped. This supports conditional provider auth
steps where an output is intentionally blank for some target selections.
runtime-file-map: |
  ${{ steps.auth.outputs.credentials_file_path }}=>gcp-credentials.json
  ${{ steps.signing.outputs.key_path }}=>signing/key.json
Deploy target metadata can mount those files with:
runtime:
  env:
    GOOGLE_APPLICATION_CREDENTIALS: /runtime-files/gcp-credentials.json
  file_mounts:
    - source: gcp-credentials.json
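The SOURCE=>DEST rules described in this section can be checked before the action runs. The following is an added example, not Rush Delivery's own code: the function names, the concrete definition of a "safe" DEST (relative, POSIX-style, no empty, `.` or `..` segments), the one-delimiter rule and the duplicate-DEST rejection are all assumptions made for illustration.

```python
# Added example: pre-flight validation of a rendered runtime-file-map value.
# The "safe DEST" rules below are assumptions, not the project's documented checks.

# Constructed sample: the map after GitHub expression expansion. The first
# SOURCE is blank, as when a conditional auth step did not run.
SAMPLE_MAP = """\
=>gcp-credentials.json
/home/runner/work/_temp/key.json=>signing/key.json
"""


class RuntimeFileMapError(ValueError):
    """Raised when an entry is malformed or its DEST is not safe."""


def check_dest(dest: str) -> str:
    """Return dest if it is a relative POSIX path that stays inside the bundle."""
    if not dest or "\\" in dest or "\0" in dest:
        raise RuntimeFileMapError(f"unsafe DEST: {dest!r}")
    # Splitting on "/" exposes absolute paths and trailing or doubled slashes
    # as empty segments, and traversal as "." or ".." segments.
    if any(part in ("", ".", "..") for part in dest.split("/")):
        raise RuntimeFileMapError(f"unsafe DEST: {dest!r}")
    return dest


def parse_runtime_file_map(text: str) -> list[tuple[str, str]]:
    """Parse SOURCE=>DEST lines into (source, dest) pairs, failing closed."""
    entries, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.count("=>") != 1:
            raise RuntimeFileMapError(f"line {lineno}: expected one SOURCE=>DEST")
        source, dest = (field.strip() for field in line.split("=>"))
        dest = check_dest(dest)  # validated even if the entry is then skipped
        if not source:
            continue  # empty SOURCE: skipped, as the page describes
        if dest in seen:
            # Assumed policy: two sources must not target one bundle path.
            raise RuntimeFileMapError(f"line {lineno}: duplicate DEST {dest!r}")
        seen.add(dest)
        entries.append((source, dest))
    return entries


if __name__ == "__main__":
    print(parse_runtime_file_map(SAMPLE_MAP))
```

Error messages include only the DEST, never the SOURCE path, so runner-side credential locations are not echoed into job logs.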
Raw Dagger Mode
The action mode does not replace raw Dagger usage. Local runs, other CI providers, and lower-level debugging can still call the module directly:
dagger -m github.com/BootstrapLaboratory/rush-delivery@v0.3.4 call workflow \
  --git-sha="$GITHUB_SHA" \
  --source-mode=git \
  --source-repository-url="$SOURCE_REPOSITORY_URL" \
  --source-ref="$SOURCE_REF" \
  --source-auth-token-env=GITHUB_TOKEN