vellum-ai · dvargasfuertes · Feb 8, 2026 · Feb 7, 2026 · Feb 7, 2026 · Feb 8, 2026
diff --git a/.github/workflows/ci-web.yml b/.github/workflows/ci-web.yml
@@ -0,0 +1,80 @@
+name: Deploy Web
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'web/**'
+      - '.github/workflows/ci-web.yml'
+
+jobs:
+  deploy:
+    name: Build & Deploy
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    defaults:
+      run:
+        working-directory: web
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: web/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Type check
+        run: npx tsc --noEmit
+
+      - name: Build
+        run: npm run build
+        env:
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: projects/620844561845/locations/global/workloadIdentityPools/github-actions/providers/github-provider
+          service_account: github-actions@vellum-ai-prod.iam.gserviceaccount.com
+
+      - name: Setup gcloud CLI
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Configure Docker for GCR
+        run: gcloud auth configure-docker
+
+      - name: Build Docker image
+        run: |
+          docker build -t gcr.io/vellum-ai-prod/vellum-assistant:${{ github.sha }} .
+          docker tag gcr.io/vellum-ai-prod/vellum-assistant:${{ github.sha }} gcr.io/vellum-ai-prod/vellum-assistant:latest
+
+      - name: Push Docker image
+        run: |
+          docker push gcr.io/vellum-ai-prod/vellum-assistant:${{ github.sha }}
+          docker push gcr.io/vellum-ai-prod/vellum-assistant:latest
+
+      - name: Get GKE credentials
+        run: |
+          gcloud container clusters get-credentials ${{ vars.GKE_CLUSTER_NAME }} \
+            --region us-central1 \
+            --project vellum-ai-prod
+
+      - name: Deploy to Kubernetes
+        run: |
+          kubectl set image deployment/vellum-assistant \
+            web=gcr.io/vellum-ai-prod/vellum-assistant:${{ github.sha }} \
+            -n vellum-assistant
+          kubectl rollout status deployment/vellum-assistant -n vellum-assistant
diff --git a/.github/workflows/pr-platform.yml b/.github/workflows/pr-platform.yml
@@ -0,0 +1,58 @@
+name: PR Platform Checks
+
+on:
+  pull_request:
+    paths:
+      - 'platform/**'
+      - '.github/workflows/pr-platform.yml'
+
+env:
+  TF_WORKING_DIR: platform/terraform
+
+jobs:
+  terraform-plan:
+    name: Terraform Plan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+    defaults:
+      run:
+        working-directory: ${{ env.TF_WORKING_DIR }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.7.0
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: projects/620844561845/locations/global/workloadIdentityPools/github-actions/providers/github-provider
+          service_account: github-actions@vellum-ai-prod.iam.gserviceaccount.com
+
+      - name: Setup gcloud CLI
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Format Check
+        run: terraform fmt -check
+
+      - name: Terraform Validate
+        run: terraform validate
+
+      - name: Terraform Plan
+        run: terraform plan -no-color
+        env:
+          TF_VAR_project_id: vellum-ai-prod
+          TF_VAR_region: us-central1
+          TF_VAR_cluster_name: vellum-ai-prod
+          TF_VAR_database_url: ${{ secrets.DATABASE_URL }}
+          TF_VAR_anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
diff --git a/.github/workflows/pr-web.yml b/.github/workflows/pr-web.yml
@@ -0,0 +1,35 @@
+name: PR Web Checks
+
+on:
+  pull_request:
+    paths:
+      - 'web/**'
+      - '.github/workflows/pr-web.yml'
+
+jobs:
+  checks:
+    name: Lint & Type Check
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: web
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: web/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Type check
+        run: npx tsc --noEmit
diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml
@@ -14,6 +14,9 @@ jobs:
   terraform:
     name: Terraform Apply
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     defaults:
       run:
         working-directory: ${{ env.TF_WORKING_DIR }}
@@ -30,16 +33,17 @@ jobs:
       - name: Authenticate to Google Cloud
         uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_SA_KEY }}
+          workload_identity_provider: projects/620844561845/locations/global/workloadIdentityPools/github-actions/providers/github-provider
+          service_account: github-actions@vellum-ai-prod.iam.gserviceaccount.com
 
       - name: Setup gcloud CLI
         uses: google-github-actions/setup-gcloud@v2
 
       - name: Get GKE credentials
         run: |
           gcloud container clusters get-credentials ${{ vars.GKE_CLUSTER_NAME }} \
-            --region ${{ vars.GCP_REGION }} \
-            --project ${{ vars.GCP_PROJECT_ID }}
+            --region us-central1 \
+            --project vellum-ai-prod
 
       - name: Terraform Init
         run: terraform init
@@ -51,17 +55,15 @@ jobs:
         id: plan
         run: terraform plan -no-color -out=tfplan
         env:
-          TF_VAR_project_id: ${{ vars.GCP_PROJECT_ID }}
-          TF_VAR_region: ${{ vars.GCP_REGION }}
+          TF_VAR_region: us-central1
           TF_VAR_cluster_name: ${{ vars.GKE_CLUSTER_NAME }}
           TF_VAR_database_url: ${{ secrets.DATABASE_URL }}
           TF_VAR_anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 
       - name: Terraform Apply
         run: terraform apply -auto-approve tfplan
         env:
-          TF_VAR_project_id: ${{ vars.GCP_PROJECT_ID }}
-          TF_VAR_region: ${{ vars.GCP_REGION }}
+          TF_VAR_region: us-central1
           TF_VAR_cluster_name: ${{ vars.GKE_CLUSTER_NAME }}
           TF_VAR_database_url: ${{ secrets.DATABASE_URL }}
           TF_VAR_anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}