gh-deploy-pipeline
Deploy Pipeline
Push-to-main, lane-aware, artifact-driven. Detect what changed, build it once, run e2e against the built artifact, then promote that same artifact through a GitHub Environment. Deployment specifics belong in the target platform or infrastructure repo; this skill owns the workflow contract, trust boundaries, and verification loop.
Pipeline Shape
push to main
-> detect-changes (paths-filter or graph-aware affected detection)
-> verify-<lane> (lint + typecheck + test + build -> upload artifact)
-> e2e-<lane> (download artifact, run e2e against it)
-> deploy-<env>-<lane> (environment-scoped credentials + OIDC -> promote artifact)
-> smoke-<env>-<lane> (read-only job, no deploy credentials -> hit deployed URL)
Each lane is independent: a web-only change builds and deploys only web, leaving api untouched. Verify and e2e jobs may cancel superseded runs; deploy jobs use a non-cancellable concurrency group per (environment, lane) so two pushes never race the same target.
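One way the shape above maps onto a single push-to-main workflow for the web lane, written here as an added example and not this skill's own file: the job names, the `apps/web/**` filter, the npm scripts, the Playwright runner, `./infra/deploy.sh` and the smoke URL are assumptions, and the cloud-specific OIDC login step that `deploy.sh` would rely on is left out.

```yaml
name: deploy-pipeline
on: { push: { branches: [main] } }
permissions: { contents: read }  # baseline for every job; deploy adds id-token only
jobs:
  detect-changes:
    runs-on: ubuntu-latest
    outputs: { web: "${{ steps.filter.outputs.web }}" }
    steps:
      - uses: actions/checkout@v4
      - id: filter
        uses: dorny/paths-filter@v3
        with: { filters: "web: ['apps/web/**']" }  # assumed lane path
  verify-web:
    needs: detect-changes
    if: needs.detect-changes.outputs.web == 'true'  # lane gate: skip when web is untouched
    runs-on: ubuntu-latest
    concurrency:
      group: "verify-web-${{ github.ref }}"
      cancel-in-progress: true  # a newer push supersedes this verify run
    steps:
      - uses: actions/checkout@v4
      - run: cd apps/web && npm ci && npm run lint && npm test && npm run build  # assumed scripts
      - uses: actions/upload-artifact@v4
        with: { name: "web-${{ github.sha }}", path: apps/web/dist }  # keyed to the commit
  e2e-web:
    needs: verify-web
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with: { name: "web-${{ github.sha }}", path: dist }
      - run: npx playwright test  # assumed e2e runner, pointed at ./dist, not a rebuild
  deploy-production-web:
    needs: e2e-web
    runs-on: ubuntu-latest
    environment: production  # environment-scoped secrets, reviewers, branch rules
    concurrency:
      group: deploy-production-web  # one in-flight deploy per (environment, lane)
      cancel-in-progress: false     # never cancel a deploy mid-promotion
    permissions: { id-token: write, contents: read }  # OIDC to the cloud, no stored keys
    steps:
      - uses: actions/download-artifact@v4
        with: { name: "web-${{ github.sha }}", path: dist }  # the same artifact e2e ran
      - run: ./infra/deploy.sh dist  # hypothetical promote step owned by the infra repo
  smoke-production-web:
    needs: deploy-production-web
    runs-on: ubuntu-latest
    permissions: {}  # read-only job: no GITHUB_TOKEN scopes, no deploy credentials
    steps:
      - run: curl --fail --silent --show-error https://web.example.com/healthz  # assumed URL
```

An api lane is the same four jobs again with its own filter, artifact name and `deploy-production-api` concurrency group, so the two lanes never share a deploy lock.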
A separate deploy.yml (workflow_dispatch) may re-deploy an existing artifact or image for a validated ref, environment, and lane. It reuses the same environment, concurrency group, and provenance checks; it does not rebuild arbitrary input code.