From c115af6c2485ce4a7d218a5bde410a4aebda371d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?= <c@rey.foo>
Date: Tue, 17 Mar 2026 16:25:22 -0700
Subject: [PATCH 1/3] feat: deploy only affected hosts based on changed paths

Add a changes detection job using dorny/paths-filter to build a dynamic
deploy matrix. Host-specific changes (hosts/{name}/**) only deploy that
host, while shared path changes (modules, home, lib, overlays, packages,
flake files) deploy all hosts. workflow_dispatch deploys all hosts.

Also adds GitHub Environments for per-host deployment status tracking.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/deploy.yml | 77 ++++++++++++++++++++++++++++++------
 1 file changed, 65 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f27703b0..0a942682 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,25 +8,78 @@ on:
   workflow_dispatch:
 
 jobs:
-  deploy:
+  changes:
     if: >-
       github.event_name == 'workflow_dispatch' ||
       github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - uses: dorny/paths-filter@v3
+        id: filter
+        if: github.event_name != 'workflow_dispatch'
+        with:
+          filters: |
+            glyph:
+              - 'hosts/glyph/**'
+            spore:
+              - 'hosts/spore/**'
+            zeta:
+              - 'hosts/zeta/**'
+            shared:
+              - 'modules/**'
+              - 'home/**'
+              - 'lib/**'
+              - 'overlays/**'
+              - 'packages/**'
+              - 'flake.nix'
+              - 'flake.lock'
+
+      - id: set-matrix
+        run: |
+          all='[
+            {"host":"glyph","system":"x86_64-linux","runner":"ubuntu-latest"},
+            {"host":"spore","system":"x86_64-linux","runner":"ubuntu-latest"},
+            {"host":"zeta","system":"aarch64-linux","runner":"ubuntu-24.04-arm"}
+          ]'
+
+          # Deploy all hosts on workflow_dispatch or shared changes
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" || "${{ steps.filter.outputs.shared }}" == "true" ]]; then
+            echo "matrix={\"include\":$all}" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          selected="[]"
+          if [[ "${{ steps.filter.outputs.glyph }}" == "true" ]]; then
+            selected=$(echo "$selected" | jq '. + [{"host":"glyph","system":"x86_64-linux","runner":"ubuntu-latest"}]')
+          fi
+          if [[ "${{ steps.filter.outputs.spore }}" == "true" ]]; then
+            selected=$(echo "$selected" | jq '. + [{"host":"spore","system":"x86_64-linux","runner":"ubuntu-latest"}]')
+          fi
+          if [[ "${{ steps.filter.outputs.zeta }}" == "true" ]]; then
+            selected=$(echo "$selected" | jq '. + [{"host":"zeta","system":"aarch64-linux","runner":"ubuntu-24.04-arm"}]')
+          fi
+
+          # Fallback: deploy all if no specific hosts matched
+          if [[ "$selected" == "[]" ]]; then
+            echo "matrix={\"include\":$all}" >> "$GITHUB_OUTPUT"
+          else
+            echo "matrix={\"include\":$selected}" >> "$GITHUB_OUTPUT"
+          fi
+
+  deploy:
+    needs: changes
     concurrency:
       group: deploy-${{ matrix.host }}
       cancel-in-progress: false
+    environment: ${{ matrix.host }}
     strategy:
-      matrix:
-        include:
-          - host: glyph
-            system: x86_64-linux
-            runner: ubuntu-latest
-          - host: spore
-            system: x86_64-linux
-            runner: ubuntu-latest
-          - host: zeta
-            system: aarch64-linux
-            runner: ubuntu-24.04-arm
+      matrix: ${{ fromJson(needs.changes.outputs.matrix) }}
     runs-on: ${{ matrix.runner }}
     steps:
       - uses: actions/checkout@v4

From 9d5568215d3e0c9160450e173287d7e4f84cda96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?= <c@rey.foo>
Date: Tue, 17 Mar 2026 16:26:14 -0700
Subject: [PATCH 2/3] feat: add host selection input to workflow_dispatch

Adds a dropdown input to the manual dispatch trigger allowing deployment
of a specific host (glyph, spore, zeta) or all hosts. Defaults to all.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/deploy.yml | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 0a942682..c448293c 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,6 +6,17 @@ on:
     types: [completed]
     branches: [main]
   workflow_dispatch:
+    inputs:
+      hosts:
+        description: 'Hosts to deploy'
+        required: false
+        default: 'all'
+        type: choice
+        options:
+          - all
+          - glyph
+          - spore
+          - zeta
 
 jobs:
   changes:
@@ -48,8 +59,19 @@ jobs:
             {"host":"zeta","system":"aarch64-linux","runner":"ubuntu-24.04-arm"}
           ]'
 
-          # Deploy all hosts on workflow_dispatch or shared changes
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" || "${{ steps.filter.outputs.shared }}" == "true" ]]; then
+          # workflow_dispatch: use selected host or all
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            host="${{ inputs.hosts }}"
+            if [[ "$host" == "all" ]]; then
+              echo "matrix={\"include\":$all}" >> "$GITHUB_OUTPUT"
+            else
+              echo "matrix={\"include\":$(echo "$all" | jq --arg h "$host" '[.[] | select(.host == $h)]')}" >> "$GITHUB_OUTPUT"
+            fi
+            exit 0
+          fi
+
+          # Shared path changes: deploy all hosts
+          if [[ "${{ steps.filter.outputs.shared }}" == "true" ]]; then
             echo "matrix={\"include\":$all}" >> "$GITHUB_OUTPUT"
             exit 0
           fi

From 71e7f85b4272f95cb3593f179acf57416a9db743 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?= <c@rey.foo>
Date: Tue, 17 Mar 2026 16:27:24 -0700
Subject: [PATCH 3/3] docs: add CI and deployment section to README

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 README.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/README.md b/README.md
index 42d8b703..2d27cc0c 100644
--- a/README.md
+++ b/README.md
@@ -25,4 +25,27 @@ nixos-rebuild switch --flake .#spore --target-host root@spore --build-host local
 
 </details>
 
+<details>
+
+<summary>CI and deployments</summary>
+
+CI builds all host configurations on every push and PR. On pushes to `main`, the deploy workflow runs automatically after CI succeeds, deploying only the hosts affected by the change:
+
+- Changes under `hosts/{name}/` deploy only that host
+- Changes to shared paths (`modules/`, `home/`, `lib/`, `overlays/`, `packages/`, `flake.nix`, `flake.lock`) deploy all hosts
+
+Deploy all hosts manually:
+```shell
+gh workflow run Deploy
+```
+
+Deploy a specific host:
+```shell
+gh workflow run Deploy -f hosts=glyph
+gh workflow run Deploy -f hosts=spore
+gh workflow run Deploy -f hosts=zeta
+```
+
+</details>
+
 [nix-darwin-repo]: https://github.com/nix-darwin/nix-darwin