fix: deploy only once per main push

[ryota-murakami]

Summary

• remove the pull_request: closed deploy trigger so production deploys run only from main pushes
• serialize production deploy workflow runs with GitHub Actions concurrency
• include run id and attempt in the remote staging directory name

Root Cause

Every merged PR was starting two production deploy workflows at the same time: one for pull_request on the branch head and one for push on the merge commit. Those runs touched the same production deployment directory, rollback directory, and sha-based staging path concurrently, causing the vanished files, non-empty directory cleanup failures, and tar extraction races seen in recent deploy attempts.

Validation

• actionlint .github/workflows/deploy.yml
• git diff --check
• pnpm validate

Summary by CodeRabbit

• Chores
  • Enhanced deployment workflow configuration to improve production environment reliability and deployment consistency.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4152ed8b-38af-4af8-b745-ab3c328bc647

📥 Commits

Reviewing files that changed from the base of the PR and between 3afc10d and 2c306c3.

📒 Files selected for processing (1)

• .github/workflows/deploy.yml

---

📝 Walkthrough

Walkthrough

The deployment workflow is updated to improve execution control and artifact staging stability. Pull request triggers are removed in favor of push-only automation; production deployments are serialized by ref without cancellation. The build job filtering logic now explicitly checks actor identity and commit message for dependabot exclusion. Staging directory paths now include workflow run identifiers for uniqueness per execution.

Changes

Deployment Workflow Configuration

Layer / File(s)	Summary
Workflow execution control .github/workflows/deploy.yml	Removed pull_request trigger; added production concurrency serialization by deploy-production-${{ github.ref }} without cancellation; updated build job condition to filter dependabot via actor check and commit message pattern.
Staging directory path uniqueness .github/workflows/deploy.yml	staging_dir path expanded to include github.run_id and github.run_attempt alongside github.sha for improved per-execution uniqueness.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• laststance/nsx#3769: Updates deployment artifact/path naming to scope by run_id/run_attempt instead of sha-only paths, directly overlapping with the staging directory changes.
• laststance/nsx#3776: Refactors staging directory reset/cleanup logic to safely recreate the directory, complementing the updated staging path handling.

Poem

🐰 A workflow refined with careful thought,
No pull requests now—pure push is sought!
Staging paths bloomed with run_id grace,
Concurrency tamed in its rightful place.
Dependabot filtered, artifacts shine bright! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly addresses the main objective: preventing duplicate deploy runs on main branch pushes by removing pull_request triggers and adding concurrency controls.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/deploy-single-main-run

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}