Deploy Admin
Caution
Deployment mistakes are irreversible. Pushed tags, published releases, triggered workflows — none undo cleanly. deploy-admin classifies every operation by safety level and requires explicit confirmation before touching anything at SERVICE, DELETE, or PRIVILEGE tier.
Tip
Run /brewtools:deploy setup first. The skill writes CLAUDE.local.md with your GitHub config, workflow inventory, and server targets. The agent reads that file automatically on every task start.
Quick reference
| Field | Value |
|---|---|
| Agent name | deploy-admin |
| Model | opus |
| Tools | Read, Write, Edit, Bash, Glob, Grep, AskUserQuestion, WebFetch, WebSearch |
| Triggers | “deploy”, “github actions”, “workflow”, “release”, “ci cd”, “version bump”, “publish” |
| Safety gate | Confirms before MODIFY / SERVICE / DELETE / PRIVILEGE operations |
When to use
- Release a new version — bump semver, generate changelog, commit, tag, push, verify CI green
- Create or update a workflow — write workflow YAML, add matrix, configure caching, set up GHCR push
- Monitor CI — check why a run failed, fetch step logs, rerun failed jobs
- Publish a draft release — review notes, attach assets, flip draft to published
- Deploy to VPS — dispatch workflow, watch run live, SSH health-check the server after deploy
- Manage secrets — list names (never values), set from file, clean up stale entries
Examples
# Release a new version with full pipeline
"Release v3.6.0 with changelog from recent commits"
# Investigate a failed run
"Check why the last docs workflow failed and suggest a fix"
# Trigger a deploy and verify it landed
"Trigger deploy-docs workflow and verify health on the VPS"
Flow
- Read context
  Reads CLAUDE.local.md for GitHub config, workflow inventory, server targets, and secret names. Verifies gh auth status — wrong user stops everything before touching any resource.
- Classify operations
  Every planned command is assigned a safety level: READ (free), CREATE (free), MODIFY (confirm), SERVICE (confirm), DELETE (always confirm), PRIVILEGE (always confirm). Compound pipelines inherit the highest level of any constituent command.
- Confirm before mutating
  MODIFY and above: describes exactly what will happen, then calls AskUserQuestion. No mutation runs without an affirmative answer. Emergency stop fires immediately if the wrong repo, branch, or secret exposure is detected.
- Execute operations
  Runs gh CLI commands in order — workflow dispatch, release create, secret set, git push --tags, Docker build + push to GHCR. Each command result is captured for the final report.
- Verify
  Checks CI run status (gh run list -L 3), release state, and deployment health via SSH. For plugin releases, also verifies the plugin cache updated correctly.
- Report
  Outputs a structured table: repository, task, operations executed, highest safety level reached, and per-check verification results. No silent failures.
Internals — safety levels and release pipeline
Safety classification
| Level | Gate | Examples |
|---|---|---|
| READ | free | gh run list/view, gh workflow list, gh release view, gh secret list |
| CREATE | free | Create workflow YAML, gh release create --draft |
| MODIFY | confirm | Edit workflow, gh secret set, git commit, git tag |
| SERVICE | confirm | gh workflow run, gh run rerun, git push, git push --tags |
| DELETE | always confirm | gh release delete, gh run cancel, remove workflow file |
| PRIVILEGE | always confirm | gh secret delete, branch protection changes, gh workflow disable |
Pipelines (cmd1 | cmd2) and curl | bash patterns inherit PRIVILEGE regardless of base level.
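A sketch of how the classification above could be implemented, as an added example rather than deploy-admin's own code: prefixes come from the safety table, compound commands take the highest level, and pipes go straight to PRIVILEGE. The function names are hypothetical, and treating unlisted commands, redirects, subshells and backticks as PRIVILEGE is an assumption made here so the gate fails closed.

```python
import shlex
from enum import IntEnum

Level = IntEnum("Level", "READ CREATE MODIFY SERVICE DELETE PRIVILEGE", start=0)

# Command prefixes transcribed from the page's safety table.
TABLE = {
    Level.READ: ["gh run list", "gh run view", "gh workflow list",
                 "gh release view", "gh secret list"],
    Level.CREATE: ["gh release create"],  # only with --draft, checked below
    Level.MODIFY: ["gh secret set", "git commit", "git tag"],
    Level.SERVICE: ["gh workflow run", "gh run rerun", "git push"],
    Level.DELETE: ["gh release delete", "gh run cancel"],
    Level.PRIVILEGE: ["gh secret delete", "gh workflow disable"],
}
RULES = {tuple(p.split()): lvl for lvl, ps in TABLE.items() for p in ps}
SEPARATORS = {"&&", "||", ";"}
OPERATOR_CHARS = set("();<>|&")

def classify_simple(argv):
    """Level for one command; anything not in the table fails closed (assumption)."""
    for prefix, level in RULES.items():
        if tuple(argv[:len(prefix)]) == prefix:
            # The table lists only the --draft form of release create as CREATE.
            if prefix == ("gh", "release", "create") and "--draft" not in argv:
                break
            return level
    return Level.PRIVILEGE

def classify(command):
    """Highest level across a compound command line."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    tokens = list(lex)
    # Pipes (per the page) plus redirects, subshells, backticks (assumption).
    if "`" in command or any(
            t and set(t) <= OPERATOR_CHARS and t not in SEPARATORS for t in tokens):
        return Level.PRIVILEGE
    level, current = Level.READ, []
    for tok in tokens + [";"]:  # trailing separator flushes the last command
        if tok in SEPARATORS:
            if current:
                level = max(level, classify_simple(current))
            current = []
        else:
            current.append(tok)
    return level

def needs_confirmation(level):
    """MODIFY and above are gated behind an explicit confirmation."""
    return level >= Level.MODIFY
```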
Release pipeline steps
| Step | Command | Level |
|---|---|---|
| 1. Bump version | bash .claude/scripts/bump-version.sh X.Y.Z | MODIFY |
| 2. Changelog | git log --oneline vPREV..HEAD → update RELEASE-NOTES.md | MODIFY |
| 3. Commit | git commit -m "vX.Y.Z: summary" | MODIFY |
| 4. Tag | git tag vX.Y.Z | MODIFY |
| 5. Push | git push && git push --tags | SERVICE |
| 6. Update plugins | bash .claude/scripts/update-plugin.sh | SERVICE |
| 7. Verify CI | gh run list -L 3 | READ |
| 8. Verify cache | grep '"matcher"' ~/.claude/plugins/cache/.../hooks.json | READ |
RELEASE-NOTES.md format
## vX.Y.Z (YYYY-MM-DD)
> Docs: [page](https://doc-claude.brewcode.app/plugin/path/) | [page2](...)
### brewcode
#### Fixed / Changed / Added
- **category:** description
The > Docs: line must list pages for every affected skill, agent, or hook. URL pattern: https://doc-claude.brewcode.app/{plugin}/{skills|agents}/{name}/
Docker / GHCR
# Build for linux/amd64 and push
docker build --platform linux/amd64 -t ghcr.io/OWNER/IMAGE:TAG .
docker push ghcr.io/OWNER/IMAGE:TAG
# Multi-tag (version + latest)
docker build -t ghcr.io/OWNER/IMAGE:TAG -t ghcr.io/OWNER/IMAGE:latest .
docker push ghcr.io/OWNER/IMAGE:TAG
docker push ghcr.io/OWNER/IMAGE:latest
SSH deploy
# Health check
ssh -o ConnectTimeout=10 USER@HOST 'uptime && df -h && docker ps'
# Pull and restart
ssh USER@HOST 'cd /opt/app && docker compose pull && docker compose up -d'
Deploy skill
The skill that configures GitHub integration and writes CLAUDE.local.md for this agent to read.
ssh-admin agent
Companion agent for VPS management — SSH connections, server config, and Docker operations on remote hosts.
GitHub source
Agent definition with full safety rules and workflow templates.
Brewtools overview
All brewtools skills and agents in one place.
Updating plugins
/brewtools:plugin-update to check and update the brewcode plugin suite in one command.
See the FAQ for details.