Enterprise feature

Deployment Automation

Turn the manual release checklist — syncing feature flags, env vars, and component versions across environments — into a reviewable, one-click pipeline. The model is inspired by AWS CodePipeline, and nothing is hardwired to one team's setup.

A deployment pipeline has three parts: a Source (where releases are described), ordered Stages, and the Actions inside each stage that do the work. WorkspaceGPT reads the source, computes a diff, and only writes after you approve it.

SourceConfluence rosterJSON file in repoManual / noneStages → ActionsFrontendaction: Vercel — env configBackendaction: GitHub — workflow dispatchReview & applyPlan (diff)ApproveApply / open PR
🧩

Pluggable

Pick a source, then add only the deploy actions your org uses. No provider is baked in; Mars MMS is just a preset.

🛡️

Plan → Approve → Apply

Every change is previewed as a diff you approve. Backend changes open a pull request — never an auto-merge.

🔍

Discover & select

Repos, workflows, projects, and table columns are detected from your connected accounts — pick from dropdowns.

Quickstart

Get a working pipeline in a few minutes by starting from a preset.

1

Enable the feature

In the WorkspaceGPT sidebar, open Settings → Deployment and turn on the toggle.

2

Load a preset

Use the Preset dropdown and choose a ready-made pipeline (or Blank to start fresh). A preset pre-fills the source and actions — everything stays editable.

3

Connect the providers it needs

The Connections section lists only what your pipeline uses. Connect those (see Connections & permissions).

4

Run a release

Open the Releases panel (rocket icon), click Plan to preview the diff, review it, then Approve & apply.

Sources

The source answers “what are we releasing today, and what config does it want?”

Confluence roster

A wiki page with a table mapping each date to a release version (plus optional environment and pilot columns), and a per-release configuration table. WorkspaceGPT auto-detects the columns by their headers; if your headers are non-standard, open Column mapping (auto-detected) and pick them from dropdowns populated by reading the page.

Requires: Confluence connected under Settings → Confluence. The page is read with your existing Confluence auth.

JSON file (Git repo)

For teams that keep release info in version control instead of a wiki. Point the source at a repo, branch, and path; WorkspaceGPT reads it with the GitHub PAT. Expected shape:

json
{
  "releases": [
    {
      "date": "2026-06-26",
      "version": "1.2.3",
      "environment": "stage",
      "pilot": "Jane Doe",
      "config": [
        { "key": "FEATURE_NEW_CHECKOUT", "value": "true", "target": "vercel" },
        { "key": "API_URL", "values": { "stage": "...", "prod": "..." }, "target": "mach" }
      ]
    }
  ]
}

Use value for one value, or values to set per-environment values. target routes each var to an action (vercel or mach).

Manual / None

Manual — you enter the version and environment at run time. None — there's no config source; the desired state comes from the actions themselves (e.g. promoting component versions between environments). Jira source — coming soon

Actions

Each action is one deploy step, run by a provider. Add them to a stage and configure with dropdowns.

ProviderWhat it doesHow it applies
Vercel — env configPushes feature flags / env vars to a Vercel project for the target environment.Direct upsert via the Vercel API.
GitHub — workflow dispatchTriggers a CI workflow that promotes component versions between environments.Opens a PR — never auto-merged.
Repo — file patchEdits a config file in a repo (e.g. merging env vars into main.yml).Commits to the PR branch.

Backend env vars land on the sync PR

The Vercel action diffs against live state and writes immediately. The backend is different: component versions and env vars live in a Git repo behind branch protection, so the GitHub — workflow dispatch action opens a sync pull request first. The Repo — file patch action then diffs your release's backend env vars against main.yml on that PR — not the repo's default branch — and commits any add/update back to the same PR branch as one idempotent commit. A single PR ends up carrying both the component-version bumps and the env-var reconciliation.

Ordering: the file-patch step depends on the sync PR. Run the workflow-dispatch action first, wait for its PR to open, then plan the env vars. Until the PR exists, the step reports “no open sync PR” rather than diffing against the wrong branch.

Reserved for future releases (the seams exist already): blue-green switch, canary, health verify, and rollback.

Connections & permissions

The Settings page shows only the connections your pipeline actually needs.

GitHub (Personal Access Token)

1

Create a classic PAT

In GitHub → Settings → Developer settings → Personal access tokens (classic), create a token with scopes:

repo workflow

2

Authorize SSO (if your org requires it)

On the token page, click Configure SSO and authorize it for each organization that owns the repos. This is the most common cause of failures — an un-authorized token returns 404 on private repos rather than a clear error.

3

Paste it into WorkspaceGPT

In Settings → Deployment → Connections, paste the PAT. WorkspaceGPT validates reachability and shows a green check. The token is stored in encrypted secret storage — never echoed back.

Vercel

Connect via one-click OAuth. In the Vercel action you then pick the project from a dropdown and map each environment (e.g. stage → Preview, prod → Production).

Known limit: a Vercel integration token can't decrypt the values of variables it doesn't own. When that happens, WorkspaceGPT marks the current value as hidden and still classifies the change correctly (present → update, missing → add) — it just can't show the old value in the diff.

Confluence

Reused from the Confluence integration. Needed only when your source is a Confluence roster.

The Releases workflow

Open the Releases panel (rocket icon in the title bar) to run a pipeline.

Each pipeline appears as its own color-coded card Vercel, mach components, and mach main.yml env vars — each with a numbered header and a step tracker (done ✓ / in-progress ● / pending ○). The color tells you which pipeline a button belongs to, and the tracker shows at a glance which step you're on.
1

Resolve

WorkspaceGPT reads the source and shows today's release — version, environment, and pilot. (You can override the version/environment for testing.)

2

Plan

Click Plan to compute a diff against live state. Each variable is classified:

addupdatematch (no-op)conflict (needs ack)
3

Approve & apply

Review the diff and approve. The plan is recomputed server-side (the client diff is never trusted), conflicts block the apply, and only add/update changes are written.

4

Backend → pull request

Workflow-dispatch actions open a PR for human review and poll its status live — the run link and PR link appear as they become available. WorkspaceGPT never merges for you.

5

Sync backend env vars (main.yml)

Once the sync PR is open, the mach main.yml env vars step diffs your release's backend env vars against main.yml on that PR and commits any add/update to the same PR branch. Review and merge the single PR to deploy — it carries both the component-version bumps and the env-var changes.

6

Recent runs

Each apply is recorded to a local audit log and surfaced under Recent runs, with a Retry failed option.

Environments & promotion policy

Declare your environments and the policy for each.

By default, promotions never auto-merge — the safest behavior. In the Environments section you can add an environment by name and opt it into auto-merge individually. Each stage also has a gate (manual by default), so a release pauses for approval between stages.

Tip: leave environments empty unless you specifically want auto-merge for one of them. An empty list means every promotion waits for a human.

AI-assisted page reading

Optional resilience for when a wiki page's structure changes.

A renamed column or reordered table can break a strict parser. Toggle AI-assisted page reading on the Confluence source, and if the normal parse fails, WorkspaceGPT uses your configured chat model (Settings → Model) to read the page.

AI proposes, you approve. The model's output is validated (version looks real, targets known) and shown in the plan diff with its provenance — nothing is applied without your approval. It changes how a page is read, never how a change is decided or written.

Security model

Write access is treated with care.

  • Write-scoped credentials (GitHub PAT, Vercel token) live only in VS Code's encrypted secret storage.
  • They are never written to plaintext settings and never logged.
  • They are excluded from the Chrome share bundle — sharing your setup never shares your write creds.
  • Nothing is applied without an explicit in-app approval; backend changes go through a pull request under branch protection.
  • The apply re-computes the plan server-side and blocks on unresolved conflicts — the client's diff is never trusted.

Troubleshooting

Issues specific to deployment automation.

“No release scheduled for today”
The source has no entry whose date matches today. Check the roster/file date format, or use the override version field in the Releases view to test a specific version.
GitHub returns 404 on a private repo
Your PAT almost certainly isn't SSO-authorized for that organization. Open the token's Configure SSO and authorize it for the org that owns the repo. A valid-but-unauthorized token returns 404, not 403.
Vercel diff shows “(value hidden)”
Integration tokens can't decrypt values they don't own. The change is still classified correctly (update vs add); only the old value is hidden. This is a Vercel platform limit, not a bug.
Roster columns not detected
Open Column mapping (auto-detected) under the Confluence source, click Detect columns, and pick the right header for each field. If the page structure changed, enable AI-assisted page reading.
Dropdowns are empty (repos/workflows)
Make sure the GitHub PAT is saved and reaches the org. Use the ↻ Re-detect button in the action's Repo topology section after connecting.
Backend run never appears after trigger
workflow_dispatch is asynchronous — the run takes a few seconds to register. WorkspaceGPT polls automatically; use the ↻ Recheck button if needed.
main.yml env-var plan says “No open sync PR”
The backend env-var step diffs against the open sync PR, which the GitHub workflow-dispatch (mach sync) action creates. Trigger mach sync first, wait for the PR to open, then plan the main.yml env vars.

FAQ

Quick answers to common questions.

Do I have to use Confluence?
No. Pick the JSON file source to keep releases in a repo, or Manual to enter the version at run time. Confluence is one source among several.
Do I need the GitHub workflow (mach) action?
No. It's just one action provider. A frontend-only team might use only the Vercel action; remove what you don't need.
Will it merge or deploy without me?
Never. Frontend config is written only after you approve; backend changes open a pull request you merge yourself.
Can other teams reuse this?
Yes — that's the point. Start from Blank, pick your source, add your actions, connect your accounts. Mars MMS is just a preset, not the only shape.
Where are my tokens stored?
In VS Code's encrypted secret storage only. They're never in settings, never logged, and never shared via the Chrome bundle.