CI/CD: Deploy Changed Workflows on PR Merge (PROD)

An event-driven deployment system that automatically deploys n8n workflow changes to production when pull requests are merged to the main branch. This workflow provides fast-path deployment by processing only the specific workflow files that changed in each PR, rather than scanning all workflows.

Purpose

No business context provided yet — add a context.md to enrich this documentation.

This workflow serves as the primary CI/CD automation for n8n workflow deployments in a production environment. It eliminates manual deployment steps by automatically detecting workflow changes in GitHub pull requests and deploying them to the live n8n instance. The system ensures that development teams can ship workflow updates quickly while maintaining deployment consistency and tracking.

How It Works

1. GitHub webhook triggers when a pull request event occurs in the experienceeducate/educate-sifa repository
2. Event filtering checks if the PR was actually merged to the main branch (ignores other PR actions)
3. Changed file detection queries the GitHub API to get the list of files modified in the merged PR
4. Workflow file filtering identifies only .json files in the workflows/ directory that weren't deleted
5. Environment setup loads production configuration including n8n API credentials and repository settings
6. Live workflow inventory fetches the current list of workflows from the production n8n instance
7. Deployment planning creates a deployment plan for each changed workflow file
8. Sequential processing handles each workflow file one at a time to avoid conflicts
9. Content retrieval downloads the workflow JSON from GitHub at the merge commit
10. Workflow analysis parses the JSON and determines if it's a new workflow or an update to existing one
11. Deployment routing sends new workflows to first-deploy process, existing workflows to redeploy process
12. Sub-workflow execution calls specialized deployment workflows for the actual n8n API operations
13. Summary generation aggregates deployment results and counts for monitoring

Workflow Diagram

graph TD
    A[GitHub Trigger] --> B[Is Merge to main?]
    B -->|Yes| C[Extract PR Context]
    B -->|No| D[No Op - not a merge]
    C --> E[GET PR Changed Files]
    E --> F[Keep workflow files only]
    F --> G[Globals PROD]
    G --> H[List Live n8n Workflows]
    H --> I[Build Plan - one per changed file]
    I --> J[OneAtATime Loop]
    J --> K[GitHub File:Get]
    K --> L[Decode + Decide]
    L --> M[Route]
    M -->|redeploy| N[Call: Redeploy Ritual]
    M -->|first_deploy| O[Call: First Deploy]
    M -->|blocked| P[NoOp blocked]
    N --> Q[Loop Back]
    O --> Q
    P --> Q
    Q --> R[Aggregate Summary]

Trigger

GitHub Webhook: Listens for pull_request events from the experienceeducate/educate-sifa repository. The workflow only processes events where: - Action is "closed" - Pull request was actually merged (not just closed) - Target branch is "main"

The webhook uses ID a564f4a7-4cee-4233-b413-607162fecdb3 and requires the "Francis Educate Fine Grained Tokens" GitHub credential.

Nodes Used

Node Type	Purpose
GitHub Trigger	Receives webhook events from GitHub when PRs are opened/closed/merged
If/Filter	Filters events to only process merged PRs to main branch
Code	Extracts PR context, builds deployment plans, compares workflows
HTTP Request	Calls GitHub API for PR file lists and n8n API for workflow management
GitHub	Downloads workflow files from the repository
Set	Defines global configuration variables for the production environment
Switch	Routes workflows based on deployment type (new vs update vs blocked)
Execute Workflow	Calls sub-workflows for actual deployment operations
Split in Batches	Processes workflow files sequentially to avoid conflicts
No Operation	Handles skipped or blocked workflows

External Services & Credentials Required

GitHub API: - Credential: "Francis Educate Fine Grained Tokens" (Fine-grained personal access token) - Permissions: Read access to repository contents, pull requests, and webhook events - Repository: experienceeducate/educate-sifa

n8n Production API: - API Key: JWT token for production n8n instance - Base URL: https://n8n.dev.educate-agent.com - Permissions: Full workflow management (create, read, update)

Environment Variables

The workflow uses hardcoded production configuration in the "Globals (PROD)" node:

• env_name: "prod"
• env_url: "https://n8n.dev.educate-agent.com"
• api_key: JWT token for n8n API access
• repo_owner: "experienceeducate"
• repo_name: "educate-sifa"
• repo_branch: "main"
• path_prefix: "workflows/"
• credential_lookup: JSON mapping of credential names to IDs
• allowlist: ["*"] (deploy all workflows by default)

Data Flow

Input: GitHub webhook payload containing pull request event data

Processing: - Extracts PR metadata (number, title, merge commit, changed files) - Filters for workflow JSON files in the workflows/ directory - Downloads each changed workflow file from GitHub - Compares with existing workflows in production n8n - Routes to appropriate deployment sub-workflow

Output: - Deployment summary with counts of workflows processed - Individual workflow deployment results from sub-workflows - PR context preserved throughout for tracking

Error Handling

• GitHub API failures: HTTP requests have retry logic (2-3 attempts with delays)
• Workflow parsing errors: Invalid JSON files are routed to "blocked" status
• Sub-workflow failures: Execute Workflow nodes use "continueRegularOutput" to prevent cascade failures
• Missing workflows: Gracefully handles cases where live workflows don't exist yet
• Network timeouts: 30-second timeouts on all HTTP requests with retry mechanisms

Known Limitations

• Processes maximum 100 changed files per PR (GitHub API pagination limit)
• Sequential processing may be slow for PRs with many workflow changes
• No rollback mechanism if deployment fails partway through
• Hardcoded production configuration requires workflow updates to change environments
• Allowlist functionality exists but is disabled (always deploys all workflows)

Related Workflows

• CICD-Redeploy-Ritual (ID: S1BQfSMseWbNcBna): Handles updates to existing workflows
• CICD-First-Deploy (ID: LI84TqALXx3VYLs3): Handles deployment of new workflows
• CICD-Sync-Deploy: Hourly full-scan fallback that catches anything missed by PR-Deploy

Setup Instructions

1. Import the workflow into your n8n instance
2. Configure GitHub webhook:
   • Set up webhook in your GitHub repository settings
   • Point to your n8n instance webhook URL
   • Select "pull_request" events
   • Use the webhook ID from the GitHub Trigger node
3. Set up credentials:
   • Create "Francis Educate Fine Grained Tokens" GitHub credential with repository access
   • Ensure n8n API key in Globals node has workflow management permissions
4. Update configuration:
   • Modify the "Globals (PROD)" node with your environment details
   • Update repository owner/name if different
   • Adjust n8n instance URL and API key
5. Deploy sub-workflows:
   • Ensure CICD-Redeploy-Ritual and CICD-First-Deploy workflows exist
   • Update Execute Workflow node IDs if they differ
6. Activate the workflow to enable webhook processing
7. Test with a sample PR containing workflow changes to verify deployment