AztecProtocol · PhilWindle · Jun 9, 2026 · Jun 9, 2026
@@ -250,6 +250,7 @@ jobs:
           DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
           DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
           SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+          INTERNAL_DOCKER_REGISTRY: ${{ secrets.INTERNAL_DOCKER_REGISTRY }}
           CI3_INSTANCE_PROFILE_NAME: ${{ secrets.CI3_INSTANCE_PROFILE_NAME }}
           CI3_SECURITY_GROUP_ID: ${{ secrets.CI3_SECURITY_GROUP_ID }}
           RUN_ID: ${{ github.run_id }}
@@ -265,7 +266,16 @@ jobs:
             tag="${tag#v}"
             major_version=$(./ci3/semver major "$tag")
             namespace="v${major_version}-scenario"
-            docker_image="aztecprotocol/aztec:${tag}"
+            case "$GITHUB_REPOSITORY" in
+              AztecProtocol/aztec-packages-private)
+                image_registry="${INTERNAL_DOCKER_REGISTRY%/}"
+                echo "::add-mask::${image_registry}"
+                ;;
+              *)
+                image_registry="aztecprotocol"
+                ;;
+            esac
+            docker_image="${image_registry}/aztec:${tag}"
           else
             # branch name
             namespace=pr-$(echo "$HEAD_REF" | sed 's/[^a-z0-9-]/-/g' | cut -c1-20 | sed 's/-*$//')

@@ -47,11 +47,11 @@ on:
         description: "Source tag that triggered this deploy"
         required: false
         type: string
-      notify_on_failure:
-        description: "Whether this workflow should send its own failure notification"
+      skip_notify_on_failure:
+        description: "Whether this workflow should skip its own failure notification"
         required: false
         type: boolean
-        default: true
+        default: false
   workflow_dispatch:
     inputs:
       network:
@@ -60,7 +60,8 @@ on:
         type: choice
         options:
           - next-net
-          - staging
+          - staging-public
+          - staging-internal
           - testnet
           - mainnet
       semver:
@@ -97,11 +98,6 @@ on:
         description: "Source tag that triggered this deploy"
         required: false
         type: string
-      notify_on_failure:
-        description: "Whether this workflow should send its own failure notification"
-        required: false
-        type: boolean
-        default: true
 
 concurrency:
   group: deploy-network-${{ inputs.network }}-${{ inputs.namespace || inputs.network }}-${{ inputs.aztec_docker_image || inputs.semver }}-${{ github.ref || github.ref_name }}
@@ -254,8 +250,6 @@ jobs:
           VALIDATOR_HA_DOCKER_IMAGE: ${{ inputs.ha_docker_image || '' }}
         run: |
           echo "Deploying network: ${{ inputs.network }}"
-          echo "Using image: $AZTEC_DOCKER_IMAGE"
-          echo "Using prover image: $PROVER_AGENT_DOCKER_IMAGE"
           echo "Using branch/ref: ${{ steps.checkout-ref.outputs.ref }}"
 
           cd spartan
@@ -280,15 +274,14 @@ jobs:
             echo "| Item | Value |"
             echo "|------|-------|"
             echo "| Network | \`${{ inputs.network }}\` |"
-            echo "| Docker Image | \`${{ env.AZTEC_DOCKER_IMAGE }}\` |"
             echo "| Ref | \`${{ steps.checkout-ref.outputs.ref }}\` |"
             if [[ -n "${{ inputs.source_tag }}" ]]; then
               echo "| Source Tag | [\`${{ inputs.source_tag }}\`](https://github.com/${{ github.repository }}/releases/tag/${{ inputs.source_tag }}) |"
             fi
           } >> "$GITHUB_STEP_SUMMARY"
 
       - name: Notify Slack and dispatch ClaudeBox on failure
-        if: failure() && inputs.notify_on_failure
+        if: failure() && !inputs.skip_notify_on_failure
         env:
           SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
           GH_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
@@ -300,7 +293,7 @@ jobs:
 
           CHANNEL="#alerts-${{ inputs.network }}"
           RUN_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-          TEXT="Deploy Network workflow FAILED for *${{ inputs.network }}* (image ${{ env.AZTEC_DOCKER_IMAGE }}): <${RUN_URL}|View Run> (🤖)"
+          TEXT="Deploy Network workflow FAILED for *${{ inputs.network }}*: <${RUN_URL}|View Run> (🤖)"
 
           # Post to Slack and capture timestamp for permalink
           RESP=$(curl -sS -X POST https://slack.com/api/chat.postMessage \
@@ -318,11 +311,10 @@ jobs:
           fi
 
           # Dispatch ClaudeBox to investigate the failure
-          PROMPT="Deployment of ${{ inputs.network }} (image ${{ env.AZTEC_DOCKER_IMAGE }}) failed. \
+          PROMPT="Deployment of ${{ inputs.network }} failed. \
           Follow .claude/claudebox/deploy-investigation.md to investigate. \
           GitHub Actions run: ${RUN_URL}. \
           Network: ${{ inputs.network }}. \
-          Docker image: ${{ env.AZTEC_DOCKER_IMAGE }}. \
           Git ref: ${{ steps.checkout-ref.outputs.ref }}. \
           Namespace: ${{ inputs.namespace || inputs.network }}. \
           Deploy contracts: ${{ inputs.deploy_contracts }}."

@@ -1,6 +1,6 @@
 # Deploy next-net environment
 # This workflow deploys the next-net environment with a specified version
-# Runs nightly with the latest nightly tag, or can be manually triggered with any image
+# Runs from the private repo's next branch with the latest nightly tag, or a manually supplied tag
 name: Deploy Next Net
 
 on:
@@ -10,7 +10,7 @@ on:
   workflow_dispatch:
     inputs:
       image_tag:
-        description: "Docker image tag (e.g., 2.3.4, 3.0.0-nightly.20251004-amd64, or leave empty for latest nightly)"
+        description: "Docker image tag/semver (e.g., 6.0.0-nightly.20260609, or leave empty for latest nightly)"
         required: false
         type: string
       deploy_contracts:
@@ -25,57 +25,42 @@ concurrency:
 
 jobs:
   get-image-tag:
-    if: ${{ github.event_name != 'schedule' || github.repository == 'AztecProtocol/aztec-packages' }}
+    if: ${{ github.repository == 'AztecProtocol/aztec-packages-private' }}
     runs-on: ubuntu-latest
     outputs:
-      tag: ${{ steps.determine_tag.outputs.TAG }}
       semver: ${{ steps.determine_tag.outputs.SEMVER }}
 
     steps:
       - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        with:
+          ref: next
 
       - name: Determine image tag
         id: determine_tag
         run: |
           if [[ -n "${{ inputs.image_tag }}" ]]; then
-            # Manual trigger with specified tag
-            TAG="${{ inputs.image_tag }}"
-            echo "Using manually specified tag: $TAG"
-
-            # Extract semver (remove -amd64 suffix if present)
-            SEMVER=$(echo "$TAG" | sed 's/-amd64$//')
+            SEMVER="${{ inputs.image_tag }}"
+            SEMVER="${SEMVER#v}"
+            SEMVER="${SEMVER%-amd64}"
+            echo "Using manually specified tag: $SEMVER"
           else
-            # Scheduled nightly run - get latest nightly tag
             current_version=$(jq -r '."."' .release-please-manifest.json)
             echo "Current version: $current_version"
 
-            # Format the tag as: <current_version>-nightly.<YYYYMMDD>-amd64
-            nightly_semver="${current_version}-nightly.$(date -u +%Y%m%d)"
-            nightly_tag="${nightly_semver}-amd64"
-
-            # Check if the tag exists on docker hub
-            TAGS=$(curl -s https://registry.hub.docker.com/v2/repositories/aztecprotocol/aztec/tags/$nightly_tag)
-            if [[ "$TAGS" != *"not found"* ]]; then
-              TAG="$nightly_tag"
-              SEMVER="$nightly_semver"
-              echo "Using nightly tag: $TAG"
-            else
-              echo "Error: Tag $nightly_tag not published to docker hub"
-              exit 1
-            fi
+            SEMVER="${current_version}-nightly.$(date -u +%Y%m%d)"
+            echo "Using nightly tag: $SEMVER"
           fi
 
-          echo "TAG=$TAG" >> "$GITHUB_OUTPUT"
           echo "SEMVER=$SEMVER" >> "$GITHUB_OUTPUT"
 
   deploy-next-net:
     needs: get-image-tag
-    if: ${{ github.event_name != 'schedule' || github.repository == 'AztecProtocol/aztec-packages' }}
+    if: ${{ github.repository == 'AztecProtocol/aztec-packages-private' }}
     uses: ./.github/workflows/deploy-network.yml
     with:
       network: next-net
       semver: ${{ needs.get-image-tag.outputs.semver }}
-      aztec_docker_image: "aztecprotocol/aztec:${{ needs.get-image-tag.outputs.tag }}"
-      ref: ${{ github.ref }}
+      ref: next
+      use_internal_docker_registry: true
       deploy_contracts: ${{ github.event_name == 'schedule' || inputs.deploy_contracts == true }}
     secrets: inherit
@@ -0,0 +1,87 @@
+name: Deploy to staging internal
+
+on:
+  schedule:
+    - cron: "0 7 * * *"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag to deploy (v5.0.0 or any v5.0.0 prerelease). Leave empty to use today's nightly tag."
+        required: false
+        type: string
+      deploy_contracts:
+        description: "Redeploy rollup contracts before deploying infra."
+        required: false
+        type: boolean
+        default: false
+
+concurrency:
+  group: deploy-staging-internal
+  cancel-in-progress: true
+
+env:
+  GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+
+jobs:
+  determine-tag:
+    runs-on: ubuntu-latest
+    if: >-
+      (github.event_name == 'workflow_dispatch' ||
+      github.event_name == 'schedule') &&
+      (github.event_name != 'schedule' ||
+      github.repository == 'AztecProtocol/aztec-packages-private')
+    outputs:
+      tag: ${{ steps.resolve.outputs.tag }}
+      semver: ${{ steps.resolve.outputs.semver }}
+    steps:
+      - name: Checkout v5-next
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        with:
+          ref: v5-next
+          token: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Resolve nightly tag
+        id: resolve
+        run: |
+          if [[ -n "${{ inputs.tag }}" ]]; then
+            TAG="${{ inputs.tag }}"
+            echo "Using manually specified tag: $TAG"
+          else
+            TAG="v5.0.0-nightly.$(date -u +%Y%m%d)"
+            echo "Using today's nightly tag: $TAG"
+          fi
+
+          SEMVER="${TAG#v}"
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "semver=$SEMVER" >> $GITHUB_OUTPUT
+
+  wait-for-ci3:
+    needs: determine-tag
+    if: ${{ github.event_name != 'schedule' || github.repository == 'AztecProtocol/aztec-packages-private' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        with:
+          fetch-depth: 1
+
+      - name: Setup Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
+        with:
+          node-version: 22
+
+      - name: Wait for CI3
+        run: spartan/scripts/wait_for_ci3.ts "${{ needs.determine-tag.outputs.tag }}"
+
+  deploy:
+    needs: [determine-tag, wait-for-ci3]
+    if: ${{ github.event_name != 'schedule' || github.repository == 'AztecProtocol/aztec-packages-private' }}
+    uses: ./.github/workflows/deploy-network.yml
+    with:
+      network: staging-internal
+      semver: ${{ needs.determine-tag.outputs.semver }}
+      source_tag: ${{ needs.determine-tag.outputs.tag }}
+      deploy_contracts: ${{ inputs.deploy_contracts == true }}
+      use_internal_docker_registry: true
+    secrets: inherit
@@ -1,4 +1,4 @@
-name: Deploy to staging
+name: Deploy to staging public
 
 on:
   schedule:
@@ -16,7 +16,7 @@ on:
         default: false
 
 concurrency:
-  group: deploy-staging
+  group: deploy-staging-public
   cancel-in-progress: true
 
 env:
@@ -52,11 +52,6 @@ jobs:
             echo "Using today's nightly tag: $TAG"
           fi
 
-          if [[ ! "$TAG" =~ ^v5\.0\.0($|-.*) ]]; then
-            echo "Error: Staging deploys require a v5.0.0 tag or prerelease, got '$TAG'"
-            exit 1
-          fi
-
           SEMVER="${TAG#v}"
           echo "tag=$TAG" >> $GITHUB_OUTPUT
           echo "semver=$SEMVER" >> $GITHUB_OUTPUT
@@ -84,9 +79,8 @@ jobs:
     if: ${{ github.event_name != 'schedule' || github.repository == 'AztecProtocol/aztec-packages' }}
     uses: ./.github/workflows/deploy-network.yml
     with:
-      network: staging
+      network: staging-public
       semver: ${{ needs.determine-tag.outputs.semver }}
-      use_internal_docker_registry: true
       source_tag: ${{ needs.determine-tag.outputs.tag }}
       deploy_contracts: ${{ inputs.deploy_contracts == true }}
     secrets: inherit
@@ -6,7 +6,7 @@ on:
   workflow_call:
     inputs:
       environment:
-        description: 'Environment to fund (e.g., staging, next-net, testnet)'
+        description: 'Environment to fund (e.g., staging-public, staging-internal, next-net, testnet)'
         required: true
         type: string
       low_watermark:
@@ -30,7 +30,8 @@ on:
         required: true
         type: choice
         options:
-        - staging
+        - staging-public
+        - staging-internal
         - next-net
         - testnet
         - devnet

@@ -50,7 +50,8 @@ jobs:
         run: |
           # Static environments
           static='[
-            {"environment":"staging"},
+            {"environment":"staging-public"},
+            {"environment":"staging-internal"},
             {"environment":"next-net"},
             {"environment":"testnet"}
           ]'

@@ -9,7 +9,7 @@ on:
         description: 'Comma-separated list of networks to check (default: all)'
         required: false
         type: string
-        default: 'testnet,mainnet,staging,next-net'
+        default: 'testnet,mainnet,staging-public,staging-internal,next-net'
 
 jobs:
   healthcheck:
@@ -25,7 +25,7 @@ jobs:
           GH_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
           CI: "1"
         run: |
-          NETWORKS="${{ inputs.networks || 'next-net,staging,testnet,mainnet' }}"
+          NETWORKS="${{ inputs.networks || 'next-net,staging-public,staging-internal,testnet,mainnet' }}"
 
           PROMPT="Run a network healthcheck for: ${NETWORKS}.
 

@@ -100,7 +100,7 @@ jobs:
       namespace: bench-10tps
       aztec_docker_image: ${{ needs.select-image.outputs.docker_image }}
       ref: ${{ needs.select-image.outputs.source_ref }}
-      notify_on_failure: false
+      skip_notify_on_failure: true
     secrets: inherit
 
   wait-for-first-l2-block: