Added a deployment step to github actions #191
Conversation
Pull request overview
Adds a GitHub Actions deployment workflow that builds/pushes the backend Docker image to GHCR and then deploys it to a Linode host over SSH.
Changes:
- Added `.github/workflows/deploy.yml` to build/push `ghcr.io/.../muzzle` (latest + SHA) and run a remote deploy script on Linode.
- Updated CI Docker build tag from `mocker-backend:ci` to `muzzle:ci`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `.github/workflows/deploy.yml` | New workflow to publish the backend image to GHCR and trigger a remote Linode deploy via SSH. |
| `.github/workflows/ci.yml` | Renames the local CI-built Docker image tag. |
| runs-on: ubuntu-latest | ||
| # Scoping to a GitHub environment lets you add approval gates and | ||
| # view deployment history in the GitHub UI (Settings > Environments). | ||
| environment: production |
Deploys can run concurrently if multiple commits are pushed close together, which risks pulling/starting different images out of order on the Linode host. Add a concurrency group (e.g., workflow-level or job-level) to serialize production deployments and optionally cancel in-progress runs when a newer commit is pushed.
| environment: production | |
| environment: production | |
| concurrency: | |
| group: production-deploy | |
| cancel-in-progress: true |
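Review bot: `cancel-in-progress: true` in the suggested block cancels a run that may already be executing the remote deploy script, which can leave the Linode host with the image half pulled or the old container stopped and the new one never started. For a production deploy, keep `group: production-deploy` for serialization but set `cancel-in-progress: false` so a run that has reached the SSH step is allowed to finish; GitHub still collapses queued (not yet started) runs for the same group, which is the cheap win the comment above is after.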
| # line and out of the remote process list. | ||
| env: | ||
| GHCR_TOKEN: ${{ secrets.GHCR_PAT }} | ||
| GHCR_USER: ${{ github.actor }} |
The remote docker login uses GHCR_USER set to github.actor, but GHCR_TOKEN is a fixed PAT secret; if a different actor triggers the workflow (e.g., another maintainer or Dependabot), the username may not match the PAT owner and the login can fail. Use a stable username (commonly ${{ github.repository_owner }}) or store the intended GHCR username alongside the PAT in secrets.
| GHCR_USER: ${{ github.actor }} | |
| GHCR_USER: ${{ github.repository_owner }} |
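Review bot: `GHCR_TOKEN: ${{ secrets.GHCR_PAT }}` ships a long-lived personal token to the Linode host, where it can be recovered from the SSH session, shell history or a compromised box. For pulling an image that this same workflow pushes, the job's `secrets.GITHUB_TOKEN` (with `permissions: packages: read` or `write`) is accepted by `docker login ghcr.io` and expires when the job ends, provided the package is linked to this repository; if a PAT has to stay, make it fine-grained with `read:packages` only. Also confirm the step forwards `GHCR_TOKEN` and `GHCR_USER` to the remote shell (the ssh step's env pass-through), and that the remote `docker login` reads the token with `--password-stdin`, as the comment "out of the remote process list" intends; with a plain `-p` the token shows up in `ps` on the host.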
| with: | ||
| host: ${{ secrets.LINODE_HOST }} | ||
| username: ${{ secrets.LINODE_USER }} | ||
| password: ${{ secrets.LINODE_PASSWORD }} |
This workflow authenticates to the Linode host using an SSH password (LINODE_PASSWORD). Prefer key-based SSH authentication (with key/key_path) to reduce the risk of credential exposure and to align with common hardening practices for production deployment access.
| password: ${{ secrets.LINODE_PASSWORD }} | |
| key: ${{ secrets.LINODE_SSH_KEY }} |
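Review bot: Host key verification is missing from this step; with only `host`, `username` and `password` (or `key`) the runner has no way to check it is talking to the real Linode host, and a password handed to an impostor is captured outright, while a hijacked key-authenticated session can still be fed an attacker's image. Pin the host's SSH key (a `fingerprint` or `known_hosts` style input if the action supports one, otherwise a known_hosts entry from `ssh-keyscan` stored as a secret) alongside the switch to `key: ${{ secrets.LINODE_SSH_KEY }}`.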
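Putting the three review points together (serialized deploys, a short-lived registry token, key-based SSH with a pinned host key), here is an added example of what the deploy job could look like. It is not the PR's `deploy.yml` and not the project's code. It assumes the image lives at `ghcr.io/<repository owner>/muzzle` (the page shows only `ghcr.io/.../muzzle`), that the workflow runs on pushes to `main`, that a hypothetical `./deploy.sh` on the host takes the image reference as its argument, and that a `LINODE_KNOWN_HOSTS` secret holds the host's `ssh-keyscan` output. It uses plain `ssh` rather than a third-party SSH action so key handling and host-key pinning are explicit.

```yaml
name: deploy

on:
  push:
    branches: [main]   # assumed trigger

# Serialize production deploys. Do not cancel a run that may already be
# executing the remote script; queued runs for the same group still collapse.
concurrency:
  group: production-deploy
  cancel-in-progress: false

# Job token needs packages:write to push; the same token can pull on the host.
permissions:
  contents: read
  packages: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    env:
      # Assumed image location; the PR shows only ghcr.io/.../muzzle.
      IMAGE_REPO: ghcr.io/${{ github.repository_owner }}/muzzle
    steps:
      - uses: actions/checkout@v4

      # With GITHUB_TOKEN the actor/PAT-owner mismatch does not arise; the
      # github.actor username is the documented pairing for this token.
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: |
            ${{ env.IMAGE_REPO }}:latest
            ${{ env.IMAGE_REPO }}:${{ github.sha }}

      - name: Deploy over SSH (key auth, pinned host key)
        env:
          SSH_KEY: ${{ secrets.LINODE_SSH_KEY }}           # private key, PEM
          KNOWN_HOSTS: ${{ secrets.LINODE_KNOWN_HOSTS }}   # assumed: ssh-keyscan line
          HOST: ${{ secrets.LINODE_HOST }}
          USER: ${{ secrets.LINODE_USER }}
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}          # expires when the job ends
          GHCR_USER: ${{ github.actor }}
          IMAGE: ${{ env.IMAGE_REPO }}:${{ github.sha }}  # deploy the immutable tag
        run: |
          mkdir -p ~/.ssh && chmod 700 ~/.ssh
          printf '%s\n' "$SSH_KEY" > ~/.ssh/id_ed25519 && chmod 600 ~/.ssh/id_ed25519
          printf '%s\n' "$KNOWN_HOSTS" > ~/.ssh/known_hosts
          # StrictHostKeyChecking=yes refuses any host whose key is not in
          # known_hosts, so an impostor never sees the session at all.
          # The registry token travels on stdin, not on the remote command
          # line, so it does not appear in the host's process list.
          printf '%s' "$GHCR_TOKEN" | ssh \
            -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile=~/.ssh/known_hosts \
            -i ~/.ssh/id_ed25519 "$USER@$HOST" \
            "docker login ghcr.io -u '$GHCR_USER' --password-stdin \
             && docker pull '$IMAGE' \
             && ./deploy.sh '$IMAGE'"   # hypothetical remote deploy script
```

Generate `LINODE_KNOWN_HOSTS` once with `ssh-keyscan -t ed25519 <host>` from a trusted machine and store the output as the secret; if the host is rebuilt and its key changes, the deploy fails closed until the secret is updated, which is the intended behaviour. Pulling the `${{ github.sha }}` tag rather than `latest` on the host also makes each deployment reproducible from the run that produced it.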
No description provided.