From 6609fb3623c0ad9b815860931977b028ab9e04e3 Mon Sep 17 00:00:00 2001
From: Dave Evans
Date: Mon, 16 Feb 2026 16:34:48 +0000
Subject: [PATCH] Fix deployment workflow

For context see: https://bennettoxford.slack.com/archives/C63UXGB8E/p1771253203298999
---
 .github/workflows/build_and_publish.yaml | 34 +++++++++++++++++++-----
 1 file changed, 27 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build_and_publish.yaml b/.github/workflows/build_and_publish.yaml
index bc8ddf5..f03506b 100644
--- a/.github/workflows/build_and_publish.yaml
+++ b/.github/workflows/build_and_publish.yaml
@@ -4,9 +4,11 @@ on:
 branches: [main]
 workflow_dispatch:
 env:
- SSH_AUTH_SOCK: /tmp/agent.sock
+ APP_NAME: proxy
 IMAGE_NAME: opensafely-proxy
- IMAGE_ID: ghcr.io/opensafely-core/opensafely-proxy
+ PUBLIC_IMAGE_NAME: ghcr.io/opensafely-core/opensafely-proxy
+ HOST: dokku4.ebmdatalab.net
+ SSH_AUTH_SOCK: /tmp/agent.sock
 permissions:
 packages: write
 jobs:
@@ -24,14 +26,32 @@ jobs: run: docker login https://ghcr.io -u ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }} - name: Push image to GitHub Container Registry run: | - docker tag $IMAGE_NAME $IMAGE_ID:latest - docker push $IMAGE_ID:latest + docker tag $IMAGE_NAME $PUBLIC_IMAGE_NAME:latest + docker push $PUBLIC_IMAGE_NAME:latest - name: Setup SSH Agent run: | ssh-agent -a $SSH_AUTH_SOCK > /dev/null ssh-add - <<< "${{ secrets.DOKKU4_DEPLOY_SSH_KEY }}" - - name: Deploy + - name: Deploy image run: | - SHA=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_ID:latest) - ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" dokku@dokku4.ebmdatalab.net git:from-image proxy $SHA + set -euo pipefail + + # Find the full qualified "repo digest" for this image + IMAGE_DIGEST="$( + docker inspect --format='{{join .RepoDigests "\n"}}' "$PUBLIC_IMAGE_NAME:latest" \ + | grep --fixed-strings "$PUBLIC_IMAGE_NAME" || true + )" + # Fail if we have none or more than one (as indicated by the presence of whitespace) + if [[ -z "$IMAGE_DIGEST" || "$IMAGE_DIGEST" =~ [[:space:]] ]]; then + echo "Expected exactly one value in IMAGE_DIGEST, got: $IMAGE_DIGEST" + echo + echo "Debug info:" + set -x + docker inspect --format='{{join .RepoDigests "\n"}}' "$PUBLIC_IMAGE_NAME:latest" + exit 1 + fi + echo "Deploying to $HOST" + echo "dokku git:from-image $APP_NAME $IMAGE_DIGEST" + ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" \ + "dokku@$HOST" git:from-image "$APP_NAME" "$IMAGE_DIGEST"
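Review bot: The ssh call that ends the "Deploy image" step still passes `-o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no"`, so the runner accepts whatever host key answers for `$HOST`. A spoofed or redirected endpoint would receive the deploy command and could report success while the real server is never updated. Pinning the server's host key closes that gap: write the key to a file first, for example `printf '%s\n' "$DOKKU_KNOWN_HOSTS" > "$RUNNER_TEMP/known_hosts"` (placeholder variable name, to be filled from a repository variable or secret holding the host's public key line), then pass `-o "UserKnownHostsFile=$RUNNER_TEMP/known_hosts" -o "StrictHostKeyChecking=yes"`. The step's `run:` block sits entirely inside this hunk, but the job it belongs to starts above it.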