Skip to content

Fix deployment workflow #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rebkwok merged 1 commit into from
Feb 17, 2026
Merged

Fix deployment workflow #73

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 27 additions & 7 deletions .github/workflows/build_and_publish.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,11 @@ on:
branches: [main]
workflow_dispatch:
env:
SSH_AUTH_SOCK: /tmp/agent.sock
APP_NAME: proxy
IMAGE_NAME: opensafely-proxy
IMAGE_ID: ghcr.io/opensafely-core/opensafely-proxy
PUBLIC_IMAGE_NAME: ghcr.io/opensafely-core/opensafely-proxy
HOST: dokku4.ebmdatalab.net
SSH_AUTH_SOCK: /tmp/agent.sock
permissions:
packages: write
jobs:
Expand All @@ -24,14 +26,32 @@ jobs:
run: docker login https://ghcr.io -u ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}
- name: Push image to GitHub Container Registry
run: |
docker tag $IMAGE_NAME $IMAGE_ID:latest
docker push $IMAGE_ID:latest
docker tag $IMAGE_NAME $PUBLIC_IMAGE_NAME:latest
docker push $PUBLIC_IMAGE_NAME:latest
- name: Setup SSH Agent
run: |
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
ssh-add - <<< "${{ secrets.DOKKU4_DEPLOY_SSH_KEY }}"
- name: Deploy
- name: Deploy image
run: |
SHA=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_ID:latest)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" dokku@dokku4.ebmdatalab.net git:from-image proxy $SHA
set -euo pipefail

# Find the full qualified "repo digest" for this image
IMAGE_DIGEST="$(
docker inspect --format='{{join .RepoDigests "\n"}}' "$PUBLIC_IMAGE_NAME:latest" \
| grep --fixed-strings "$PUBLIC_IMAGE_NAME" || true
)"
# Fail if we have none or more than one (as indicated by the presence of whitespace)
if [[ -z "$IMAGE_DIGEST" || "$IMAGE_DIGEST" =~ [[:space:]] ]]; then
echo "Expected exactly one value in IMAGE_DIGEST, got: $IMAGE_DIGEST"
echo
echo "Debug info:"
set -x
docker inspect --format='{{join .RepoDigests "\n"}}' "$PUBLIC_IMAGE_NAME:latest"
exit 1
fi

echo "Deploying to $HOST"
echo "dokku git:from-image $APP_NAME $IMAGE_DIGEST"
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" \
"dokku@$HOST" git:from-image "$APP_NAME" "$IMAGE_DIGEST"