Add automated deployment with backups and rollback #12
Conversation
jnation3406 left a comment:
I'm worried about leaking env variables in the logs - not sure if that happens, but we'd better make sure before it runs or we'll have to change it all.
Also, I think the development branch being deployed on push is fine, but the main branch should probably be on either tag or release, not just push to the main branch. That way the container it generates will have a clear tag associated with it rather than a commit hash, so it's easier to know what version is deployed and see what you are rolling back to.
| echo "ENV_FILE=${{ secrets.DEV_LOCAL_ENV_FILE }}" >> $GITHUB_OUTPUT | ||
| echo "DEPLOY_PATH=/home/exouser/heroic-frontend" >> $GITHUB_OUTPUT | ||
| echo "BACKUP_PATH=/home/exouser/backups/frontend" >> $GITHUB_OUTPUT | ||
| fi |
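Review bot: the `KEY=value` form written to `$GITHUB_OUTPUT` on the first line only carries a single-line value; if `DEV_LOCAL_ENV_FILE` holds a whole env file (several `VAR=value` lines), only its first line becomes `ENV_FILE` and the remaining lines are not part of that output. Multi-line values need the delimiter syntax: `echo "ENV_FILE<<EOF" >> "$GITHUB_OUTPUT"`, then the value, then `echo "EOF" >> "$GITHUB_OUTPUT"`; quoting `"$GITHUB_OUTPUT"` also guards against word splitting.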
Does this print those things into the github actions log? I think that is all publicly accessible since this is a public repo...
Thanks for the heads up. GitHub logs are protected and should mask those values with "x".
.github/workflows/deploy.yml (Outdated)
| - name: Setup SSH | ||
| run: | | ||
| mkdir -p ~/.ssh | ||
| echo "${{ steps.set-env.outputs.SSH_KEY }}" > ~/.ssh/deploy_key |
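Review bot: on the last line the key is interpolated with `${{ }}` straight into the shell script body, so the generated `run` script itself contains the secret; pass it through `env:` instead (`SSH_KEY: ${{ steps.set-env.outputs.SSH_KEY }}`) and write `printf '%s\n' "$SSH_KEY" > ~/.ssh/deploy_key`, which keeps the value out of the script text and preserves a multi-line key. The file is also created with the default umask here; ssh refuses a private key that is group- or world-readable, so a `chmod 600 ~/.ssh/deploy_key` (or `umask 077` before `mkdir`) has to follow.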
Same comment as above, worried this might leak out in the GitHub Actions log...
I've updated the workflow to:
- Use heredoc instead of echo for writing secrets
- Changed production deployment to tag-based (no auto-deploy on main push)
- Added version tracking for clearer rollbacks
.github/workflows/deploy.yml (Outdated)
| echo "❌ Frontend deployment to ${{ steps.set-env.outputs.ENVIRONMENT }} failed" | ||
| echo "🔄 Automatic rollback was attempted" | ||
| exit 1 | ||
| fi No newline at end of file |
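Review bot: the failure branch prints "Automatic rollback was attempted" but does not distinguish a rollback that succeeded from one that also failed, which is the case an operator has to act on immediately; capture the rollback command's exit status and print it (or a different message) before the `exit 1` on the third line.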
newline at end
Added.
| echo "" | ||
| echo "4. Building and starting frontend services..." | ||
| docker compose build --no-cache frontend |
Building the docker container should probably be done in an earlier step so it can just be pulled down rather than built here - same for the rollback to a previous version. You can store public project images in GitHub's registry (ghcr.io). Here is an example from a different project: https://github.com/observatorycontrolsystem/observation-portal/blob/main/.github/workflows/publish-docker.yaml
Still working on this one, will give a heads up when done.
- Use heredoc for SSH key and env file creation (more secure)
- Change production trigger from branch push to tag push
- Add version tracking with .deployed_version file
- Update backup/rollback to include version information

Addresses feedback from PR review.
Added the secrets and variables to GitHub and created the .yml file to achieve automatic deployment. I added backup creation and rollbacks in case of deploy failure. It also considers the correct backend deploy order given that frontend and backend share the same docker-compose network.
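The pattern the review converged on (tag-only production trigger, secrets passed through `env:` and written with printf/heredoc, a `.deployed_version` file for rollbacks, a pre-built image pulled rather than built on the host), as an added example workflow that is not the PR's `deploy.yml`. `DEV_LOCAL_ENV_FILE`, the `set-env` step and the `/home/exouser/heroic-frontend` path come from the PR; `DEV_SSH_KEY`, `DEPLOY_HOST` and the existence of a registry image for `frontend` are assumptions.

```yaml
name: deploy
on:
  push:
    branches: [development]   # development: deploy on every push
    tags: ['v*']              # production: deploy only on a version tag

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Resolve environment and version
        id: set-env
        run: |
          if [[ "$GITHUB_REF" == refs/tags/* ]]; then
            echo "ENVIRONMENT=production" >> "$GITHUB_OUTPUT"
            echo "VERSION=$GITHUB_REF_NAME" >> "$GITHUB_OUTPUT"   # e.g. v1.4.0
          else
            echo "ENVIRONMENT=development" >> "$GITHUB_OUTPUT"
            echo "VERSION=${GITHUB_SHA::12}" >> "$GITHUB_OUTPUT"
          fi

      - name: Write SSH key and env file
        # Secrets enter through env:, not ${{ }} in the script text, and are
        # written with printf/heredoc so multi-line values stay intact.
        env:
          SSH_KEY: ${{ secrets.DEV_SSH_KEY }}           # assumed secret name
          ENV_FILE: ${{ secrets.DEV_LOCAL_ENV_FILE }}   # secret named in the PR
        run: |
          umask 077                                     # both files land as 0600
          mkdir -p ~/.ssh
          printf '%s\n' "$SSH_KEY" > ~/.ssh/deploy_key
          cat > .env.deploy <<EOF
          ${ENV_FILE}
          EOF

      - name: Deploy pre-built image and record version
        env:
          HOST: ${{ vars.DEPLOY_HOST }}                 # assumed repository variable
          VERSION: ${{ steps.set-env.outputs.VERSION }}
        run: |
          # accept-new is trust-on-first-use; pin the host key in known_hosts where possible
          OPTS="-i $HOME/.ssh/deploy_key -o StrictHostKeyChecking=accept-new"
          scp $OPTS .env.deploy "exouser@$HOST:/home/exouser/heroic-frontend/.env"
          ssh $OPTS "exouser@$HOST" "cd /home/exouser/heroic-frontend && \
            cp -f .deployed_version .previous_version 2>/dev/null; \
            echo '$VERSION' > .deployed_version && \
            docker compose pull frontend && docker compose up -d frontend"
```

Because the tag name is recorded in `.deployed_version` and the prior value kept in `.previous_version`, a rollback is `docker compose pull`/`up` of the image tagged with the previous version rather than a rebuild on the host.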