
Commit 6985cc0

committed
Update deployment workflow to include SSH user for improved security and clarity. Adjusted SSH commands to utilize the new DEPLOYMENT_USER secret for all deployment steps.
1 parent dec7647 commit 6985cc0

1 file changed

Lines changed: 15 additions & 14 deletions


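--- a/.github/workflows/build-push-deploy.yml
+++ b/.github/workflows/build-push-deploy.yml
@@ -1,6 +1,7 @@
 # Required secrets (repository/organization):
 # DOCKER_USER, DOCKER_TOKEN - Docker Hub login
 # DEPLOYMENT_KEY - SSH private key for deploy host
+# DEPLOYMENT_USER - SSH user on deploy host (e.g. root)
 # DEPLOYMENT_HOST, DEPLOYMENT_PORT - deploy server
 # SMTP_HOST, SMTP_PORT, SMTP_SECURE, SMTP_USER, SMTP_PASS, SMTP_FROM, SMTP_TO
 # Optional vars (defaults in workflow): SMTP_FROM_NAME, NEXT_PUBLIC_SITE_URL
@@ -96,11 +97,11 @@ jobs:
 
 - name: Add SSH known hosts
 run: |
-ssh-keyscan -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} >> ~/.ssh/known_hosts
+ssh-keyscan -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} >> ~/.ssh/known_hosts
 
 - name: Create deployment directory
 run: |
-ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} \
+ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} \
 "mkdir -p ${{ env.DEPLOYMENT_DIR }}"
 
 - name: Generate docker-compose.yml from template
@@ -112,7 +113,7 @@ jobs:
 run: |
 scp -P ${{ secrets.DEPLOYMENT_PORT }} \
 /tmp/docker-compose.yml \
-${{ secrets.DEPLOYMENT_HOST }}:${{ env.DEPLOYMENT_DIR }}/docker-compose.yml
+${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }}:${{ env.DEPLOYMENT_DIR }}/docker-compose.yml
 
 - name: Create and deploy .env from secrets
 env:
@@ -139,19 +140,19 @@ jobs:
 } > /tmp/deploy.env
 base64 -w0 /tmp/deploy.env > /tmp/deploy.env.b64
 scp -P ${{ secrets.DEPLOYMENT_PORT }} /tmp/deploy.env.b64 \
-${{ secrets.DEPLOYMENT_HOST }}:${{ env.DEPLOYMENT_DIR }}/.env.b64
-ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} \
+${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }}:${{ env.DEPLOYMENT_DIR }}/.env.b64
+ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} \
 "cd ${{ env.DEPLOYMENT_DIR }} && base64 -d .env.b64 > .env && chmod 600 .env && rm -f .env.b64"
 
 - name: Login to Docker Hub on deployment host
 run: |
-ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} \
+ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} \
 "echo '${{ secrets.DOCKER_TOKEN }}' | docker login ${{ env.DOCKER_REGISTRY }} -u '${{ secrets.DOCKER_USER }}' --password-stdin"
 
 - name: Check existing deployment
 id: check-existing
 run: |
-if ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} \
+if ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} \
 "test -f ${{ env.DEPLOYMENT_DIR }}/docker-compose.yml"; then
 echo "exists=true" >> $GITHUB_OUTPUT
 echo "Existing docker-compose.yml found"
@@ -163,7 +164,7 @@ jobs:
 - name: Stop existing containers (if running)
 if: steps.check-existing.outputs.exists == 'true'
 run: |
-ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} \
+ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} \
 "cd ${{ env.DEPLOYMENT_DIR }} && \
 if docker compose ps -q | grep -q .; then \
 echo 'Stopping existing containers...'; \
@@ -174,22 +175,22 @@ jobs:
 
 - name: Pull Docker image
 run: |
-ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} \
+ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} \
 "docker pull ${{ needs.build-and-push.outputs.full_image }}"
 
 - name: Deploy with docker compose
 run: |
-ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} \
+ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} \
 "cd ${{ env.DEPLOYMENT_DIR }} && docker compose up -d --remove-orphans"
 
 - name: Verify deployment
 run: |
-ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} \
+ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} \
 "cd ${{ env.DEPLOYMENT_DIR }} && docker compose ps"
 
 - name: Check container health
 run: |
-ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} \
+ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} \
 "cd ${{ env.DEPLOYMENT_DIR }} && \
 if docker compose ps --format json | grep -q '\"State\":\"running\"'; then \
 echo 'Container is running'; \
@@ -202,7 +203,7 @@ jobs:
 - name: Show container logs (if needed)
 if: failure()
 run: |
-ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} \
+ssh -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }} \
 "cd ${{ env.DEPLOYMENT_DIR }} && docker compose logs --tail=50"
 
 - name: Deployment info
@@ -211,5 +212,5 @@ jobs:
 echo " Image: ${{ needs.build-and-push.outputs.full_image }}"
 echo " Tag: ${{ needs.build-and-push.outputs.image_tag }}"
 echo " SHA: ${{ needs.build-and-push.outputs.sha_short }}"
-echo " Host: ${{ secrets.DEPLOYMENT_HOST }}"
+echo " Host: ${{ secrets.DEPLOYMENT_USER }}@${{ secrets.DEPLOYMENT_HOST }}"
 echo " Directory: ${{ env.DEPLOYMENT_DIR }}"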
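Review bot: The "Add SSH known hosts" step in hunk `@@ -96,11 +97,11 @@` now passes `user@host` to ssh-keyscan, but to my knowledge ssh-keyscan accepts bare host names (optionally `[host]:port`) and does not strip a `user@` prefix, so it will try to resolve the whole string as a host, scan nothing, and append nothing to `~/.ssh/known_hosts`; the enclosing `jobs:` block starts before these hunks. Every later ssh/scp step would then fail host-key verification, and the tempting workaround (`StrictHostKeyChecking=no`) would remove host authentication altogether, so only the ssh/scp invocations need the user and this line should stay `ssh-keyscan -p ${{ secrets.DEPLOYMENT_PORT }} ${{ secrets.DEPLOYMENT_HOST }} >> ~/.ssh/known_hosts`. Independently of that, scanning the key on every run trusts whatever the host presents at that moment; storing the expected known_hosts line as a repository variable (name is yours to choose) and writing it directly is the stronger option, since it also makes a changed host key a visible failure rather than a silent re-trust. The new comment in hunk `@@ -1,6 +1,7 @@` suggests `root` as the deploy user; a dedicated deploy account that owns the deployment directory keeps the reach of a leaked DEPLOYMENT_KEY to the deployment itself.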
