fix: promote :latest only after health+smoke checks pass
All checks were successful
Deploy Internet for Kids / Build & Push (push) Successful in 12s
Deploy Internet for Kids / Deploy (push) Successful in 6s
Deploy Internet for Kids / Health Check (push) Successful in 2s
Deploy Internet for Kids / Smoke Tests (push) Successful in 3s
Deploy Internet for Kids / Promote to Latest (push) Successful in 1s
Deploy Internet for Kids / Rollback (push) Has been skipped
Deploy Internet for Kids / Audit (push) Successful in 2s
All checks were successful
Deploy Internet for Kids / Build & Push (push) Successful in 12s
Deploy Internet for Kids / Deploy (push) Successful in 6s
Deploy Internet for Kids / Health Check (push) Successful in 2s
Deploy Internet for Kids / Smoke Tests (push) Successful in 3s
Deploy Internet for Kids / Promote to Latest (push) Successful in 1s
Deploy Internet for Kids / Rollback (push) Has been skipped
Deploy Internet for Kids / Audit (push) Successful in 2s
Previously, :latest was pushed during build before any validation. If health checks failed, rollback restored locally but Watchtower re-pulled the broken :latest from registry, undoing the rollback. Now: build pushes only SHA tag, deploy uses SHA tag locally, new promote job pushes :latest only after smoke tests pass. Rollback also pushes restored image as :latest to registry. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Christian Gick
@@ -50,10 +50,8 @@ jobs:
|
||||
run: |
|
||||
DOCKER_BUILDKIT=1 docker build --pull \
|
||||
-t ${{ env.IMAGE }}:${{ github.sha }} \
|
||||
-t ${{ env.IMAGE }}:latest \
|
||||
.
|
||||
docker push ${{ env.IMAGE }}:${{ github.sha }}
|
||||
docker push ${{ env.IMAGE }}:latest
|
||||
|
||||
- name: Cleanup
|
||||
if: always()
|
||||
@@ -87,9 +85,10 @@ jobs:
|
||||
# Sync docker-compose.yml and deploy
|
||||
scp docker-compose.yml ${{ env.REMOTE_USER }}@${{ env.REMOTE_HOST }}:${{ env.DEPLOY_PATH }}/docker-compose.yml
|
||||
|
||||
ssh ${{ env.REMOTE_USER }}@${{ env.REMOTE_HOST }} << 'EOF'
|
||||
ssh ${{ env.REMOTE_USER }}@${{ env.REMOTE_HOST }} << EOF
|
||||
cd /opt/apps/internetforkids
|
||||
docker pull gitea.agiliton.internal:3000/christian/internetforkids:latest
|
||||
docker pull ${{ env.IMAGE }}:${{ github.sha }}
|
||||
docker tag ${{ env.IMAGE }}:${{ github.sha }} ${{ env.IMAGE }}:latest
|
||||
docker compose up -d --force-recreate --remove-orphans
|
||||
EOF
|
||||
|
||||
@@ -164,6 +163,22 @@ jobs:
|
||||
fi
|
||||
echo "All smoke tests passed"
|
||||
|
||||
promote:
|
||||
name: Promote to Latest
|
||||
runs-on: ubuntu-latest
|
||||
needs: [smoke-test]
|
||||
steps:
|
||||
- name: Login to registry
|
||||
run: |
|
||||
echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY }} -u christian --password-stdin
|
||||
|
||||
- name: Tag and push latest
|
||||
run: |
|
||||
docker pull ${{ env.IMAGE }}:${{ github.sha }}
|
||||
docker tag ${{ env.IMAGE }}:${{ github.sha }} ${{ env.IMAGE }}:latest
|
||||
docker push ${{ env.IMAGE }}:latest
|
||||
echo "Promoted ${{ github.sha }} to :latest"
|
||||
|
||||
rollback:
|
||||
name: Rollback
|
||||
runs-on: ubuntu-latest
|
||||
@@ -186,6 +201,8 @@ jobs:
|
||||
cd ${{ env.DEPLOY_PATH }}
|
||||
docker tag $PREVIOUS ${{ env.IMAGE }}:latest
|
||||
docker compose up -d --force-recreate
|
||||
# Push rolled-back image as :latest so Watchtower doesn't re-pull broken
|
||||
docker push ${{ env.IMAGE }}:latest
|
||||
EOF
|
||||
|
||||
- name: Verify rollback
|
||||
@@ -201,7 +218,7 @@ jobs:
|
||||
audit:
|
||||
name: Audit
|
||||
runs-on: ubuntu-latest
|
||||
needs: [deploy, health-check, smoke-test, rollback]
|
||||
needs: [deploy, health-check, smoke-test, promote, rollback]
|
||||
if: always()
|
||||
steps:
|
||||
- name: Setup SSH
|
||||
|
||||
Reference in New Issue
Block a user