christian/internetforkids
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: promote :latest only after health+smoke checks pass
All checks were successful
Deploy Internet for Kids / Build & Push (push) Successful in 12s
Details
Deploy Internet for Kids / Deploy (push) Successful in 6s
Details
Deploy Internet for Kids / Health Check (push) Successful in 2s
Details
Deploy Internet for Kids / Smoke Tests (push) Successful in 3s
Details
Deploy Internet for Kids / Promote to Latest (push) Successful in 1s
Details
Deploy Internet for Kids / Rollback (push) Has been skipped
Details
Deploy Internet for Kids / Audit (push) Successful in 2s
Details

Browse Source 
Previously, :latest was pushed during build before any validation.
If health checks failed, rollback restored locally but Watchtower
re-pulled the broken :latest from registry, undoing the rollback.

Now: build pushes only SHA tag, deploy uses SHA tag locally,
new promote job pushes :latest only after smoke tests pass.
Rollback also pushes restored image as :latest to registry.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Christian Gick
2026-04-03 07:06:25 +03:00
parent 19c720b55f
commit 05a648b096
1 changed files with 22 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
.gitea/workflows/deploy.yml
View File

@@ -50,10 +50,8 @@ jobs:
run: | run: |
DOCKER_BUILDKIT=1 docker build --pull \ DOCKER_BUILDKIT=1 docker build --pull \
-t ${{ env.IMAGE }}:${{ github.sha }} \ -t ${{ env.IMAGE }}:${{ github.sha }} \
-t ${{ env.IMAGE }}:latest \
. .
docker push ${{ env.IMAGE }}:${{ github.sha }} docker push ${{ env.IMAGE }}:${{ github.sha }}
docker push ${{ env.IMAGE }}:latest
- name: Cleanup - name: Cleanup
if: always() if: always()
@@ -87,9 +85,10 @@ jobs:
# Sync docker-compose.yml and deploy # Sync docker-compose.yml and deploy
scp docker-compose.yml ${{ env.REMOTE_USER }}@${{ env.REMOTE_HOST }}:${{ env.DEPLOY_PATH }}/docker-compose.yml scp docker-compose.yml ${{ env.REMOTE_USER }}@${{ env.REMOTE_HOST }}:${{ env.DEPLOY_PATH }}/docker-compose.yml
ssh ${{ env.REMOTE_USER }}@${{ env.REMOTE_HOST }} << 'EOF' ssh ${{ env.REMOTE_USER }}@${{ env.REMOTE_HOST }} << EOF
cd /opt/apps/internetforkids cd /opt/apps/internetforkids
docker pull gitea.agiliton.internal:3000/christian/internetforkids:latest docker pull ${{ env.IMAGE }}:${{ github.sha }}
docker tag ${{ env.IMAGE }}:${{ github.sha }} ${{ env.IMAGE }}:latest
docker compose up -d --force-recreate --remove-orphans docker compose up -d --force-recreate --remove-orphans
EOF EOF
@@ -164,6 +163,22 @@ jobs:
fi fi
echo "All smoke tests passed" echo "All smoke tests passed"
promote:
name: Promote to Latest
runs-on: ubuntu-latest
needs: [smoke-test]
steps:
- name: Login to registry
run: |
echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY }} -u christian --password-stdin
- name: Tag and push latest
run: |
docker pull ${{ env.IMAGE }}:${{ github.sha }}
docker tag ${{ env.IMAGE }}:${{ github.sha }} ${{ env.IMAGE }}:latest
docker push ${{ env.IMAGE }}:latest
echo "Promoted ${{ github.sha }} to :latest"
rollback: rollback:
name: Rollback name: Rollback
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -186,6 +201,8 @@ jobs:
cd ${{ env.DEPLOY_PATH }} cd ${{ env.DEPLOY_PATH }}
docker tag $PREVIOUS ${{ env.IMAGE }}:latest docker tag $PREVIOUS ${{ env.IMAGE }}:latest
docker compose up -d --force-recreate docker compose up -d --force-recreate
# Push rolled-back image as :latest so Watchtower doesn't re-pull broken
docker push ${{ env.IMAGE }}:latest
EOF EOF
- name: Verify rollback - name: Verify rollback
@@ -201,7 +218,7 @@ jobs:
audit: audit:
name: Audit name: Audit
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [deploy, health-check, smoke-test, rollback] needs: [deploy, health-check, smoke-test, promote, rollback]
if: always() if: always()
steps: steps:
- name: Setup SSH - name: Setup SSH