@jochy
Last active July 23, 2024 15:03
[Ubuntu] Deploy a docker-compose from Github Actions using SSH

1. Create SSH keypair

In order to deploy over SSH, we need an SSH keypair dedicated to this job. Use a key type that is strong and supported by both the GitHub Actions runner and your remote host's sshd; Ed25519 (used below) is a good default.

You can use the command below to generate a keypair:

ssh-keygen -t ed25519 -C gha@vm-YourLogin -f ~/.ssh/id_gha

For this use case, don't use a passphrase (just press Return to select an empty passphrase): the workflow uses the key non-interactively and has no way to supply one. The private key is then protected only by the GitHub secret store, which is one more reason to limit what the gha user can do on the remote host (see step 2).

Passing a dedicated file name with -f ensures an existing default key (such as ~/.ssh/id_ed25519) is not overwritten.

The value for option -C is an optional comment, stored in the public key, that reminds you what the key is for (here, the GHA job's SSH access to your VM).

This command will generate 2 files:

  • id_gha.pub : the public key (can be given to anyone; it goes into authorized_keys on the remote in step 2)
  • id_gha : the private key (must stay secret; it goes into the GitHub secret in step 3 and nowhere else)

2. Setup the remote

Log into your remote host. Create a user named gha and add it to the docker group. Be aware that membership in the docker group is root-equivalent on that host (anyone who can talk to the Docker daemon can start a privileged container with the host filesystem mounted), so the deploy key you install below must be treated as a root credential for the VM.

Then, execute the commands below (please, replace 〈PUBLIC_KEY〉 with the public key created previously):

sudo su
su gha
cd
mkdir -m 700 .ssh
cd .ssh
touch authorized_keys
chmod 600 authorized_keys
echo "〈PUBLIC_KEY〉" >> authorized_keys
exit
exit

3. Setup GitHub repository

Log into GitHub and go to your repository. Then, go to Settings > Secrets and variables > Actions > New repository secret. Create a new secret named GHA_DEPLOY_SSH_PRIVATE_KEY and paste the full contents of the private key file (id_gha, including the BEGIN/END lines) as the value. Never echo this secret in a workflow step; GitHub masks it in logs only when it appears verbatim.

4. Deploy with GitHub Actions

Use a workflow like this one to deploy with docker-compose. Replace 〈HOSTNAME〉 with your VM's domain name (the one the gha user's sshd answers on).

name: Deploy
# A trigger is required for a workflow to run; this one is an assumption, adjust it to your branch or use workflow_dispatch
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Loads the private key from the secret into an ssh-agent on the runner
      - uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.GHA_DEPLOY_SSH_PRIVATE_KEY }}

      - name: Disable Host key verification
        # Hack to prevent "Host key verification failed". It accepts whatever host key the runner
        # is shown, so a machine-in-the-middle on this connection could capture the deploy.
        # Replace it with a pinned known_hosts entry: run ssh-keyscan against the VM once from a
        # trusted machine, store the line as a secret, and write it to ~/.ssh/known_hosts here.
        # Running ssh-keyscan inside the job only moves the trust problem to the scan itself.
        run: echo "StrictHostKeyChecking no" >> ~/.ssh/config

      - name: Deploy
        # docker-compose talks to the remote daemon over SSH (DOCKER_HOST=ssh://...), so images are
        # built and containers started on the VM, not on the runner. COMPOSE_DOCKER_CLI_BUILD=0 uses
        # compose v1's built-in builder instead of the docker CLI. The VM needs the docker CLI installed.
        run: docker-compose up -d
        env:
          COMPOSE_DOCKER_CLI_BUILD: 0
          DOCKER_HOST: "ssh://gha@〈HOSTNAME〉"
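The two weak spots in the procedure above are the unrestricted authorized_keys entry in step 2 (the key opens a full shell for a docker-group user) and the "StrictHostKeyChecking no" hack in step 4. The script below is an added example, not part of the gist, with two helpers: install_authorized_key, for the remote host, writes the public key with the restrict and command= options so a leaked key can only drive the Docker stdio bridge; pin_host_key, for the runner, pins the VM's host key instead of disabling verification. It assumes the client reaches the daemon by executing `docker system dial-stdio` over SSH, which is what the Docker CLI does for DOCKER_HOST=ssh://... (drop the command= option if your compose client uses another transport). The function names, the host vm.example.test and both key strings are constructed for the dry run and are not real keys.

```shell
#!/bin/sh
# Added example (not from the gist): hardening helpers for the SSH deploy flow.
#   install_authorized_key  - run on the remote host in place of the bare
#                             "echo PUBLIC_KEY >> authorized_keys" in step 2
#   pin_host_key            - run on the runner in place of the
#                             "StrictHostKeyChecking no" hack in step 4
# Assumption: the client runs "docker system dial-stdio" over SSH (Docker CLI
# behaviour for DOCKER_HOST=ssh://...). If yours does not, drop command=.
set -eu

# Build the authorized_keys entry. "restrict" (OpenSSH 7.2+) turns off
# port/agent/X11 forwarding and PTY allocation; command= forces every login
# with this key to run the Docker stdio bridge, so the key cannot open a
# shell. It still has full daemon access, which is root-equivalent.
authorized_keys_line() {
  printf 'restrict,command="docker system dial-stdio" %s\n' "$1"
}

# Install the entry into $1/.ssh/authorized_keys with the permissions sshd
# insists on (700 dir, 600 file). Idempotent: a line already present is
# not appended twice.
install_authorized_key() {
  home="$1"; pubkey="$2"
  dir="$home/.ssh"; file="$dir/authorized_keys"
  line=$(authorized_keys_line "$pubkey")
  mkdir -p -m 700 "$dir"
  touch "$file"
  chmod 600 "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Pin the remote host key on the runner. $2 is the "keytype base64" part as
# printed by `ssh-keyscan -t ed25519 HOST`, captured once from a trusted
# machine and stored as a GitHub secret. Entries are appended so other hosts
# (e.g. github.com) keep theirs. $3 (default ~/.ssh) allows a scratch dir.
pin_host_key() {
  host="$1"; hostkey="$2"; dir="${3:-$HOME/.ssh}"
  mkdir -p -m 700 "$dir"
  printf '%s %s\n' "$host" "$hostkey" >> "$dir/known_hosts"
  chmod 600 "$dir/known_hosts"
  {
    printf 'Host %s\n' "$host"
    printf '    StrictHostKeyChecking yes\n'
    printf '    UserKnownHostsFile %s/known_hosts\n' "$dir"
  } >> "$dir/config"
  chmod 600 "$dir/config"
}

# Constructed sample values for a local dry run; neither is a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakePublicKeyForTheDryRunOnly00000000000 gha@vm-YourLogin'
SAMPLE_HOSTKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeHostKeyForTheDryRunOnly0000000000000'

# Dry run in a scratch directory. On the real hosts, call
# install_authorized_key with the gha user's home and pin_host_key with no
# third argument.
tmp=$(mktemp -d)
install_authorized_key "$tmp/gha-home" "$SAMPLE_PUBKEY"
install_authorized_key "$tmp/gha-home" "$SAMPLE_PUBKEY"   # second call is a no-op
pin_host_key "vm.example.test" "$SAMPLE_HOSTKEY" "$tmp/runner-ssh"
cat "$tmp/gha-home/.ssh/authorized_keys" "$tmp/runner-ssh/known_hosts" "$tmp/runner-ssh/config"
rm -rf "$tmp"
```

In the workflow, the "Disable Host key verification" step becomes a call to pin_host_key with the hostname and a secret holding the ssh-keyscan output; if the VM is rebuilt and its host key changes, the deploy fails loudly instead of silently trusting the new key, which is the behaviour you want from a deploy credential that is root-equivalent on the target.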
@Sylver747

The GitHub interface for creating secrets has changed => Settings > Secrets and variables > Actions > New repository secrets

@jochy

jochy commented Apr 20, 2023

I've updated it, thanks for the info ;)

@erikmd

erikmd commented Jul 23, 2024

FYI @jochy, 2 versions to update: actions/checkout@v4 (v2 is deprecated) and webfactory/[email protected] (I tested it, it works ✔️👍)
Another suggestion: to be completely explicit, would you be OK with adding the --build option? → docker-compose up --build -d.
Last suggestion: I think it would be even more standard to add chmod 600 authorized_keys after touch authorized_keys.
