-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always deploy the correct Docker image version (tag) #813
Comments
I agree with the synopsis, there are some edge case here that could catch us out. The like the idea of using the true Thinking further, we could use Wondering if we might be able to find a solution with GHA outputs... https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs |
I think we need to use reusable workflow outputs: https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-outputs-from-a-reusable-workflow |
Depends on: hypothesis/workflows#6 Fixes: #813
Depends on: hypothesis/workflows#6 Fixes: #813
The
deploy.yml
workflow always deploys thelatest
image from Docker Hub, rather than the image corresponding to the workflow run's Git commit.Details
The
deploy.yml
workflow calls the shareddockerhub.yml
workflow.dockerhub.yml
generates a version number Docker tag:You can see the generated tags on Hypothesis's Docker Hub account. The tag names contain the date (
YYYYMMDD
) followed by the letterg
followed by the first few characters of the Git commit SHA. For example:20221013-g3604296
. (The date is the date of the Git commit, not the date when the Docker image was built, so if you rebuild the Docker image from the same Git commit it should get the same date again.)The
deploy.yml
caller workflow then deploys the app to its QA and production environments using the hard-coded Docker taglatest
. For example this is thedeploy.yml
job for the production public Via - notice theVersion: latest
:via/.github/workflows/deploy.yml
Lines 49 to 59 in 3604296
Why is this a problem?
In most cases the Docker image for the
deploy.yml
workflow run's Git commit will be the same thing as thelatest
image and all will be well: the workflow run just built the image for its commit and published it to Docker Hub so that image is now the latest. But I think the workflow could deploy the wrong version of the Docker image to QA and/or production in various edge cases. For example:Developer A merges pull request A, triggering
deploy.yml
workflow run AWorkflow run A runs the tests, builds Docker image A, and publishes the image to Docker Hub. At this point the
latest
image on Docker Hub is image AWorkflow run A deploys the
latest
image to QA and then stops and waits for approval. Developer A starts testing PR A on QAMeanwhile another developer merges pull request B, triggering
deploy.yml
workflow run BWorkflow run B runs the tests, builds Docker image B, and publishes the image to Docker Hub. At this point the
latest
image on Docker Hub is image BDeveloper A finishes testing PR A on QA and approves the PR to be deployed to production
Workflow run A now continues and deploys the
latest
Docker image to production.latest
is Docker image B, not A, so the wrong image has been deployed. B hasn't been tested on QA yet but is now deployed to production.GitHub's various UIs relating to workflows/deployments/environments will display that commit A has been deployed to production, whereas in fact B was.
I believe there are other cases where the wrong commit might be deployed as well. For example:
deploy.yml
workflow for an old commit. This is something that the GitHub UI lets you do. It'll deploy thelatest
image, not the image for the commit whose workflow you just ran. But GitHub will think you deployed the old commit's imagelatest
image from Docker Hub, and they might not always be the same thinglatest
image will be the one for the previous commitSolution
Instead of
Version: latest
all the QA and production deployment jobs indeploy.yml
need to sayVersion: ${{ docker_tag }}
where${{ docker_tag }}
is the20221013-g3604296
. Unfortunately this tag name is generated in the shareddockerhub.yml
workflow not in thedeploy.yml
workflow, so we're going to have to find a way to pass it back.The text was updated successfully, but these errors were encountered: