Full CI/CD with Docker + GitHub Actions + DigitalOcean (Droplets + Container Registry)

Nowadays, CI/CD became an essential part when developing software. It can save tons of money, time and reduce risks… In this article, I will show you how did I set up CI/CD for my personal blog with free services.

If you are not familiar with any services, check their definitions:

Firstly, have a look at this workflow.

Workflow

  1. Every time we push a new commit to GitHub, it will start processing GitHub Actions workflow.
  2. GitHub Actions will build a Docker image in its runner and push that image to Container Registry.
  3. GitHub Actions then will connect to Droplets and deploy the image from Container Registry to that Droplets.

Let’s see how to set up this workflow.

Add Actions secrets

There are some secret variables that you need to use in the GitHub Action workflow.yml file, so it should be better if they are encrypted by storing them in Github Secrets.

You can go to repository Settings → Secrets → Actions, then click New repository secret.

GitHub Secrets

There are some variables we need:

  • DIGITALOCEAN_ACCESS_TOKEN: A token that you have generated to access the DigitalOcean API.
    From DigitalOcean dashboard → API → Token/keys → Generate New Token (Remember to check both Read and Write permission)
  • HOST: your ssh host (Droplets ipv4)
  • PASSPHRASE: to encrypt the private key, generated when you create ssh keys for Droplets.
  • SSHKEY: the content of ssh private key. ex raw content of ~/.ssh/id_rsa
  • USERNAME: ssh username, default: root

Now we have enough secret variables to use in our CI/CD workflow file.

Create a workflow YAML file

  • Create a directory called .github/workflows in the repository directory.
  • In that directory, create a new file called build-and-deploy.yml and add the following code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: CI

# 1
# Controls when the workflow will run
on:
# Triggers the workflow on push events but only for the master branch
push:
branches: [ master ]

# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
version:
description: 'Image version'
required: true
#2
env:
REGISTRY: "your-digitalocean-registry-container-url"
IMAGE_NAME: "your-docker-image-name"

#3
jobs:
build_and_push:
runs-on: ubuntu-latest
steps:
- name: Checkout the repo
uses: actions/checkout@v2

- name: Build container image
run: docker build -t $(echo $REGISTRY)/$(echo $IMAGE_NAME):$(echo $GITHUB_SHA | head -c7) .

- name: Install doctl
uses: digitalocean/action-doctl@v2
with:
token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}

- name: Log in to DigitalOcean Container Registry with short-lived credentials
run: doctl registry login --expiry-seconds 600

- name: Remove all old images
run: if [ ! -z "$(doctl registry repository list | grep "$(echo $IMAGE_NAME)")" ]; then doctl registry repository delete-manifest $(echo $IMAGE_NAME) $(doctl registry repository list-tags $(echo $IMAGE_NAME) | grep -o "sha.*") --force; else echo "No repository"; fi

- name: Push image to DigitalOcean Container Registry
run: docker push $(echo $REGISTRY)/$(echo $IMAGE_NAME):$(echo $GITHUB_SHA | head -c7)

deploy:
runs-on: ubuntu-latest
needs: build_and_push

steps:
- name: Deploy to Digital Ocean droplet via SSH action
uses: appleboy/ssh-action@v0.1.3
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USERNAME }}
key: ${{ secrets.SSHKEY }}
passphrase: ${{ secrets.PASSPHRASE }}
envs: IMAGE_NAME,REGISTRY,{{ secrets.DIGITALOCEAN_ACCESS_TOKEN }},GITHUB_SHA
script: |
# Login to registry
docker login -u ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} -p ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} registry.digitalocean.com
# Stop running container
docker stop $(echo $IMAGE_NAME)
# Remove old container
docker rm $(echo $IMAGE_NAME)
# Run a new container from a new image
docker run -d \
--restart always \
--name $(echo $IMAGE_NAME) \
$(echo $REGISTRY)/$(echo $IMAGE_NAME):$(echo $GITHUB_SHA | head -c7)
  1. Controlling when the workflow will run: In this case, every time we have a push in the master branch.
  2. Define some environment variables that don’t need to be encrypted.
    • IMAGE_NAME: your Docker image name
    • REGISTRY: your DigitalOcean Registry Container URL

Registry Container URL

  1. We have 2 jobs here: run build_and_push then after it finishes, run deploy.

Running jobs

Some things need to be noted in the YAML files:

  • Because DigitalOcean Container Registry only has 500MB for the free plan, so we should remove all old images after we build and push the new image.
  • When deploying, it is better to stop running the container, remove it then run the new image (will pull it from DigitalOcean Container Registry).