Merged
11 changes: 7 additions & 4 deletions .github/workflows/deploy-lightsail.yml
@@ -1,15 +1,14 @@
name: Deploy Lightsail

on:
pull_request:
branches:
- main
push:
branches:
- main
workflow_dispatch:

concurrency:
group: lightsail-production
cancel-in-progress: false

jobs:
verify:
name: Verify
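Review bot: the workflow-level `concurrency` block added under `workflow_dispatch:` uses the fixed group name `lightsail-production` for every trigger, so `pull_request` runs (which only execute `verify`) are queued behind, and can be blocked by, production deploys, and the `deploy` job below declares the identical group a second time. Consider scoping the workflow-level group to the ref, e.g. `group: ${{ github.workflow }}-${{ github.ref }}`, and leaving the production serialization to the job-level `concurrency` on `deploy`.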
@@ -50,7 +49,11 @@ jobs:
name: Deploy
runs-on: ubuntu-latest
needs: verify
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
environment: production
concurrency:
group: lightsail-production
cancel-in-progress: false
Comment on lines +52 to +56
Action required

1. Deploys unverified main head 🐞 Bug ≡ Correctness

The deploy SSH script resets the server to origin/main rather than deploying the workflow’s triggering commit SHA, so queued/overlapping runs can deploy a different (later) commit than the one verified. This breaks the verify→deploy guarantee and can ship untested code to production.
Agent Prompt
### Issue description
The deploy step deploys `origin/main` (current HEAD) instead of the commit that the workflow verified, so production can receive code that was never linted/tested/built by that run.

### Issue Context
The `deploy` job is serialized via `concurrency`, which means it can run after additional commits land on `main`. The remote script currently does `git reset --hard origin/main`, which deploys the latest main at execution time.

### Fix Focus Areas
- .github/workflows/deploy-lightsail.yml[48-76]

### Suggested fix
- Pass the triggering SHA into the deploy script (e.g., env `COMMIT_SHA: ${{ github.sha }}`), and on the server:
  - `git fetch origin $COMMIT_SHA`
  - `git reset --hard $COMMIT_SHA`
- Optionally, also consider `cancel-in-progress: true` for the deploy concurrency group if the desired behavior is to only deploy the latest push.

steps:
- name: Deploy over SSH
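Review bot: the `if:` on the `deploy` job admits every `workflow_dispatch` run, and `workflow_dispatch:` in the `on:` block carries no branch filter, so a manual dispatch from a non-main ref still reaches the `production` environment. Consider `if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'`. The job-level `concurrency` block also repeats the workflow-level group and `cancel-in-progress: false` verbatim; one of the two declarations is enough.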
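The server-side half of the fix the comment suggests (fetch and reset to the triggering SHA rather than `origin/main`), written out as an added example; it is not the repository's deploy script. It assumes the workflow exports `COMMIT_SHA: ${{ github.sha }}` into the SSH session and that the checkout lives at `APP_DIR` (placeholder path), and it goes one step further than the comment by refusing any SHA that is not an ancestor of `origin/main`, which also covers the unfiltered `workflow_dispatch` case.

```shell
#!/bin/sh
# Added example deploy script; not the project's own code.
# Assumes COMMIT_SHA (full 40-hex id from the workflow) and APP_DIR (placeholder) in the environment.
set -eu

# Accept only a full 40-character lowercase hex commit id. A branch name such as
# "main" is rejected, so a queued run cannot drift to whatever main points at later.
validate_sha() {
  case "$1" in
    *[!0-9a-f]*|"") return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

deploy_commit() {
  sha="$1"
  app_dir="$2"
  validate_sha "$sha" || { echo "refusing to deploy non-SHA ref: $sha" >&2; return 1; }

  # Fetch the exact verified commit, then main, and require the commit to be on main.
  # This blocks a manual dispatch from an unrelated ref from landing in production.
  git -C "$app_dir" fetch --quiet origin "$sha"
  git -C "$app_dir" fetch --quiet origin main
  git -C "$app_dir" merge-base --is-ancestor "$sha" FETCH_HEAD \
    || { echo "$sha is not reachable from origin/main; refusing" >&2; return 1; }

  git -C "$app_dir" reset --hard --quiet "$sha"

  # Confirm the working tree is at exactly the verified commit before anything is restarted.
  [ "$(git -C "$app_dir" rev-parse HEAD)" = "$sha" ]
}

# Entry point: only runs when the workflow has provided COMMIT_SHA.
if [ -n "${COMMIT_SHA:-}" ]; then
  deploy_commit "$COMMIT_SHA" "${APP_DIR:-/srv/app}"
fi
```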