Blog: CI/CD Detail
Level 3 (Detail) — GitHub Actions publication pipeline.
Concept
The CI pipeline builds the Hugo site, packages it in an Nginx Docker image, and pushes the image to Docker Hub. It runs on every push to master.
Workflow
File: `.github/workflows/publish.yml`

```yaml
name: Publish Blog
on:
  push:
    branches:
      - master
jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      # Fetch the repo plus the Blowfish theme submodule
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: "roberto.tazzoli@gmail.com"
          password: ${{ secrets.DOCKER_PASSWORD }}
      # Build from the repository Dockerfile and push both tags
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: |
            tazzo/tazlab-blog:latest
            tazzo/tazlab-blog:blog-${{ github.run_number }}-${{ github.sha }}
```
Steps in Detail
- Checkout: `actions/checkout@v4` with `submodules: recursive`, so the Blowfish theme (a git submodule) is fetched along with the site source.
- Login: `docker/login-action@v3` authenticates to Docker Hub with the username `roberto.tazzoli@gmail.com` and the `DOCKER_PASSWORD` repository secret. The secret should hold a Docker Hub access token scoped to read/write rather than the account password, so it can be revoked on its own if the repository or its logs are ever exposed.
- Build and push: `docker/build-push-action@v5` builds from the repository's `Dockerfile` (build context `.`) and pushes the two tags listed below.
Tags
| Tag | Type | Example | Purpose |
|---|---|---|---|
| `latest` | Mutable | `tazzo/tazlab-blog:latest` | Always the most recent build |
| `blog-<N>-<sha>` | Immutable | `tazzo/tazlab-blog:blog-47-a1b2c3d` (SHA shortened for display) | Specific build, used by Flux image automation |

`run_number` is GitHub's monotonically increasing counter for this workflow (it is not bumped by re-running an existing run). `sha` is the full 40-character commit hash, so a real tag is longer than the example above; it lets a running image be traced back to the exact commit that produced it.
Delivery Chain
Git push → GitHub Action → Docker Hub → Flux ImageRepository (poll 1m) → ImagePolicy (numerical:asc) → ImageUpdateAutomation (commit) → Kustomization reconcile → Deployment rollout
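The ImagePolicy step above is the one that decides which tag reaches the cluster, and the `numerical:asc` ordering matters: run numbers are decimal integers, so a plain string sort would rank `blog-99-…` above `blog-100-…`. The following Python is an added example, not code from this project or from Flux, that mimics the filter-and-order logic over a constructed tag list. The regex standing in for the ImagePolicy `filterTags` pattern is an assumption written to match the `blog-<N>-<sha>` scheme; the page does not show the cluster's actual policy.

```python
import re
from typing import Optional

# Assumed filterTags-style pattern: matches blog-<run>-<full 40-hex sha>.
# The real Flux ImagePolicy is not reproduced on this page.
TAG_PATTERN = re.compile(r"^blog-(?P<run>[0-9]+)-(?P<sha>[0-9a-f]{40})$")

# Constructed sample tags as Docker Hub might list them for the repository.
# The SHAs are fake placeholders; "latest" and a short-SHA tag are included
# to show what the filter rejects.
SAMPLE_TAGS = [
    "latest",
    "blog-47-" + "a" * 40,
    "blog-99-" + "b" * 40,
    "blog-100-" + "c" * 40,
    "blog-101-abc1234",  # short SHA: does not match the pattern
]


def parse_tag(tag: str) -> Optional[dict]:
    """Return {'run': int, 'sha': str} for a blog-<N>-<sha> tag, else None."""
    m = TAG_PATTERN.match(tag)
    if not m:
        return None
    return {"run": int(m.group("run")), "sha": m.group("sha")}


def select_numerical_asc(tags):
    """Mimic ImagePolicy 'numerical: asc': keep only tags matching the pattern,
    order by the extracted run number as an integer, return the highest."""
    candidates = []
    for t in tags:
        parsed = parse_tag(t)
        if parsed:
            candidates.append((parsed["run"], t))
    if not candidates:
        return None
    return max(candidates)[1]


def select_alphabetical_asc(tags):
    """The naive alternative: plain string ordering over the same candidates.
    Shown only to make the mis-ordering visible."""
    candidates = [t for t in tags if parse_tag(t)]
    return max(candidates) if candidates else None


def commit_for_tag(tag: str) -> Optional[str]:
    """Traceability: recover the full commit SHA baked into an immutable tag."""
    parsed = parse_tag(tag)
    return parsed["sha"] if parsed else None


if __name__ == "__main__":
    chosen = select_numerical_asc(SAMPLE_TAGS)
    print("numerical:asc picks ", chosen)
    print("alphabetical picks  ", select_alphabetical_asc(SAMPLE_TAGS))
    print("commit for chosen tag", commit_for_tag(chosen))
```

With these inputs the numerical policy selects the run-100 tag, while string ordering would have selected run 99 and rolled the cluster to an older build; `latest` and the short-SHA tag are filtered out before ordering, which is why the workflow pushes the full `github.sha` rather than an abbreviated one.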
Manual Publish Script
File: `scripts/publish.sh`

An alternative, Kaniko-based publish script for use inside the TazPod container. Kaniko builds the image in userspace from the same Dockerfile and pushes it to Docker Hub, so the script needs neither a Docker daemon nor Docker-in-Docker.
See Also
- Topic: Publication Pipeline
- Cluster: Image Automation Detail
- Hub: blog-src