Blog: CI/CD Detail

Level 3 (Detail) — GitHub Actions publication pipeline.

Concept

The CI pipeline builds the Hugo site, packages the generated HTML into an Nginx Docker image, and pushes that image to Docker Hub. It runs on every push to the master branch; pushes to other branches and pull requests do not trigger it.

Workflow

File: .github/workflows/publish.yml

name: Publish Blog

on:
  push:
    branches:
      - master

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: "roberto.tazzoli@gmail.com"
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: |
            tazzo/tazlab-blog:latest
            tazzo/tazlab-blog:blog-${{ github.run_number }}-${{ github.sha }}

Steps in Detail

  1. Checkout: Uses actions/checkout@v4 with submodules: recursive so the Blowfish theme submodule is fetched together with the site source
  2. Login: Authenticates to Docker Hub with username roberto.tazzoli@gmail.com and the DOCKER_PASSWORD repository secret (the value can be a Docker Hub access token instead of the account password)
  3. Build and push: Builds from the repository's Dockerfile with the repository root as build context (context: .) and pushes the two tags listed below in a single step

Tags

Tag             Type       Example                              Purpose
latest          Mutable    tazzo/tazlab-blog:latest             Always the most recent build
blog-<N>-<sha>  Immutable  tazzo/tazlab-blog:blog-47-a1b2c3d    Specific build, used by Flux image automation

github.run_number is the per-workflow counter that GitHub increments on every run of this workflow; github.sha is the full 40-character commit hash (the example above is shortened for display). Because latest is overwritten by every build, it cannot identify a deployment; Flux tracks the immutable blog-<N>-<sha> tag instead.

Delivery Chain

Git push → GitHub Action → Docker Hub → Flux ImageRepository (poll 1m) → ImagePolicy (numerical:asc) → ImageUpdateAutomation (commit) → Kustomization reconcile → Deployment rollout
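The consumer side of this chain, written out as Flux image-automation objects. This is an added example, not the project's own manifests: the object names, the flux-system namespace, the GitRepository name, the commit author and the manifest path ./apps/blog are assumptions, as is the v1beta2 API version. The filter regex is anchored so that only tags of the form blog-<N>-<sha> are considered, which excludes latest and any tag that does not end in a full 40-hex-digit SHA; the run number is extracted so the numerical policy compares 47 and 100 as numbers rather than as strings.

```yaml
# Polls Docker Hub for tags of the blog image (interval matches the "poll 1m" in the chain above).
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: tazlab-blog          # assumed name
  namespace: flux-system     # assumed namespace
spec:
  image: tazzo/tazlab-blog
  interval: 1m
---
# Selects the newest immutable tag. Only blog-<N>-<sha> tags pass the filter;
# "latest" and malformed tags never match, and $run is what gets compared numerically.
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: tazlab-blog          # assumed name
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: tazlab-blog
  filterTags:
    pattern: '^blog-(?P<run>[0-9]+)-[0-9a-f]{40}$'   # full github.sha, not an abbreviated one
    extract: '$run'
  policy:
    numerical:
      order: asc             # highest run number wins (the "numerical:asc" policy)
---
# Commits the selected tag back to the manifests repo, which the Kustomization then reconciles.
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: tazlab-blog          # assumed name
  namespace: flux-system
spec:
  interval: 1m
  sourceRef:
    kind: GitRepository
    name: flux-system        # assumed: the GitRepository the Kustomization reconciles from
  git:
    checkout:
      ref:
        branch: master
    commit:
      author:
        name: fluxcdbot                                   # assumed commit identity
        email: fluxcdbot@users.noreply.github.com
      messageTemplate: 'Update blog image to {{range .Updated.Images}}{{println .}}{{end}}'
    push:
      branch: master
  update:
    path: ./apps/blog        # assumed path to the Deployment manifest
    strategy: Setters
```

For the automation to rewrite the image field, the Deployment manifest under that path carries a setter marker on the container image line, for example `image: tazzo/tazlab-blog:blog-47-a1b2c3d # {"$imagepolicy": "flux-system:tazlab-blog"}`; Flux replaces only the tag that the marker points at, so nothing else in the manifest is touched by an image update.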

Manual Publish Script

File: scripts/publish.sh

An alternative publish script for use inside the TazPod container. It builds and pushes the blog Docker image with Kaniko, which builds images in userspace without a Docker daemon, so no Docker-in-Docker is required.

See Also