ci: stamp builds with git SHA + /api/public/version for deploy verification #537

Merged. Zheaoli merged 1 commit into main from ci-build-sha-version on Jun 12, 2026

Zheaoli (Collaborator) commented Jun 12, 2026

Why

Several recent rounds were lost to not knowing what was actually deployed — a manual build run before the latest commit was pushed, a stale :latest pull, and the #534-vs-#535 mixup. The only way to tell what was live was hand-inspecting rendered DOM classes. This makes the deployed commit verifiable at a glance.

What

  • build-main workflow: resolve the short commit SHA, pass it as a BUILD_SHA build-arg, and tag the pushed image :git-<sha> alongside :latest (so the image is identifiable by commit, not just latest).
  • Dockerfile: accept ARG BUILD_SHA (default unknown) and set it as a runtime env in the runner stage.
  • GET /api/public/version (hono public route): returns { "code": 200, "data": { "sha": "<commit>" } }.

Usage

After a deploy:

curl -s https://photos.manjusaka.me/api/public/version
# { "data": { "sha": "b880071..." }, ... }

Compare to the branch HEAD you intended to ship — if they differ, the deploy didn't take (rebuild/repull) before spending time debugging behaviour.

Scope

  • Independent of any feature work (workflow + Dockerfile + one new public route). No app behaviour change. Local/dev builds without the arg report "unknown".
  • Public, unauthenticated, no sensitive data (just the commit short SHA, which is already public on GitHub).
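
An added example (not part of this pull request or the project's code): a shell check for the Usage step above, comparing the `sha` from `/api/public/version` with the commit you intended to ship and treating `unknown` or a malformed response as unverifiable. The function names, return codes and the 7-character minimum are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: verify a deploy against the commit you meant to ship.

# Pull data.sha out of a body such as {"code":200,"data":{"sha":"b880071"}}
# without depending on jq. Prints nothing when no "sha" field is present.
extract_sha() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"sha"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# verify_deploy BODY EXPECTED_SHA
# returns 0 = same commit, 1 = different commit, 2 = cannot be verified
verify_deploy() {
  live=$(extract_sha "$1" | tr 'A-F' 'a-f')
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$live" in
    ''|unknown) return 2 ;;        # no SHA, or image built without BUILD_SHA
    *[!0-9a-f]*) return 2 ;;       # not hex: treat the response as untrusted
  esac
  # Very short prefixes match too many commits to prove anything.
  [ "${#live}" -ge 7 ] || return 2
  [ "${#want}" -ge 7 ] || return 2
  # The endpoint reports a short SHA; accept either side as a prefix of the
  # other so a full 40-character HEAD can be passed as EXPECTED_SHA.
  case "$want" in "$live"*) return 0 ;; esac
  case "$live" in "$want"*) return 0 ;; esac
  return 1
}

# Against a real deploy (URL taken from the PR description):
#   body=$(curl -fsS https://photos.manjusaka.me/api/public/version)
#   verify_deploy "$body" "$(git rev-parse HEAD)"; echo "result: $?"
```

A result of 2 means the check itself failed (dev build, error page, proxy response) and should block a release gate just as a mismatch does.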

…tion

Deploys repeatedly drifted from the branch HEAD (a manual build run before
the latest commit, a stale `:latest` pull, the #534-vs-#535 mixup), and the
only way to tell what was actually live was to hand-inspect rendered DOM
classes. Make the deployed commit verifiable at a glance.

- build-main: pass the short commit SHA as a `BUILD_SHA` build-arg and also
  tag the pushed image `:git-<sha>` alongside `:latest`, so the image is
  identifiable by commit.
- Dockerfile: accept `BUILD_SHA` (default `unknown`) and set it as a runtime
  env in the runner stage.
- Add GET /api/public/version returning `{ sha }` (the build's commit) so a
  running deploy can be checked with `curl /api/public/version` — it should
  report the commit you expect — instead of guessing whether `:latest` is the
  branch HEAD.

Local/dev builds without the arg report "unknown". No app behaviour change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

vercel Bot commented Jun 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| picimpact | Ready | Preview, Comment | Jun 12, 2026 2:31pm |

@Zheaoli Zheaoli merged commit 21bd6e6 into main Jun 12, 2026
6 checks passed
@Zheaoli Zheaoli deleted the ci-build-sha-version branch June 12, 2026 17:55