Reusable GitHub Actions for Shipstuff repos.
Upload built artifacts to a Shipstuff DigitalOcean edge host over SSH. The
source can be a static asset directory, release directory, or single binary
file, so app repos can publish artifacts without making the edge run builds.
The server-side public key should be installed by servertimeai as an
app-scoped restricted deploy key that only allows rsync server mode through the
dedicated app-deploy SSH listener.
- uses: shipstuff/actions/digital-ocean-upload@main
with:
ssh-private-key: ${{ secrets.EDGE_KEY }}
edge-user: ${{ env.EDGE_USER }}
source-path: ${{ env.SOURCE_PATH }}
# Optional. Defaults to false.
delete: "true"Use the same secret name, EDGE_KEY, in every app repo. The secret value must be
app-specific and match only that app's restricted edge deploy public key.
edge-host defaults to shipstuff.fun. edge-port defaults to 2230, the
dedicated app-deploy SSH listener managed by servertimeai; it is intentionally
separate from admin SSH on port 22. edge-path defaults to
/var/www/html/<edge-user>/, which is the normal per-app web root created by
the cloud playbook. Most app repos only need to pass EDGE_KEY, edge-user,
and source-path.
Only override edge-host, edge-port, or edge-path when publishing to a
non-standard edge, non-standard deploy listener, or non-standard app web root:
with:
edge-host: staging.shipstuff.fun
edge-port: "2230"
edge-path: /var/www/html/custom-path/delete: "true" passes --delete to rsync, which removes remote files that no
longer exist locally. Use it when the remote path is a fully generated artifact
directory owned by this deploy, especially hashed frontend builds, so stale
files do not accumulate or keep serving old code.
Leave delete as "false" for binary uploads, mixed publish directories,
operator-managed files, user-generated content, or any destination that this
deploy does not exclusively own. The action rejects delete: "true" for
single-file uploads because --delete is meaningful for directory syncs, not
one-off artifact uploads.
Production backend deploys should wait for the edge watcher to process the activation marker. Without this wait, CI can report success after uploading the marker even if the watcher later fails staging or production health checks.
- uses: shipstuff/actions/digital-ocean-upload@main
with:
ssh-private-key: ${{ secrets.EDGE_KEY }}
edge-user: brushscore
source-path: .deploy-marker
edge-path: /home/brushscore/deploy-queue/
delete: "false"
wait-for-marker: "true"
marker-name: ${{ github.sha }}.jsonThe wait uses the same restricted rsync-only key to list
deploy-queue/processed/ and deploy-queue/failed/. It does not require shell
access on the edge host. The action succeeds only when the marker appears in
processed/; it fails if the marker appears in failed/ or if the wait times
out.