GitHub Actions
Trigger a dockmesh redeploy from a GitHub Actions workflow — useful when your Compose file or application image is updated in your repo.
Authentication
Create an API token in dockmesh:
Settings → API tokens → New token
- Name: github-actions
- Role: A custom role with stacks.deploy + stacks.read scoped to the target stacks (don’t give it Admin)
- Expiration: 90 days or longer (rotate periodically)
Copy the token. Save it as a GitHub secret named DOCKMESH_TOKEN.
Also save your dockmesh URL as DOCKMESH_URL (e.g. https://dockmesh.example.com).
Workflow
.github/workflows/deploy.yml:

```yaml
name: Deploy to dockmesh

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Trigger dockmesh deploy
        env:
          URL: ${{ secrets.DOCKMESH_URL }}
          TOKEN: ${{ secrets.DOCKMESH_TOKEN }}
        run: |
          # Without pipefail, a failed curl would be masked by tee's exit status
          set -o pipefail
          curl -fsSL -X POST \
            -H "Authorization: Bearer $TOKEN" \
            -H "Content-Type: application/json" \
            "$URL/api/v1/stacks/analytics/deploy" \
            | tee deploy.json

      - name: Wait for deploy
        env:
          URL: ${{ secrets.DOCKMESH_URL }}
          TOKEN: ${{ secrets.DOCKMESH_TOKEN }}
        run: |
          deploy_id=$(jq -r .id deploy.json)
          # Poll up to 60 times, 2 seconds apart
          for i in $(seq 1 60); do
            status=$(curl -fsSL -H "Authorization: Bearer $TOKEN" \
              "$URL/api/v1/deploys/$deploy_id" | jq -r .status)
            echo "[$i] Status: $status"
            case "$status" in
              success) exit 0 ;;
              failed) exit 1 ;;
            esac
            sleep 2
          done
          echo "Timeout waiting for deploy"
          exit 1
```

Patterns
Build image, push, redeploy

```yaml
- uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}

- uses: docker/build-push-action@v5
  with:
    context: .
    push: true
    tags: ghcr.io/${{ github.repository }}:${{ github.sha }}

- name: Update stack tag and redeploy
  env:
    URL: ${{ secrets.DOCKMESH_URL }}
    TOKEN: ${{ secrets.DOCKMESH_TOKEN }}
  run: |
    # -f makes curl exit non-zero on an HTTP error, so a rejected
    # tag update stops the step before the redeploy call
    curl -fsS -X PATCH -H "Authorization: Bearer $TOKEN" \
      -H "Content-Type: application/json" \
      -d "{\"image_tag\":\"${{ github.sha }}\"}" \
      "$URL/api/v1/stacks/analytics/image-tag"
    curl -fsS -X POST -H "Authorization: Bearer $TOKEN" \
      "$URL/api/v1/stacks/analytics/deploy"
```

Deploy only on tagged releases
```yaml
on:
  push:
    tags: ['v*']
```

Manual approval gate
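```yaml
environment:
  name: production
  # environment.url cannot read the secrets context; this assumes the URL is
  # also stored as a configuration variable named DOCKMESH_URL
  url: ${{ vars.DOCKMESH_URL }}
```

Requires a reviewer to approve before the job proceeds. Configure reviewers in the repo’s environment settings.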
Rolling back
If a deploy fails, the stack is auto-rolled back by dockmesh. The GitHub Action job fails with the dockmesh error in logs.
For manual rollback after a successful but bad deploy:
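```yaml
- name: Rollback
  env:
    URL: ${{ secrets.DOCKMESH_URL }}
    TOKEN: ${{ secrets.DOCKMESH_TOKEN }}
  run: |
    # -f makes the step fail if dockmesh rejects the rollback request
    curl -fsS -X POST -H "Authorization: Bearer $TOKEN" \
      "$URL/api/v1/stacks/analytics/rollback"
```

Rollback reverts to the previous image tag + compose revision.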
Security notes
- Scope the dockmesh API token as narrowly as possible
- Rotate the token every 90 days (set expiration)
- Use repository environments to restrict which branches/tags can deploy
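- Consider IP allowlisting on the dockmesh side — GitHub-hosted runners have known IP ranges you can trust. Those ranges are shared by every GitHub-hosted runner user and change over time, so keep the allowlist as an extra layer on top of the scoped token.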
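
The notes above combined into one workflow, as an added example rather than dockmesh's own. It assumes DOCKMESH_URL and DOCKMESH_TOKEN are stored as secrets of the production environment (not as repository secrets), so they are released only to jobs that pass that environment's reviewers and branch/tag rules; the concurrency group name is also an assumption.

```yaml
# Added example: gated variant of the deploy workflow on this page.
# Assumption: DOCKMESH_URL and DOCKMESH_TOKEN are environment secrets of
# "production", so a job outside that environment cannot read them.
name: Deploy to dockmesh (gated)

on:
  push:
    tags: ['v*']              # deploy only on tagged releases

permissions: {}               # this job never uses GITHUB_TOKEN

concurrency:
  group: dockmesh-analytics   # assumed name; one deploy of the stack at a time
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    environment: production   # reviewers and allowed tags are set on the environment
    env:
      URL: ${{ secrets.DOCKMESH_URL }}
      TOKEN: ${{ secrets.DOCKMESH_TOKEN }}
    steps:
      - name: Trigger dockmesh deploy
        shell: bash           # explicit bash runs with -eo pipefail
        run: |
          curl -fsS -X POST \
            -H "Authorization: Bearer $TOKEN" \
            -H "Content-Type: application/json" \
            "$URL/api/v1/stacks/analytics/deploy" -o deploy.json
          # jq -e exits non-zero when .id is missing or null, failing the step
          jq -er .id deploy.json > deploy_id.txt

      - name: Wait for deploy
        shell: bash
        run: |
          deploy_id=$(cat deploy_id.txt)
          for i in $(seq 1 60); do
            # A transient request error is retried instead of aborting the loop
            status=$(curl -fsS -H "Authorization: Bearer $TOKEN" \
              "$URL/api/v1/deploys/$deploy_id" | jq -r .status) || status=unknown
            echo "[$i] Status: $status"
            case "$status" in
              success) exit 0 ;;
              failed)  exit 1 ;;
            esac
            sleep 2
          done
          echo "Timeout waiting for deploy"
          exit 1
```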
See also
- API Overview — full API reference
- RBAC — creating narrow roles for tokens
- Audit Log — API token actions are logged