If you’re like me, every project you work on that’s worth anything gets put on GitHub. It’s safe and you get all the benefits of using Git. Of course, those benefits include deployment hooks, if you’ve got the system set up for it. On small projects it may seem like more hassle to set up deployment hooks (after all, SFTP is simple enough), but it’s actually quite easy to do and only takes a few minutes. My use case is JonDavis.name (which is kept in a private GitHub repo) and this has made life much easier for me, even for a single-page website.
The instructions below are all based on markomarkovic/simple-php-git-deploy and oodavid’s gist. You can read them for more details and options or continue below for the tl;dr version.
- ssh to your server & navigate to your website folders
sudo mkdir /var/www/.ssh
sudo chown -R www-data:www-data /var/www/.ssh/
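# the redirect has to run as root too, so pipe into sudo tee instead of using "sudo echo ... >"
echo "deny from all" | sudo tee /var/www/.ssh/.htaccess > /dev/null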
sudo -Hu www-data ssh-keygen -t rsa
# choose “no passphrase”
sudo cat /var/www/.ssh/id_rsa.pub
wget https://github.com/markomarkovic/simple-php-git-deploy/archive/master.zip
unzip master.zip && rm master.zip
cd ./simple-php-git-deploy-master
touch index.html
mv deploy-config.example.php deploy-config.php
nano deploy-config.php
(or your editor of choice)
- Change the value in define('SECRET_ACCESS_TOKEN', to something more secure, perhaps from a strong password generator
- Change the value in define('REMOTE_REPOSITORY', (you must use the SSH URL if it’s a private repository)
- Save & Exit
One important security item that I want to highlight and re-highlight: you’re using the Apache process account (www-data or apache) with outbound SSH (inbound is generally disabled, so that’s not an issue). However, Apache’s home directory (/var/www) is publicly accessible/readable by default, including ~/.ssh/. You need to make sure no one can read those keys (or theoretically they could go fetch your private codebase). You may need to change the Apache configs (/etc/apache2/sites-enabled/000-default.conf) to allow the “Deny from all” statement to work.
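The check below is an added example, not part of the original post or of simple-php-git-deploy: a shell audit of the key directory created above that flags loose permissions and a missing or ineffective .htaccess. The function names (go_bits, audit_ssh_dir, key_exposed) are made up for this example, and the URL in the comment is a placeholder for your own site.

```sh
#!/bin/sh
# Added example: audit the deploy-key directory, e.g.  sh audit.sh /var/www/.ssh
# All function names here are hypothetical helpers, not part of any tool.

# Group/other permission bits of a path, e.g. "------" or "r-xr-x".
go_bits() { ls -ld "$1" | cut -c5-10; }

# Prints one line per finding; the exit status is the number of findings.
audit_ssh_dir() {
    dir=$1
    n=0
    flag() { echo "FAIL: $1"; n=$((n + 1)); }

    # Local users other than the web-server account must not reach the keys.
    [ "$(go_bits "$dir")" = "------" ] || flag "$dir is open to group/other"

    # Every file except *.pub, known_hosts and .htaccess is treated as secret.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        case ${f##*/} in *.pub|known_hosts|.htaccess) continue ;; esac
        [ "$(go_bits "$f")" = "------" ] || flag "$f is readable beyond its owner"
    done

    # The deny rule has to be a regular file that actually contains a deny.
    ht=$dir/.htaccess
    if [ ! -f "$ht" ]; then
        flag "$ht is missing or not a regular file"
    elif ! grep -Eiq '^[[:space:]]*(deny from all|require all denied)' "$ht"; then
        flag "$ht has no deny rule"
    fi
    return "$n"
}

# Files owned by www-data stay readable to Apache itself, and .htaccess is
# ignored under AllowOverride None, so also check what your own site answers:
#   curl -s -o /dev/null -w '%{http_code}' https://example.com/.ssh/id_rsa
# key_exposed CODE succeeds when that status means the key is being served.
key_exposed() {
    case $1 in 2??) return 0 ;; *) return 1 ;; esac
}

if [ -n "${1:-}" ]; then audit_ssh_dir "$1"; fi
```

A clean on-disk audit is not sufficient on its own; the HTTP status your server returns for the key path is the authoritative result.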
Beyond this small piece of securing your code, you’re good to go! It’s really easy to do your dev work locally, commit, and watch the changes show up in production a minute later. Since I use my portfolio site to learn new web technologies, it’s been really handy to be able to quickly iterate. So go out there and code!