If you’re like me, every project you work on worth anything gets put in GitHub. It’s safe and you get all the benefits of using Git. Of course those benefits include deployment hooks, if you’ve got the system setup for it. On small projects it may seem like it’s more hassle to setup deployment hooks, after all SFTP is simple enough, however it’s actually quite easy to do and only take a few minutes to setup. My use case is JonDavis.name (which is kept in a private GitHub repo) and this has made life much easier for me, even for a single-page website.
The below instructions are all based off of
markomarkovic/simple-php-git-deploy and oodavid’s gist. You can read them for more details and options or continue below for the tldr version.
- ssh to your server & navigate to your website folders
sudo mkdir /var/www/.sshsudo chown -R www-data:www-data /var/www/.ssh/sudo echo "deny from all" > /var/www/.ssh/.htaccess/sudo -Hu www-data ssh-keygen -t rsa # choose “no passphrase”sudo cat /var/www/.ssh/id_rsa.pubwget https://github.com/markomarkovic/simple-php-git-deploy/archive/master.zipunzip master.zip && rm master.zipcd ./simple-php-git-deploy-mastertouch index.htmlmv deploy-config.example.php deploy-config.phpnano deploy-config.php (or your editor of choice)- Change
define('SECRET_ACCESS_TOKEN', — to something more secure, perhaps use a strong password generator
- Change
define('REMOTE_REPOSITORY', — You must use the SSH url if its a private repository
- Save & Exit
Go to your repository on GitHub
Settings > Deploy Keys
Copy & paste the output from id_rsa.pub above
Do _not_ allow write access.
Add Key
Go to Webhooks & Services
Add Webhook
Payload URL: https://YOURDOMAIN.TLD/simple-php-git-deploy-master/deploy.php?sat=YOUR_SECRET_ACCESS_TOKEN
Content Type & Secret don’t matter (can be left blank)
Select “Just the push”
Add Webhook
At this point GitHub should test your webhook and if all was setup correctly, your most recent commit will be deployed onto your server.
Before you’re done… verify that your http://serverip/.ssh/ is not accessible.
Commit more code!
One of the important security items that I want to highlight and re-highlight is that you’re using the apache process (www-data or apache) with SSH outbound (inbound is generally disabled, so that’s not an issue). However Apache’s home directory (/var/www) is publicly accessible/readable by default, including ~/.ssh/. You need to make sure no one can read those keys (or theoretically they could go fetch your private codebase). You may need to change the Apache configs (/etc/apache2/sites-enabled/000-default.conf) to allow the “Deny from all” statement to work.
Beyond this small piece of securing your code, you’re good to go! It’s really easy to do your dev work locally, commit, and watch the changes show up in production a minute later. Since I use my portfolio site to learn new web technologies, it’s been really handy to be able to quickly iterate. So go out there and code!
