Git Deploy (CI/CD)
Automated CI/CD pipeline with GitHub webhook integration, preview environments, build logs, deploy history, and rollback support.
Git Deploy provides a full CI/CD pipeline that builds and deploys your application automatically when you push to GitHub. It supports production builds, preview environments for pull requests, deploy history with rollback, and real-time build logs.
How It Works
GitHub Push/PR → Webhook → OneLift API → Worker Queue → SSH → Server
↓
git clone → docker build → lift deploy
- GitHub sends a webhook on push or pull request events
- OneLift verifies the HMAC-SHA256 signature and enqueues a build job
- Worker clones the repo, detects the build method, and builds a Docker image
- Lift CLI deploys the image with a zero-downtime swap, using a fire-and-forget pattern
- Deploy history records every build with status, duration, and commit info
Setup
1. Configure in the Dashboard
Navigate to Project > Deployments > Git Deploy tab:
- Enter your GitHub repository URL
- Set the branch to track (default: main)
- Provide a GitHub personal access token (for private repos)
- Choose build method: dockerfile, compose, or nixpacks (auto-detect)
- Optionally configure build resource limits (memory, CPUs)
2. Add the Webhook to GitHub
After saving the configuration, the dashboard shows a webhook URL and secret:
- Go to GitHub > Repository > Settings > Webhooks > Add webhook
- Paste the Payload URL from the dashboard
- Set Content type to application/json
- Paste the Secret from the dashboard
- Select events: Pushes and Pull requests
- Click Add webhook
3. Push and Deploy
Push to your configured branch — the build starts automatically.
git push origin main
The build log dialog opens in the dashboard in real time, showing:
- Phases: Cloning → Building → Deploying → Health Check
- Live log output streamed via Centrifugo
- Elapsed time counter
- Auto-closes after 3 seconds on success
Preview Environments
When a pull request is opened or updated, Git Deploy automatically creates an isolated preview environment.
Features
- Automatic creation on PR open/reopen/synchronize events
- Automatic cleanup on PR close/merge
- Isolated containers with half of production resource limits
- Unique URLs using sslip.io wildcard DNS: http://pr-{N}.{IP}.sslip.io
- GitHub PR comments with preview URL, commit info, and status
- Configurable limits: max previews (1-10), auto-close hours (1-720)
- Stale preview cleanup via scheduled background job
Configuration
In the Git Deploy settings tab:
| Setting | Description | Default |
|---|---|---|
| Preview Enabled | Enable preview environments for PRs | false |
| Max Previews | Maximum concurrent preview environments | 3 |
| Auto-Close Hours | Automatically close previews after N hours | 72 |
Deploy History
Every build (production, preview, rollback) is recorded in the deploy history with:
- Status: building, deploying, success, failed, rolled_back
- Timing: build duration, deploy duration
- Git info: branch, commit hash, commit message, author
- Type: push (manual), webhook (automatic), rollback
Viewing History
Navigate to Project > Deployments > History tab to see all deployments with:
- Status badges with color coding
- Build and deploy duration
- Commit info with short hash
- Error details for failed builds (expandable)
- Compare view between two deployments (via GitHub API)
Rollback
Roll back to any previous successful deployment:
- Go to Deploy History tab
- Find a successful deployment
- Click Rollback and confirm
- The previous Docker image is redeployed (no rebuild needed)
Rollback reuses the existing Docker image tag, so it is near-instant.
Build Methods
Git Deploy auto-detects the build method by checking for these files (in order):
| Priority | File | Method |
|---|---|---|
| 1 | compose.yml / docker-compose.yml | compose |
| 2 | Dockerfile | dockerfile |
| 3 | (fallback) | nixpacks |
You can override auto-detection in the Git Deploy settings.
Security
- Webhook signatures verified with HMAC-SHA256 and crypto.timingSafeEqual()
- GitHub tokens encrypted via Infisical (never stored in plaintext)
- Token stripped from .git/config after clone/fetch operations
- Temp files (config, token) cleaned up in finally blocks
- Rate limiting: 10 webhook requests per minute per configuration
- PR number validation: integer-only to prevent path injection
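The signature and PR-number checks listed above, sketched in Node.js as an added example (this is not OneLift's own code). The function names, status codes, job shape and sample secret are assumptions; X-Hub-Signature-256 and X-GitHub-Event are the headers GitHub sends with each delivery.

```javascript
const crypto = require("node:crypto");

// GitHub sends "sha256=<hex HMAC-SHA256 of the raw request body>".
function verifySignature(secret, rawBody, header) {
  const m = typeof header === "string" && /^sha256=([0-9a-f]{64})$/i.exec(header);
  if (!m) return false; // missing, malformed, truncated or padded signature
  // The HMAC must cover the raw bytes received, not re-serialized JSON.
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  // timingSafeEqual throws on unequal lengths; the regex guarantees 32 bytes.
  return crypto.timingSafeEqual(Buffer.from(m[1], "hex"), expected);
}

// Integer-only PR numbers keep values such as "1/../x" out of names and paths.
function parsePrNumber(value) {
  const s = String(value);
  return /^[1-9][0-9]{0,8}$/.test(s) ? Number(s) : null;
}

// Hypothetical intake function: authenticate first, parse second.
// Header keys are lower-case, as Node presents incoming headers.
function acceptWebhook(secret, rawBody, headers) {
  if (!verifySignature(secret, rawBody, headers["x-hub-signature-256"])) {
    return { ok: false, status: 401 };
  }
  const payload = JSON.parse(rawBody.toString("utf8"));
  if (headers["x-github-event"] === "pull_request") {
    const pr = parsePrNumber(payload.number);
    if (pr === null) return { ok: false, status: 400 };
    return { ok: true, status: 202, job: { kind: "preview", name: `pr-${pr}` } };
  }
  return { ok: true, status: 202, job: { kind: "production" } };
}

// Constructed sample delivery (not real data).
const SECRET = "constructed-test-secret";
function sign(body) {
  return "sha256=" + crypto.createHmac("sha256", SECRET).update(body).digest("hex");
}
const BODY = Buffer.from(JSON.stringify({ action: "opened", number: 42 }));
const HEADERS = { "x-hub-signature-256": sign(BODY), "x-github-event": "pull_request" };

console.log(acceptWebhook(SECRET, BODY, HEADERS));
```

The handler needs the request body as received bytes, so the web framework must expose the raw body before any JSON middleware rewrites it.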
Troubleshooting
Build fails with "Dockerfile not found"
Ensure your repository has a Dockerfile in the root directory, or configure the build method to nixpacks for automatic buildpack detection.
Preview URL not accessible
Preview environments use HTTP (not HTTPS) on sslip.io wildcard DNS. Ensure your browser is not forcing HTTPS. The URL format is http://pr-{N}.{IP-dashed}.sslip.io.
Webhook not triggering
- Check GitHub webhook delivery logs (Settings > Webhooks > Recent Deliveries)
- Verify the webhook secret matches exactly
- Ensure the correct events are selected (Pushes and Pull requests)
- Check that the branch matches the configured tracking branch
Related
- Production Deploy - Manual production deployments
- Preview Deploy - CLI-based preview deployments
- Zero-Downtime - Zero-downtime deployment strategy
- lift push - CLI push command