DEV Community

alok-38

Why does my GitHub repository fail to deploy to EC2 via CI/CD?

Deploying a GitHub repository to an EC2 instance via CI/CD can fail for several unrelated reasons: workflow YAML formatting, tag handling, SSH key setup and, most often, networking. In this post I walk through the pitfalls I hit, in the order I hit them, and how I fixed each one.

1️⃣ Initial Setup

  • Goal: Deploy the DevOps repo from GitHub to an EC2 instance automatically via GitHub Actions when a tag is pushed.

  • EC2: t3.micro, public IP 18.209.17.223, Security Group allowing SSH only from my own IP.

  • Workflow: .github/workflows/deploy.yml using appleboy/ssh-action@v1.0.3.

  • Private key: DevOps.pem (AWS key pair).

2️⃣ Workflow YAML issues

Problem

My initial YAML looked like this:

script: cd /usr/share/nginx/html/DevOps
git pull origin main
sudo systemctl reload nginx

  • Without the | (literal block) indicator, only the first line is the value of script, so only cd reached the SSH session.

  • git pull and systemctl reload nginx were outside script, so they were never sent to the instance as commands.

  • Result: nothing useful executed, and the logs were confusing because the step still reported the cd as run.

Fix

Correct YAML formatting:

script: |
  set -e
  cd /usr/share/nginx/html/DevOps
  git fetch origin
  git checkout main
  git pull origin main
  sudo systemctl reload nginx

  • The | literal block makes every indented line part of script, so all commands run in order in one SSH session.

  • set -e aborts the script at the first failing command, so a failed git pull does not go on to reload nginx over a half-updated tree.

3️⃣ Commit / Tag confusion

Problem

git tag v1.0.0
git push origin v1.0.0
fatal: tag 'v1.0.0' already exists

  • I tried to create a tag that already existed locally; git tag refuses to overwrite it.

  • The workflow is triggered only by a tag push, so no new tag means no deployment.

Fix

  • Use a new tag:
git tag v1.0.1
git push origin v1.0.1
  • The workflow triggered as expected.
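As an added example (not code from the post), a small shell helper that implements the "avoid reusing tags" rule: next_patch_tag takes the existing tags as printed by git tag -l 'v*', ignores anything that is not a plain vMAJOR.MINOR.PATCH, compares the three numbers numerically (so v1.0.10 ranks above v1.0.9, which a plain text sort gets wrong) and prints the next patch tag. cut_release then refuses to create a tag that already exists locally or on origin before pushing it. The annotated-tag message and the remote name origin are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pick the next release tag instead of retyping one by hand.

# next_patch_tag EXISTING_TAGS
#   EXISTING_TAGS is newline-separated, e.g. the output of `git tag -l 'v*'`.
#   Prints vMAJOR.MINOR.(PATCH+1) of the highest plain vX.Y.Z tag, or v1.0.0
#   when no such tag exists yet.
next_patch_tag() {
  local existing="$1" tag rest maj min pat
  local bmaj=-1 bmin=-1 bpat=-1          # highest version seen so far
  while IFS= read -r tag; do
    case "$tag" in
      v[0-9]*.[0-9]*.[0-9]*) ;;          # candidate shape; validated below
      *) continue ;;                      # e.g. "latest", "v2", "v1.2"
    esac
    rest="${tag#v}"
    maj="${rest%%.*}"; rest="${rest#*.}"
    min="${rest%%.*}"; pat="${rest#*.}"
    case "$maj$min$pat" in
      *[!0-9]*) continue ;;              # e.g. "v1.1.0-rc1", "v1.2.3.4"
    esac
    # numeric, component-wise comparison (string order would put v1.0.9 above v1.0.10)
    if [ "$maj" -gt "$bmaj" ] \
       || { [ "$maj" -eq "$bmaj" ] && [ "$min" -gt "$bmin" ]; } \
       || { [ "$maj" -eq "$bmaj" ] && [ "$min" -eq "$bmin" ] && [ "$pat" -gt "$bpat" ]; }; then
      bmaj=$maj; bmin=$min; bpat=$pat
    fi
  done <<EOF
$existing
EOF
  if [ "$bmaj" -lt 0 ]; then
    printf 'v1.0.0\n'                     # no release tag yet: start the series
  else
    printf 'v%s.%s.%s\n' "$bmaj" "$bmin" "$((bpat + 1))"
  fi
}

# cut_release TAG
#   Creates an annotated tag and pushes it, but only if TAG exists neither
#   locally nor on origin, so an existing tag is never silently reused.
cut_release() {
  local tag="$1"
  if git rev-parse -q --verify "refs/tags/$tag" >/dev/null 2>&1; then
    echo "refusing: tag $tag already exists locally" >&2
    return 1
  fi
  if git ls-remote --exit-code --tags origin "refs/tags/$tag" >/dev/null 2>&1; then
    echo "refusing: tag $tag already exists on origin" >&2
    return 1
  fi
  git tag -a "$tag" -m "Release $tag" && git push origin "refs/tags/$tag"
}

# Typical use from the repository root (not executed when this file is sourced):
#   next="$(next_patch_tag "$(git tag -l 'v*')")" && cut_release "$next"
```

Pushing the fully qualified refs/tags/NAME rather than a bare name avoids accidentally pushing a branch that happens to share the tag's name.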

4️⃣ SSH Key Issues

  • I had ~/.ssh/DevOps.pem (the private half of the AWS key pair) but was unsure how to get it into GitHub Secrets.

  • Ensured the key was:

    • Added as the GitHub Secret EC2_SSH_KEY, pasting the whole file including the -----BEGIN ... / -----END ... lines (secrets preserve newlines)
    • Permissions on the local machine: chmod 600 DevOps.pem (ssh refuses a private key that is readable by other users)
    • Matched by the public key in ~/.ssh/authorized_keys of ec2-user on the instance (AWS installs it at launch for the chosen key pair)
  • Verified the key works locally:

ssh -i ~/.ssh/DevOps.pem ec2-user@18.209.17.223

5️⃣ First real error on deployment

GitHub Actions log:

dial tcp ***:22: i/o timeout

  • This is not a YAML or SSH key error: the TCP connection to port 22 was never established, so no key was ever offered. (The *** is GitHub masking the host value because it is stored as a secret.) An authentication problem would instead show up later, as an ssh: handshake failed / unable to authenticate error.

  • Cause: the GitHub Actions runner could not reach EC2 on port 22.

  • The EC2 Security Group only allowed my IP, which blocks every GitHub-hosted runner.

6️⃣ Security Group / Networking Fix

  • Observed EC2 security group:
Inbound rules:
  SSH (22) → 106.51.87.228/32
  HTTP (80) → 0.0.0.0/0

  • Only my IP was allowed → GitHub Actions cannot SSH → timeout.

Fix

  1. Edit Security Group sg-0b901d4d95ca4555f → Inbound rules

  2. Add:

Type  Protocol  Port  Source
SSH   TCP       22    0.0.0.0/0

  • Verified EC2 was still accessible locally

  • After this, GitHub Actions runners can reach port 22. Note that the same rule lets every host on the Internet attempt SSH logins to the instance; key-only authentication (the EC2 default) keeps password guessing out of scope, but the rule should be narrowed as soon as possible (see Lessons Learned below).
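The complete workflow that sections 2 and 6 describe, written out as an added example (this is not the post's own deploy.yml): it keeps the multi-line script block from section 2 and, instead of the permanent 0.0.0.0/0 rule from section 6, opens port 22 to the runner's own public IP for the duration of the job and revokes it afterwards, even if the deploy step fails. Assumptions not in the post: a secret named EC2_HOST holding the instance IP, an IAM role (placeholder ARN) that trusts GitHub's OIDC provider and is allowed only ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress on this security group, and the us-east-1 region.

```yaml
name: Deploy to EC2

on:
  push:
    tags:
      - "v*"                # tag push only, as in the post; commits to main do not deploy

permissions:
  id-token: write           # lets the job obtain an OIDC token for AWS (assumed setup)
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      SG_ID: sg-0b901d4d95ca4555f     # security group from the post
    steps:
      # Assumed: IAM role trusting GitHub's OIDC provider, limited to the two
      # security-group ingress permissions on SG_ID. Placeholder ARN below.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy-sg
          aws-region: us-east-1

      - name: Allow SSH from this runner only
        id: allow
        run: |
          set -euo pipefail
          ip="$(curl -fsS https://checkip.amazonaws.com)"
          echo "ip=$ip" >> "$GITHUB_OUTPUT"
          aws ec2 authorize-security-group-ingress \
            --group-id "$SG_ID" --protocol tcp --port 22 --cidr "$ip/32"

      - name: Deploy via SSH
        uses: appleboy/ssh-action@v1.0.3
        with:
          host: ${{ secrets.EC2_HOST }}        # 18.209.17.223 in the post; masked as *** in logs
          username: ec2-user
          key: ${{ secrets.EC2_SSH_KEY }}      # full contents of DevOps.pem
          script: |
            set -e
            cd /usr/share/nginx/html/DevOps
            git fetch origin
            git checkout main
            git pull origin main
            sudo systemctl reload nginx

      - name: Revoke the temporary SSH rule
        if: always() && steps.allow.outputs.ip != ''   # also runs when the deploy step failed
        env:
          RUNNER_IP: ${{ steps.allow.outputs.ip }}     # passed via env, not interpolated into the script
        run: |
          aws ec2 revoke-security-group-ingress \
            --group-id "$SG_ID" --protocol tcp --port 22 --cidr "$RUNNER_IP/32"
```

If OIDC is not an option, the "actions" list at https://api.github.com/meta gives the GitHub-hosted runner IP ranges for a static (if large) allow-list, and AWS Systems Manager Session Manager or Run Command removes the need for an inbound port 22 rule altogether.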

7️⃣ Successful Deployment

  • Push a new tag:
git tag v1.0.3
git push origin v1.0.3
  • GitHub Actions triggered the "Deploy via SSH" step

  • Script executed successfully:

cd /usr/share/nginx/html/DevOps
git fetch origin
git checkout main
git pull origin main
sudo systemctl reload nginx
  • Nginx reloaded

  • Deployment complete ✅

8️⃣ Lessons Learned / Best Practices

  1. YAML formatting matters
  • Multi-line scripts must use | under script; otherwise only the first line reaches the remote shell.
  2. Private key setup
  • Add the whole .pem (BEGIN to END lines) as a GitHub Secret

  • Local key permissions: chmod 600

  • Matching public key in ec2-user's authorized_keys on EC2

  • Prefer a dedicated deploy key pair (or a dedicated deploy user) over the instance's admin key pair, so the key held by GitHub can be rotated or revoked without touching your own access
  3. Security Groups
  • GitHub-hosted runners have dynamic IPs → opening port 22 to 0.0.0.0/0 is the quick fix, but it exposes SSH to the whole Internet.

  • Tighter options: add the runner's IP to the group at the start of the job and revoke it at the end, restrict the rule to the GitHub-hosted runner ranges published under "actions" at https://api.github.com/meta, or drop inbound SSH entirely with a bastion or AWS SSM (Session Manager / Run Command).
  4. Tag-based deploys
  • The workflow triggers on a tag push, not on commits

  • Never reuse tags: git refuses to recreate an existing tag, so nothing is pushed and nothing is deployed
  5. i/o timeout ≠ SSH key issue
  • A timeout means no TCP connection was made; check networking / firewall (Security Group, network ACL, instance state) before touching keys. A key problem fails later, at the SSH handshake.
  6. Idempotent deploys
  • Commands use git fetch + checkout + pull, so re-running the deploy for the same tag is safe

  • set -e prevents a partial deployment: nginx is only reloaded after the pull succeeds
