DEV Community: BenyaminRmb The latest articles on DEV Community by BenyaminRmb (@benyaminrmb). https://dev.to/benyaminrmb https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F795383%2Fcf1915eb-6418-4243-8f25-e39de1ea8c0c.png DEV Community: BenyaminRmb https://dev.to/benyaminrmb en Stop doing the SSH + GitHub secrets dance by hand. One command does all of it. BenyaminRmb Mon, 01 Jun 2026 09:23:23 +0000 https://dev.to/benyaminrmb/stop-doing-the-ssh-github-secrets-dance-by-hand-one-command-does-all-of-it-1ln0 https://dev.to/benyaminrmb/stop-doing-the-ssh-github-secrets-dance-by-hand-one-command-does-all-of-it-1ln0 <p>You know the ritual.</p> <p>New project. New VPS. Generate keypair. SSH in. Paste into <code>authorized_keys</code>. Go to GitHub Settings. Add <code>SSH_KEY</code>. Add <code>SSH_HOST</code>. Add <code>SSH_PORT</code>. Add <code>SSH_USER</code>. Write <code>deploy.yml</code> from memory. Commit. Push. It fails because you mixed up a secret name. Fix. Push again.</p> <p>15 minutes. Every time. For the rest of your career.</p> <p>I got tired of it. So I killed it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx deploymate-cli </code></pre> </div> <p>That's it. One command. Fill in 5 fields. Done.</p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcuke9yr4yztaxyzo7uqs.png" alt=" "> </h2> <h2> What happens under the hood </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────┐ │ ✓ Generating RSA key pair (in memory only) │ │ ✓ Uploading public key to server │ │ ✓ Injecting GitHub secrets │ │ ✓ Committing deploy.yml │ │ │ │ └─ CI/CD is live. Every push to main deploys. │ └─────────────────────────────────────────────────────────┘ </code></pre> </div> <p>Every push to <code>main</code> now runs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git fetch + reset <span class="nt">--hard</span> docker compose down docker compose up <span class="nt">-d</span> <span class="nt">--build</span> </code></pre> </div> <p>No agent. No dashboard. No new service to babysit. Just a GitHub Actions workflow that does exactly what it says.</p> <h2> The security bit — since you'll ask </h2> <p>The SSH password is used exactly once to bootstrap key auth. Never logged. Never stored. The private key is generated fresh, goes straight into a GitHub secret via libsodium box seal (how the API requires it), and then it's gone. After setup, your server only speaks to GitHub via the key we just installed.</p> <p>Source is all on GitHub. <code>src/services/ssh.ts</code> and <code>src/services/github.ts</code> if you want to audit — it's small.</p> <h2> This isn't Coolify </h2> <p>No UI to manage. No containers to run. No database to back up. This is for when you want <code>git push</code> to deploy on a $6 VPS and you don't want to think about it again.</p> <p>Small scope. Does one thing. Does it well.</p> <p>→ <a href="https://github.com/Benyaminrmb/deploymate" rel="noopener noreferrer">github.com/Benyaminrmb/deploymate</a><br> → <a href="https://www.npmjs.com/package/deploymate-cli" rel="noopener noreferrer">npmjs.com/package/deploymate-cli</a></p> <p>PRs welcome. Issues too — I actually read them.</p> devops docker githubactions opensource