DEV Community: Benedict Ell Nino The latest articles on DEV Community by Benedict Ell Nino (@ninoslat1). https://dev.to/ninoslat1 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2149545%2Fb54604f5-40e3-4cb0-80e3-35c94914716f.png DEV Community: Benedict Ell Nino https://dev.to/ninoslat1 en Implement Simple CI/CD with GitHub Actions Benedict Ell Nino Tue, 02 Dec 2025 07:01:59 +0000 https://dev.to/ninoslat1/implement-simple-cicd-with-github-actions-3bnb https://dev.to/ninoslat1/implement-simple-cicd-with-github-actions-3bnb <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6re2at1kgpni21v9n45j.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6re2at1kgpni21v9n45j.jpg" alt="Container Ship by" width="800" height="533"></a></p> <p>Container Ship by <a href="https://unsplash.com/photos/blue-and-red-cargo-ship-on-sea-during-daytime-jOqJbvo1P9g?utm_source=63921&amp;utm_medium=referral" rel="noopener noreferrer">Ian Taylor</a></p> <p>As a software engineer working in a small company where IT is mostly seen as a cost center, I’ve been trying to keep our deployment process simple: small docker images, secure steps, and ideally… zero cost.</p> <p>Yesterday, i watch a YouTube video showing that even private repositories can be cloned, meaning every secret in <code>.env</code> <code>yml,</code> or docker compose files could be exposed if we’re not careful.</p> <p>That made me reflect on my own (simple) CI/CD setup, so today I’d like to share a small CI/CD workflow I’ve been using for deploying .NET apps to an on-premise server—nothing fancy. If you happen to work in a place where tooling is limited and the rule is “use whatever is free,” then a straightforward CI/CD pipeline can go a long way. It keeps deployments clean and your service running smoothly.</p> <p><strong>Disclaimer:</strong></p> <p>This CI/CD configuration is provided as a reference based on my deployment environment.</p> <p>Server configurations may vary, so you might need to adjust directory paths, environment variables, or service names to make it work in your setup.</p> <h2> Local Development (Very Simple) </h2> <p>Just add some .env configuration in <code>appsettings.json</code> and run it like usual day.</p> <h2> Preparing Docker for Deployment </h2> <h3> Docker Setup </h3> <p>First, create a Dockerfile for both the local deployment and server deployment. Here is the example of multistage build for .NET Web API (<strong>I set DOTNET_SYSTEM_GLOBALIZATION_INVARIANT to false, because there is time zone settings for the project</strong>). This Dockerfile give us:</p> <ul> <li>Relatively small image</li> <li>Self-contained executable</li> </ul> <p>P.S: I am currently learning about the NativeAOT feature to trim the image into a smaller size, but I’m still researching whether it fits my use case. That’s why I use the basic multistage build for now.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">mcr.microsoft.com/dotnet/sdk:9.0-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">publish</span> <span class="k">WORKDIR</span><span class="s"> /src</span> <span class="k">COPY</span><span class="s"> your_project.csproj ./</span> <span class="k">RUN </span>dotnet restore <span class="s2">"./your_project.csproj"</span> <span class="nt">--runtime</span> linux-musl-x64 <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>dotnet publish <span class="s2">"your_project.csproj"</span> <span class="se">\ </span> <span class="nt">-c</span> Release <span class="se">\ </span> <span class="nt">-o</span> /app/publish <span class="se">\ </span> <span class="nt">--no-restore</span> <span class="se">\ </span> <span class="nt">--runtime</span> linux-musl-x64 <span class="se">\ </span> <span class="nt">--self-contained</span> <span class="nb">true</span> <span class="se">\ </span> /p:PublishSingleFile<span class="o">=</span><span class="nb">true</span> <span class="k">FROM</span><span class="w"> </span><span class="s">mcr.microsoft.com/dotnet/runtime-deps:9.0-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">final</span> <span class="k">ENV</span><span class="s"> DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> icu-libs <span class="k">ENV</span><span class="s"> LD_LIBRARY_PATH=/usr/lib</span> <span class="k">RUN </span>apk upgrade musl <span class="k">RUN </span>adduser <span class="nt">--disabled-password</span> <span class="se">\ </span> <span class="nt">--home</span> /app <span class="se">\ </span> <span class="nt">--gecos</span> <span class="s1">''</span> dotnetuser <span class="o">&amp;&amp;</span> <span class="nb">chown</span> <span class="nt">-R</span> dotnetuser /app <span class="k">USER</span><span class="s"> dotnetuser</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=publish /app/publish .</span> <span class="k">ENTRYPOINT</span><span class="s"> ["./your_project"]</span> </code></pre> </div> <p>Second, create a docker compose for the local development and put all the <code>.env</code>configuration on the environment section.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">project_name</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hardware_port1:container_port1</span> <span class="pi">-</span> <span class="s">hardware_port2:container_port2</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ASPNETCORE_ENVIRONMENT=Production</span> <span class="pi">-</span> <span class="s">ASPNETCORE_URLS=http://+:container_port1;http://+:container_port2</span> <span class="pi">-</span> <span class="s">MYSQL_CONNECTION=server=localhost;port=3306;userid=root;password=your_password;database=your_database</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">project_name</span> <span class="na">extra_hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">host.docker.internal:host-gateway"</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">project_name</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">project_name_network</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> </code></pre> </div> <p>Then try to dockerize it with<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose <span class="nt">-f</span> docker-compose.Development.yml up <span class="nt">-d</span> <span class="nt">--build</span> </code></pre> </div> <p>If it works, add the development docker-compose file and <code>appsettings.json</code> to <code>.gitignore</code> to prevent them from being pushed to the repository, and also add <code>appsettings.json</code> to <code>.dockerignore</code> (since all envs are already in the docker compose for local deployment).</p> <h2> Deploying to Server via GitHub Actions </h2> <h3> GitHub Action Setup </h3> <p>If the local deployment works, the next step is setting up environment variables as GitHub Actions Secrets for the server deployment.</p> <p>You can find it in:</p> <p>⚙ <strong>Settings</strong> → <strong>Security</strong> → <strong>Secrets and Variables</strong> → <strong>Actions</strong> → <strong>New repository secret</strong></p> <p>Copy-paste all environment variables from the local docker compose file into the Actions secrets.</p> <p>(<strong>Remember: keep the same namespace for easier setup.</strong>)</p> <p>Also, don’t forget to prepare your SSH private key, host (the VPS IP address), and username for SSH access.</p> <p>After setting up the repository secrets, create a separate docker-compose file for server deployment. Copy the local one and replace all environment values using the secret namespaces.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">project_name</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hardware_port1:container_port1</span> <span class="pi">-</span> <span class="s">hardware_port2:container_port2</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ASPNETCORE_ENVIRONMENT=${ASPNETCORE_ENVIRONMENT}</span> <span class="pi">-</span> <span class="s">ASPNETCORE_URLS=${ASPNETCORE_URLS}</span> <span class="pi">-</span> <span class="s">MYSQL_CONNECTION=${MYSQL_CONNECTION}</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">project_name</span> <span class="na">extra_hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">host.docker.internal:host-gateway"</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">project_name</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">project_name_network</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> </code></pre> </div> <p>Next, create a YAML workflow inside the <code>.github/workflows</code> directory. It will automatically run when you push to the <code>master</code> branch.</p> <p>The reason why I am not using Docker Hub in this pipeline is because it requires additional credentials that I would need to store in GitHub Secrets. Since my company only has one main server, a registry isn’t necessary for this setup.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Build and Deploy</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">master</span> <span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Docker Buildx</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Docker image</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t your_project:latest .</span> <span class="s">docker save your_project:latest -o your_project.tar</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create .env file from secrets</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cat &gt; .env &lt;&lt; EOF</span> <span class="s">ASPNETCORE_ENVIRONMENT=${ASPNETCORE_ENVIRONMENT}</span> <span class="s">ASPNETCORE_URLS=${ASPNETCORE_URLS}</span> <span class="s">MYSQL_CONNECTION=${MYSQL_CONNECTION}</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Copy files to server</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">appleboy/scp-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">${{ secrets.SSH_HOST }}</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ secrets.SSH_USERNAME }}</span> <span class="na">key</span><span class="pi">:</span> <span class="s">${{ secrets.SSH_PRIVATE_KEYS }}</span> <span class="na">source</span><span class="pi">:</span> <span class="s2">"</span><span class="s">your_project.tar,docker-compose.yml,.env"</span> <span class="na">target</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/tmp/deploy_your_project"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy with Docker Compose</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">appleboy/ssh-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">${{ secrets.SSH_HOST }}</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ secrets.SSH_USERNAME }}</span> <span class="na">key</span><span class="pi">:</span> <span class="s">${{ secrets.SSH_PRIVATE_KEYS }}</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Create app directory if not exists</span> <span class="s">mkdir -p ~/apps/your_project</span> <span class="s"># Move uploaded files into project directory</span> <span class="s">mv /tmp/deploy_your_project/docker-compose.yml ~/apps/your_project/</span> <span class="s">mv /tmp/deploy_your_project/.env ~/apps/your_project/</span> <span class="s"># Load docker image</span> <span class="s">docker load -i /tmp/deploy_your_project/your_project.tar</span> <span class="s"># Move tar file into project directory (optional)</span> <span class="s">mv /tmp/deploy_your_project/your_project.tar ~/apps/your_project/</span> <span class="s"># Deploy</span> <span class="s">cd ~/apps/your_project</span> <span class="s">docker compose down</span> <span class="s">docker compose up -d</span> <span class="s"># Clean temp folder</span> <span class="s">rm -rf /tmp/deploy_your_project</span> </code></pre> </div> <p>This YML worfklow process is:</p> <ol> <li>Build the Docker image</li> <li>Save it as a <code>.tar</code> file</li> <li>Generate the <code>.env</code> file from repository secrets</li> <li>Upload everything via SCP</li> <li>SSH into the server</li> <li>Load the Docker image</li> <li>Create a temporary directory for the deployment process</li> <li>Stop (if running) and start the docker container</li> <li>Remove the temporary directory</li> </ol> <h2> Key Improvements </h2> <p>There are also a couple of small tweaks that I found while working on this simple CI/CD setup.</p> <ul> <li>Optimize the Docker image size by using a minimal Alpine base image and optionally leveraging .NET NativeAOT for trimming the final binary.</li> <li>Improve security and build reproducibility by pinning base images using SHA256 digests (e.g., FROM alpine:3.19@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS stage_name )</li> <li>Add a healthcheck to the docker-compose file to ensure the service is actually running before marking it healthy.</li> </ul> <h2> Conclusion </h2> <p>I’ve been wearing “multiple hats” here, so I built a CI/CD pipeline that stays simple: no registry, no cloud services, and definitely no extra cost. Just GitHub Actions, Docker, and a good old SSH deployment to an on-prem server. </p> <p>Thanks for reading — I hope this setup helps anyone who is still doing manual SSH, git clone, and build steps on the server. If this workflow inspires you, then the article has done its job.</p> cicd dotnet docker