Article 3: Docker + GitHub Actions

#docker #githubactions #cicd #devops

Automating the Docker build of my portfolio with GitHub Actions, publishing to Docker Hub, and seamless redeployment on Kubernetes.

Automating the build and push of a Node.js app

In this third step, I tackle the containerization of my Next.js application (personal portfolio), and the creation of a CI/CD pipeline to automate the Docker image build, its push to Docker Hub, and the automatic redeployment to Kubernetes.

CI/CD: Building the Docker image

The goal is to:

Produce a lightweight, optimized Docker image
Automatically publish it to Docker Hub
Restart the deployment on the cluster with zero downtime

Everything is defined in a GitHub Actions pipeline located in the application repository, under .github/workflows/deploy.yml.

Building the Docker image

Here is the Dockerfile used:

# Step 1: Base image for build and run
FROM node:23-alpine AS base
WORKDIR /app
ENV NEXT_TELEMETRY_DISABLED=1

# Step 2: Install dependencies
FROM base AS deps
COPY package.json package-lock.json ./
RUN npm ci

# Step 3: Build and fetch Dev.to articles securely
FROM base AS builder
COPY --from=deps /app/node_modules ./node_modules
COPY . .

ENV NEXT_PUBLIC_URL=https://woulf.fr
ENV NEXT_PUBLIC_EMAIL=corentinboucardpro@gmail.com

# Secure token injection via BuildKit
RUN --mount=type=secret,id=devto_token \\
  DEVTO_API_KEY=\$(cat /run/secrets/devto_token) node scripts/fetchDevtoArticles.js && npm run build

# Step 4: Final runtime image
FROM base AS runner
ENV NODE_ENV=production
ENV PORT=3000

# Create non-root user
RUN addgroup -S nodejs -g 1001 && \\
    adduser -S nextjs -u 1001 -G nodejs && \\
    mkdir .next && chown nextjs:nodejs .next

WORKDIR /app

COPY --from=builder /app/public ./public
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static

USER nextjs
EXPOSE 3000
CMD ["node", "server.js"]

🧠 Notes on the Dockerfile:

Multi-stage build: separates base, dependencies, build, and runtime phases results in a clean and minimal image.
Alpine base (node:23-alpine): lightweight, fast to pull, smaller attack surface (more secure).
Copying package*.json first: leverages Docker cache when dependencies don’t change → drastically speeds up builds.
Using npm ci: ensures a clean install based on package-lock.json without re-resolving versions.
Secure token injection via BuildKit: avoids exposing secrets in the image or logs. Token is available only during the build.
Dev.to article fetching during build: keeps content updated without committing it to the repo.
Non-root user (nextjs): improves runtime security.
Copying only required folders (.next/standalone, .next/static): recommended by Next.js for Docker deployments.
EXPOSE 3000: informative for docs and some tools.

🔐 Result: a lightweight, secure, fast-to-build Docker image ready for production.

Pipeline in the application repository

The deploy.yml pipeline contains two jobs:

Build & push the image
Redeploy to the Kubernetes cluster

name: Deploy Website

on:
  push:
    branches:
      - main

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: \${{ secrets.DOCKER_USERNAME }}
          password: \${{ secrets.DOCKER_PASSWORD }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: woulf/portfolio:latest
          secrets: |
            "devto_token=\${{ secrets.DEVTO_TOKEN }}"

  rollout_k8s:
    runs-on: ubuntu-latest
    needs: docker
    steps:
      - name: Set up Kubernetes context
        uses: azure/k8s-set-context@v3
        with:
          kubeconfig: \${{ secrets.KUBECONFIG }}

      - name: Restart Deployment
        run: |
          kubectl rollout restart deployment/portfolio -n default
          kubectl rollout status deployment/portfolio -n default

🧠 Notes on the pipeline:

Auto-trigger on push to main: deploys automatically on merge, great for rolling releases.
Modular workflow: two isolated jobs (docker, rollout_k8s) for clarity and maintainability.
Official Docker action with BuildKit: handles cache, secrets, multi-platform builds.
Secrets via secrets.*: no credentials in code, tokens injected at build time only.
--mount=type=secret: ensures temporary use of secrets without exposing them in the final image.
Pushes to Docker Hub (woulf/portfolio:latest): versioned and publicly accessible.
Kubernetes redeploy with zero downtime: kubectl rollout restart updates the pod smoothly.
Deployment status check: prevents continuing if deployment fails.
needs: docker: guarantees the image is pushed before attempting redeploy.

🔄 Result: a robust, fully automated CI/CD pipeline that updates content, rebuilds your Docker image, and redeploys to Kubernetes, all from a single push.

Secret management

No credentials are hardcoded. Everything is securely stored via GitHub Secrets:

DOCKER_USERNAME / DOCKER_PASSWORD → for Docker Hub
KUBECONFIG → to connect to the MicroK8s cluster remotely
DEVTO_TOKEN → to fetch Dev.to articles automatically during build

Result

✅ On every push:

Dev.to articles are fetched
Docker image is rebuilt and pushed
App is redeployed with no interruption

💡 Next steps:

Add Trivy scan
Add a HEALTHCHECK
Reduce production dependencies

➡️ In the next article, I’ll explain how I versioned the Kubernetes infrastructure in a separate repository and set up a GitOps pipeline to keep the cluster in sync.