How to Verify the Deployed Version Matches the Git SHA in GitHub Actions
A deploy can report success while an old image still serves traffic, so verify a /version endpoint returns the same commit SHA the workflow built.
Bake the commit SHA into the build, expose it at /version, then in a verify step fetch that value and assert it equals github.sha before promoting.
Steps
- Inject
github.shainto the build (env var or build arg). - Serve it from a
/versionJSON endpoint. - After deploy, fetch
/versionand compare against${{ github.sha }}.
Workflow
.github/workflows/ci.yml
- name: Verify deployed commit
env:
BASE: ${{ vars.DEPLOY_URL }}
EXPECTED: ${{ github.sha }}
run: |
ACTUAL=$(curl -sf "$BASE/version" | jq -r .sha)
echo "expected=$EXPECTED actual=$ACTUAL"
if [ "$ACTUAL" != "$EXPECTED" ]; then
echo "deployed version does not match; aborting"; exit 1
fiGotchas
- A CDN or reverse proxy may cache
/version; request with a cache-busting header orCache-Control: no-cache. - If the SHA does not match, do not promote; roll back to the known-good version.
Related guides
How to Verify Database Migrations Applied After Deploy in GitHub ActionsVerify that database migrations actually applied after a deploy in GitHub Actions by checking the migration t…
How to Verify a CDN Cache Was Purged After Deploy in GitHub ActionsVerify a CDN cache purge took effect after a deploy in GitHub Actions by checking cache headers and asset has…