Skip to content
Latchkey

How to Verify the Deployed Version Matches the Git SHA in GitHub Actions

A deploy can report success while an old image still serves traffic, so verify a /version endpoint returns the same commit SHA the workflow built.

Bake the commit SHA into the build, expose it at /version, then in a verify step fetch that value and assert it equals github.sha before promoting.

Steps

  • Inject github.sha into the build (env var or build arg).
  • Serve it from a /version JSON endpoint.
  • After deploy, fetch /version and compare against ${{ github.sha }}.

Workflow

.github/workflows/ci.yml
- name: Verify deployed commit
  env:
    BASE: ${{ vars.DEPLOY_URL }}
    EXPECTED: ${{ github.sha }}
  run: |
    ACTUAL=$(curl -sf "$BASE/version" | jq -r .sha)
    echo "expected=$EXPECTED actual=$ACTUAL"
    if [ "$ACTUAL" != "$EXPECTED" ]; then
      echo "deployed version does not match; aborting"; exit 1
    fi

Gotchas

  • A CDN or reverse proxy may cache /version; request with a cache-busting header or Cache-Control: no-cache.
  • If the SHA does not match, do not promote; roll back to the known-good version.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →