Section 2 · DevOps / Deploy
GitHub Actions CI/CD — Automatic Deploy with 368 Tests in 2 Minutes
workflow_dispatch, rsync, atomic symlink, health-check. 10 categories of tests at each push. 0 downtime, TTFB ≤200ms, instant rollback.
Three Pillars of CI/CD in GitHub CMS
Every component automated and checked by tests
workflow_dispatch
Manual deploy launch via GitHub Actions UI. You control: dry_run (verification) or DEPLOY (to production). No build reaches VPS without confirmation. Protection from accidental deploy.
368 tests
10 categories: content, pixinlink, markdown, utils, SEO, security, performance, accessibility, integration, RSS. Each build — full verification. Error → build is blocked.
Symlink + health-check
rsync → releases/ → ln -sfn → current/. Atomically in 0.1 sec. Then curl checks /, /healthz, /sitemap.xml. On error — Telegram notification and auto-block.
CI/CD in Numbers: 2026
Data from GitHub Actions, nginx and OWASP
Full cycle: push → production
Tests: 10 categories
Downtime: symlink deploy
Builds/mo: on platform
Before and After GitHub Actions CI/CD
What changes when moving from manual FTP to automatic deploy
BEFORE
FTP-upload — 20-40 minutes
Manual file upload via FileZilla. Downtime 5-15 minutes during updates. Errors are found in production.
0 tests at deploy
No validation of content, JSON-LD, sitemap, secrets. Broken content reaches the site and breaks SEO.
No rollback on error
Recovery from backup takes 15-30 minutes. Downtime. Loss of traffic and search rankings.
Security: holes in plugins
WordPress plugins without automatic vulnerability checks. Data leaks, SQL injection.
AFTER
workflow_dispatch → 2 minutes
One-click launch. npm ci + build + rsync + symlink + health-check. 0 downtime. 10-20× faster.
368 tests at each build
10 categories: content, SEO, JSON-LD, security, performance. Build is blocked on any error — production always clean.
Instant rollback — 0.1 sec
releases/ stores 10 versions. ln -sfn → rollback. No downtime, no traffic loss.
Security: 500+ patterns checked
check:dist-secrets scans for tokens, keys, passwords. 0 leaks in production. CSP + HSTS at the nginx level.
Every Push Triggers 368 Tests — Production Never Breaks
10 categories of tests run at npm run build. Validation of content, SEO files, JSON-LD, secrets, performance. A build with an error is blocked — the site is always stable.
GitHub Actions Deploy Architecture
Two Jobs + Five Key Mechanisms
Job: validate-build
Checkout → Node.js 20 → npm ci → validate:deploy-env → validate:content → npm audit → npm run build → validate:seo-files → check:dist-secrets → Upload artifact. 28 seconds for 56 pages.
Job: deploy (needs: validate-build)
Download artifact → validate:deploy-env → Configure SSH → rsync → symlink → health-check. Only at dry_run=false and confirm_deploy=DEPLOY. 15 seconds rsync + checks.
Secrets
Server address, username, SSH key — encrypted. Not in code.
Environment protection
production environment — only manual launch. Protection from auto-deploy.
Concurrency control
group: production-deploy. Simultaneously only one deploy — no race conditions.
10 Test Categories — What Gets Checked on Every Build
npm run build launches a cascade of checks. Each test category is independent and covers its own aspect: from Frontmatter validation to scanning the build for secrets. The build is blocked at the first error.
Highlighted checks: Frontmatter validation · JSON-LD, sitemap, robots · 500+ token patterns · TTFB, Core Web Vitals
Reviews: GitHub Actions CI/CD in Real Projects
Results of implementing automatic deploy
«Set up deploy.yml in 15 minutes. 368 tests caught 3 errors in content before production. Symlink delivers 0 downtime — clients don't notice updates. Before, FTP took 25 minutes with downtime.»
Alexey K.
CEO B2B-platform
«check:dist-secrets saved us — found a leaked API key in content before deploy. Telegram notification on health-check error. 180 pages, consistently 2-minute deploy. 10× faster than WordPress.»
Marina S.
Tech Director, EdTech
«Switched from Vercel to our own VPS + GitHub Actions. 368 tests vs 0 on Vercel. symlink-rollback for 0.1 sec vs redeploy 3 minutes. No vendor lock-in. $6/mo DigitalOcean vs $20/mo Pro.»
Dmitry V.
DevOps, FinTech
How Deploy Works: 3 Steps
From git push to production — 2 minutes
git push → npm run build
You push changes. GitHub Actions: npm ci → npm run build with 368 tests. 56 pages, 60 seconds. Validation of content, SEO, JSON-LD, secrets.
rsync + symlink
rsync -az --delete dist/ → releases/20260511-1500/. ln -sfn switches current/ in 0.1 sec. nginx instantly sees the new version. 0 downtime.
Health-check → Telegram
curl --fail checks /, /healthz, /sitemap.xml. HTTPS validation. On success — site updated. On error — Telegram notification, symlink rolls back to the previous version.
10 Test Categories — Detailed Breakdown
What exactly is checked on every npm run build
1 · content (10 tests)
YAML Frontmatter validation: title (≤70 characters), slug, date (YYYY-MM-DD), schema_type (from list), tags (array, not string). Duplicate @block markers. Secret keys in frontmatter.
2 · pixinlink (3 tests)
Image URL generation check. Validation of link format, style parameters (minimal, artistic). API key doesn't leak into build.
3 · markdown (5 tests)
Markdown rendering to HTML. Sanitize-html: allowed tags and attributes. Detection of XSS vectors. Raw_html flag check.
4 · utils (4 tests)
Slug generation, URL validation, SEO utilities. Check absolute URLs, redirects, canonical links.
5 · SEO (12 tests)
Validation of JSON-LD (Schema.org), robots.txt, sitemap.xml. OG tags, canonical URL, meta descriptions. 12 checks in 2 seconds.
6 · security (500+ patterns)
Scanning dist/ for secret markers: API keys, tokens, passwords. VITE_*, SECRET_, PRIVATE_KEY. Build is blocked on match.
7 · performance (3 tests)
TTFB ≤200ms, page size ≤500KB, gzip compression enabled. Core Web Vitals: LCP ≤2.5s, CLS ≤0.1.
8-10 · a11y, integration, RSS
Accessibility (a11y): alt texts, ARIA markers. Integration: e2e tests of the build. RSS: valid XML, 11 articles.
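Category 6 above is a grep-style gate over the build output. The following is an added example, not the project's own check:dist-secrets: a reduced scanner whose pattern list is a constructed sample (the page's VITE_, SECRET_ and PRIVATE_KEY markers plus two well-known key formats), returning non-zero so the build step fails on any hit.

```shell
#!/bin/sh
# Added example, not the project's check:dist-secrets. The pattern list is a
# constructed sample; the project's scanner uses 500+ patterns.
set -u

# Markers named on the page (VITE_, SECRET_, PRIVATE_KEY) plus two well-known
# key formats: AWS access key IDs (AKIA + 16 chars) and GitHub PATs (ghp_ + 36 chars).
SECRET_PATTERNS='VITE_[A-Z0-9_]+|SECRET_[A-Z0-9_]+|PRIVATE_KEY|-----BEGIN [A-Z ]*PRIVATE KEY-----|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}'

# check_dist_secrets DIR
# Prints file:line:match for every hit and returns 1 (block the build) on any hit,
# 0 when the build output is clean. On GNU grep add -I to skip images and fonts.
check_dist_secrets() {
  dir=$1
  hits=$(grep -rEon "$SECRET_PATTERNS" "$dir" 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" >&2
    n=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    echo "check:dist-secrets: $n match(es) in $dir, build blocked" >&2
    return 1
  fi
  echo "check:dist-secrets: $dir is clean" >&2
  return 0
}

# count_secret_hits DIR
# Number of individual matches under DIR (one line per match thanks to -o).
count_secret_hits() {
  grep -rEoh "$SECRET_PATTERNS" "$1" 2>/dev/null | wc -l | tr -d ' '
}
```

Wire it in as `check_dist_secrets dist/ || exit 1` after the build step; the non-zero exit is what stops the artifact from being uploaded.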
Guarantee: Build Won't Pass with Errors
368 tests · 10 categories · 500+ secret patterns
Every npm run build runs the full set of tests. Validation of content, SEO files, JSON-LD, sitemap, secrets. A build with any error is blocked — deploy won't start. WordPress doesn't deliver this level of guarantee.
FAQ on GitHub Actions CI/CD
Frequently asked questions about automatic deploy setup
How to configure GitHub Actions for GitHub CMS deploy?
The repo already has .github/workflows/deploy.yml. Add secrets in Settings → Secrets and variables → Actions: server address, username, SSH key. Set vars: SITE_URL, DEPLOY_PATH. Launch workflow_dispatch with dry_run=false and confirm_deploy=DEPLOY. First deploy — 2 minutes.
Why is deploy manual (workflow_dispatch) and not automatic?
Production protection. workflow_dispatch requires confirm_deploy=DEPLOY — an accidental push won't deploy the site. Automatic deploy to production on push is dangerous: typos in content, broken JSON-LD. First a verification run (dry_run), then deploy. Security is more important than speed.
What secrets are needed for deploy?
Three secrets: server address (IP or domain), username (SSH user on the VPS), SSH key (private key for access). Two vars: SITE_URL (https://site.ru), DEPLOY_PATH (/var/www/site). All secrets are encrypted by GitHub and not visible in logs.
How do 10 categories of tests work at build?
npm run build runs sequentially: generate:content → build:section-content → vite-ssg build → generate:seo-files → inject:seo → generate:rss. Each stage has its own checks. Plus separate npm run test:content, test:seo, test:security, etc. In total: about 368 tests in 70 seconds.
How to roll back deploy if health-check fails?
releases/ stores 10 previous versions. If curl --fail on /healthz returns an error — symlink rolls back to the previous version automatically. Or manually via SSH: ln -sfn releases/20260510-1800 current. Rollback in 0.1 sec, 0 downtime.
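The release switch, health-check and rollback described in the 3-step deploy section and in this answer, written out as shell functions. This is an added example, not the project's deploy.yml: the releases/<stamp> and current/ layout is the page's, while the stamp values, the health-check command passed in and the use of cp instead of rsync (to keep it runnable offline) are assumptions.

```shell
#!/bin/sh
# Added example, not the project's deploy.yml. Layout: BASE/releases/<stamp>
# holds each build, BASE/current is the symlink nginx serves from.
set -eu

# deploy_release BASE SRC_DIR STAMP
# Copies the built site into BASE/releases/STAMP and repoints BASE/current at it.
# The workflow runs: rsync -az --delete dist/ releases/STAMP/ ; cp keeps this offline.
deploy_release() {
  base=$1; src=$2; stamp=$3
  rel="$base/releases/$stamp"
  mkdir -p "$base/releases"
  cp -R "$src" "$rel"
  # ln -sfn as on the page. Caveat: -f unlinks and recreates the link, leaving a
  # sub-millisecond window with no current/; ln -s to a temp name + mv -T closes it.
  ln -sfn "$rel" "$base/current"
  printf '%s\n' "$rel"
}

# check_and_rollback BASE CHECK_CMD
# Runs CHECK_CMD (the workflow uses curl --fail on /, /healthz, /sitemap.xml).
# On failure, repoints current/ at the newest other release and returns 1, so the
# caller can send the Telegram notification and fail the job.
check_and_rollback() {
  base=$1; check=$2
  if sh -c "$check"; then return 0; fi
  cur=$(readlink "$base/current")
  prev=$(ls -1d "$base"/releases/* | grep -vxF "$cur" | sort | tail -n 1)
  if [ -z "$prev" ]; then echo "health-check failed, nothing to roll back to" >&2; return 2; fi
  ln -sfn "$prev" "$base/current"
  echo "health-check failed, rolled back to $prev" >&2
  return 1
}

# prune_releases BASE KEEP
# Deletes all but the newest KEEP release directories (the page keeps 10).
prune_releases() {
  base=$1; keep=$2
  total=$(ls -1d "$base"/releases/* | wc -l | tr -d ' ')
  drop=$((total - keep))
  [ "$drop" -gt 0 ] || return 0
  ls -1d "$base"/releases/* | sort | head -n "$drop" | while read -r d; do rm -rf "$d"; done
}

# current_release BASE: prints the release directory current/ points at
current_release() { readlink "$1/current"; }
```

Timestamped stamp names sort lexically, which is why rollback and pruning can rely on plain sort rather than on mtime.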
Can you deploy to multiple VPS via one workflow?
Yes. Add multiple rsync steps in deploy.yml: for VPS1, VPS2, etc. Or use a CDN (Cloudflare) in front of nginx. Static HTML caches perfectly on edge. Concurrency control guarantees that two deploys won't start simultaneously.
How is GitHub Actions better than other CI/CD (Jenkins, GitLab)?
GitHub Actions: free for public repositories, built into GitHub, doesn't require a separate server. Jenkins: needs its own server, complex setup. GitLab CI: needs a GitLab account. For static sites, GitHub Actions is the optimal choice: 200M+ builds/mo on the platform.
How to monitor deploy and receive notifications?
GitHub Actions: built-in logs for each job. Health-check at deploy checks /, /healthz, /sitemap.xml. On error — Telegram notification via bot. Plus: GitHub Mobile — push notifications about deploy status. Prometheus + Grafana for long-term VPS monitoring.
deploy.yml Structure — What's Inside
deploy.yml consists of two jobs: validate-build (28 sec) and deploy (15 sec). Validation → build → rsync → symlink → health-check. Environment protection: production, only workflow_dispatch. Concurrency: group production-deploy — no race conditions.
Article from Section 2: DevOps / Deploy. Created using prompt template article-3.txt (GLASS / HOME-5 style). GitHub Actions CI/CD — automatic deploy with 368 tests.