Optimize deployment flow with GHCR and pre-built images

- Build Docker images once in GitHub Actions, not on EC2
- Push multi-arch images (amd64/arm64) to GitHub Container Registry
- Reduce deployment time from 5-10 minutes to <30 seconds
- Minimize S3 usage to config files only (~few KB vs several MB)
- Update docker-compose.prod.yml to pull from GHCR instead of building
- Simplify CodeDeploy scripts to pull pre-built images
- Keep S3 bucket for minimal config delivery (appspec.yml, scripts)
- Update documentation with optimized deployment flow

Author: damione1

.github/workflows/deploy.yml

@@ -7,9 +7,12 @@ on:
 
 env:
   AWS_REGION: ${{ vars.AWS_REGION || 'us-east-1' }}
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
 
 permissions:
   contents: write  # Need write permission for creating releases
+  packages: write  # Need write permission for GHCR
 
 jobs:
   test:
@@ -114,10 +117,58 @@ jobs:
           prerelease: false
           generate_release_notes: false
 
+  build-and-push:
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    needs: release
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/v}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Version: $VERSION"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
   deploy:
     name: Deploy to AWS EC2 via CodeDeploy
     runs-on: ubuntu-latest
-    needs: release
+    needs: build-and-push
 
     steps:
       - name: Checkout code
@@ -139,16 +190,17 @@ jobs:
 
       - name: Create deployment package
         run: |
-          echo "📦 Creating deployment package..."
-
-          # Create archive excluding unnecessary files
-          zip -r deployment-${{ steps.version.outputs.version }}.zip . \
-            -x "*.git*" \
-            -x "*.terraform*" \
-            -x "pb_data/*" \
-            -x "tmp/*" \
-            -x ".air.toml" \
-            -x "*.log"
+          echo "📦 Creating minimal deployment package..."
+
+          # Only include CodeDeploy scripts and docker-compose
+          mkdir -p deploy-package
+          cp -r scripts deploy-package/
+          cp appspec.yml deploy-package/
+          cp docker-compose.prod.yml deploy-package/
+
+          cd deploy-package
+          zip -r ../deployment-${{ steps.version.outputs.version }}.zip .
+          cd ..
 
           echo "✅ Deployment package created"
 

DEPLOY.md

@@ -12,19 +12,29 @@ Elastic IP (static)
    |
    ▼
 EC2 Instance (t4g.micro - Amazon Linux 2023 ARM64)
-├── CodeDeploy Agent (automated deployment)
+├── CodeDeploy Agent (pulls config from S3)
 ├── Traefik (Port 80/443)
 │   ├── Let's Encrypt SSL
 │   └── Auto HTTPS redirect
-└── Planning Poker Container
+└── Planning Poker Container (from GHCR)
     └── /app/pb_data → /mnt/data (EBS Volume)
 ```
 
+**Deployment Flow:**
+```
+GitHub Actions (on tag push)
+   ├─→ Build Docker image → Push to GHCR (pre-built, multi-arch)
+   └─→ Upload config package to S3 → Trigger CodeDeploy
+        └─→ EC2 pulls image from GHCR → Run
+```
+
 **Key Features:**
-- ✅ **Automated Deployment**: AWS CodeDeploy with GitHub Actions
+- ✅ **Optimized Deployment**: Build once in GitHub, deploy pre-built image
+- ✅ **Fast Deploys**: No compilation on EC2, just pull and run (<30 seconds)
+- ✅ **Container Registry**: GitHub Container Registry (GHCR) for Docker images
+- ✅ **Minimal S3 Usage**: Only config files (~few KB), not application code
 - ✅ **Persistent Storage**: EBS volume for database (survives container restarts)
 - ✅ **Automatic SSL**: Traefik handles Let's Encrypt certificates
-- ✅ **Simple**: Single EC2 instance with Docker Compose
 - ✅ **Cost-Effective**: t4g.micro eligible for AWS free tier
 
 ## Prerequisites
@@ -70,13 +80,15 @@ This creates S3 buckets (Terraform state + CodeDeploy), IAM user, and policies:
 The script will:
 - Create IAM user for GitHub Actions
 - Create S3 bucket for Terraform state (with versioning and encryption)
-- Create S3 bucket for CodeDeploy deployment packages
-- Configure IAM policies (Terraform, CodeDeploy, S3)
+- Create S3 bucket for CodeDeploy config packages (minimal size - appspec.yml, docker-compose, scripts only)
+- Configure IAM policies (Terraform, CodeDeploy, S3, GHCR)
 - Generate access keys
 - Output configuration for GitHub secrets
 
 **Important**: Save the output - it contains bucket names and credentials.
 
+**Note**: The S3 bucket for CodeDeploy now only stores small config files (~few KB), not the entire application code. Docker images are built in GitHub Actions and stored in GitHub Container Registry.
+
 ### 3. Configure Terraform Backend
 
 ```bash
@@ -233,12 +245,14 @@ git push origin v0.1.11
 This will:
 1. Run tests in GitHub Actions
 2. Create a GitHub release with changelog
-3. Package application and upload to S3
-4. Create CodeDeploy deployment
-5. CodeDeploy will:
+3. Build multi-arch Docker image (amd64/arm64) and push to GHCR
+4. Package config files (appspec.yml, docker-compose.prod.yml, scripts) and upload to S3
+5. Create CodeDeploy deployment
+6. CodeDeploy will:
    - Stop running containers
-   - Deploy new code
-   - Build and start new containers
+   - Deploy new config files
+   - Pull latest image from GHCR
+   - Start new containers
    - Validate service health
 
 Monitor deployment:
@@ -255,17 +269,18 @@ ssh ec2-user@$(terraform output -raw instance_public_ip)
 # Navigate to app directory
 cd /opt/planning-poker
 
-# Pull latest changes
-sudo git pull origin main  # or git checkout v1.0.0
+# Pull latest image from GHCR
+sudo docker compose -f docker-compose.prod.yml pull app
 
-# Rebuild and restart manually
-sudo docker compose -f docker-compose.prod.yml build --no-cache
+# Restart with new image
 sudo docker compose -f docker-compose.prod.yml up -d
 
 # View logs
-sudo docker compose -f docker-compose.prod.yml logs -f
+sudo docker compose -f docker-compose.prod.yml logs -f app
 ```
 
+**Note**: The application is no longer built on the EC2 instance. Images are pre-built in GitHub Actions and stored in GitHub Container Registry (GHCR).
+
 ## Persistence & Backups
 
 **Database Location:**

docker-compose.prod.yml

@@ -25,9 +25,10 @@ services:
       - app
 
   app:
-    build: .
+    image: ghcr.io/damione1/planning-poker:latest
     container_name: planning-poker
     restart: unless-stopped
+    pull_policy: always
     volumes:
       - /mnt/data/pb_data:/app/pb_data
     environment:

scripts/codedeploy/start_application.sh

@@ -5,14 +5,21 @@ echo "=== Starting application ==="
 
 cd /opt/planning-poker
 
-# Load environment variables from Terraform (if available)
+# Load and export environment variables
 if [ -f /etc/environment ]; then
+    set -a  # automatically export all variables
     source /etc/environment
+    set +a
 fi
 
-# Build the application image
-echo "Building Docker image..."
-docker compose -f docker-compose.prod.yml build --no-cache app
+# Verify environment variables are set
+echo "Environment check:"
+echo "  DOMAIN_NAME: ${DOMAIN_NAME:-NOT SET}"
+echo "  LETS_ENCRYPT_EMAIL: ${LETS_ENCRYPT_EMAIL:-NOT SET}"
+
+# Pull latest image from GHCR
+echo "Pulling latest image from GitHub Container Registry..."
+docker compose -f docker-compose.prod.yml pull app
 
 # Start all services
 echo "Starting services..."

terraform/main.tf

@@ -286,7 +286,7 @@ resource "random_id" "codedeploy_bucket" {
   byte_length = 4
 }
 
-# S3 Bucket for CodeDeploy deployment packages
+# S3 Bucket for CodeDeploy deployment packages (configs only, not application code)
 resource "aws_s3_bucket" "codedeploy" {
   bucket = "${var.service_name}-codedeploy-${random_id.codedeploy_bucket.hex}"
 
@@ -339,7 +339,7 @@ data "aws_iam_user" "github_actions" {
   user_name = var.github_actions_user
 }
 
-# IAM policy for GitHub Actions to upload to CodeDeploy bucket
+# IAM policy for GitHub Actions to upload configs and trigger CodeDeploy
 resource "aws_iam_user_policy" "github_actions_codedeploy" {
   name = "${var.service_name}-github-actions-codedeploy-policy"
   user = data.aws_iam_user.github_actions.user_name

terraform/outputs.tf

@@ -88,6 +88,11 @@ output "backup_plan" {
 }
 
 output "codedeploy_s3_bucket" {
-  description = "S3 bucket for CodeDeploy deployment packages"
+  description = "S3 bucket for CodeDeploy config packages (minimal size)"
   value       = aws_s3_bucket.codedeploy.bucket
 }
+
+output "container_registry" {
+  description = "Container registry for Docker images"
+  value       = "ghcr.io/${var.github_repo}"
+}