SW-1254: log image SHA on deploy for traceability#696
Merged
Conversation
Contributor
Pull request overview
Adds end-to-end deploy traceability by baking the build commit SHA into the Docker image and exposing it at runtime (boot log + /healthcheck/) so operators can quickly correlate a running container with a specific commit/PR.
Changes:
- Inject `GIT_SHA` at Docker build time (Dockerfile `ARG`/`ENV`) and pass it from GitHub Actions via `docker/build-push-action`.
- Extend app config (`build.gitSha`) sourced from `process.env.GIT_SHA` with a default of `"unknown"`.
- Log the SHA on startup and include it in the `/healthcheck/` response; update the integration test accordingly.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| test/integration/routes/healthcheck.test.ts | Updates expected /healthcheck/ response to include gitSha. |
| src/server.ts | Adds structured boot log fields including gitSha. |
| src/routes/healthcheck.ts | Includes gitSha in /healthcheck/ JSON response. |
| src/config/envs/default.ts | Adds build.gitSha default config sourced from process.env.GIT_SHA. |
| src/config/app-config.interface.ts | Extends AppConfig with build.gitSha. |
| Dockerfile | Bakes GIT_SHA into the runtime image environment. |
| .github/workflows/docker-publish.yml | Passes GIT_SHA=${{ github.sha }} as a Docker build-arg. |
SW-1254 — Deploy → SHA → PR traceability (backend)
Part of SW-1254. After the 2026-04-23 incident, identifying which code was running in production at a given moment took hours of cross-referencing. This change makes the backend self-report the commit it was built from.
What changed
- Dockerfile accepts `ARG GIT_SHA` and exposes it as `ENV GIT_SHA`; the Docker build workflow passes `build-args: GIT_SHA=${{ github.sha }}`. Local builds default to `unknown`.
- `build.gitSha` config field (interface + `default.ts`), read from `process.env.GIT_SHA`.
- `logger.info({ event: 'app_boot', gitSha, appEnv, port }, …)`. Container stdout already flows to the `swprod-log-analytics` workspace, so this is queryable with no new infra — filter `ContainerAppConsoleLogs_CL` on `app_boot` to see what SHA was running at any time.
- `/healthcheck/` now returns `gitSha` alongside `message`, so "what's running right now" needs no log query. Updated the one integration test that pinned the exact response body.
Companion PRs
- statswales-frontend — same boot-log pattern across publisher & consumer.
- statswales-terraform — SHA in the Azure DevOps run name + runbook lookup steps.
Verification
`npm run check` passes (lint, build, 1714 tests). Local bake check: `docker build --build-arg GIT_SHA=test123 -t sw-be:t .` then hit `/healthcheck/` → `{"message":"success","gitSha":"test123"}`. End-to-end (ADO run name + KQL lookup) confirms once a build reaches prod.
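The config-to-healthcheck path described in the PR, as a self-contained added example that is not the project's own code. It assumes the names `loadBuildConfig`, `healthcheckBody` and `bootLogFields`, and adds one check the PR does not describe: the value read from `GIT_SHA` is only echoed if it is a plain token (hex SHA, a tag like `test123`), otherwise it falls back to `"unknown"`, so a stray or malformed environment value never lands in the public response body or the boot log.

```typescript
// Added example (not the PR's code). Assumed names: loadBuildConfig,
// healthcheckBody, bootLogFields. Mirrors build.gitSha -> /healthcheck/ -> app_boot.

interface BuildConfig {
  gitSha: string;
}

// Allowlist for what we are willing to report: letters, digits, '.', '_', '-'.
// A 40-hex github.sha and a local tag such as "test123" both pass; anything
// with whitespace, quotes or control characters is reported as "unknown".
const GIT_SHA_TOKEN = /^[0-9A-Za-z._-]{1,64}$/;

// Read GIT_SHA from an env map (pass process.env in the real app).
function loadBuildConfig(env: Record<string, string | undefined>): BuildConfig {
  const raw = env.GIT_SHA ?? "";
  return { gitSha: GIT_SHA_TOKEN.test(raw) ? raw : "unknown" };
}

// Body of the /healthcheck/ JSON response: { message, gitSha }.
function healthcheckBody(config: BuildConfig): { message: string; gitSha: string } {
  return { message: "success", gitSha: config.gitSha };
}

// Structured fields for the app_boot event, returned as an object so they can
// be handed straight to a structured logger (e.g. logger.info(fields, "boot")).
function bootLogFields(
  config: BuildConfig,
  appEnv: string,
  port: number,
): { event: string; gitSha: string; appEnv: string; port: number } {
  return { event: "app_boot", gitSha: config.gitSha, appEnv, port };
}

// Stand-alone run: read the real environment if available, else an empty map.
const runtimeEnv: Record<string, string | undefined> =
  (globalThis as any).process?.env ?? {};
const buildConfig = loadBuildConfig(runtimeEnv);
console.log(JSON.stringify(bootLogFields(buildConfig, "local", 3000)));
console.log(JSON.stringify(healthcheckBody(buildConfig)));
```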