Why does my Docker build work locally but fail in GitHub Actions?

Your local Docker setup probably has different layer caching, different architecture (ARM vs x86), or you're relying on files that aren't in your git repo. Common culprits: - Missing `.dockerignore` (includes `.git` and kills the build) - Hard-coded paths that work on macOS but break on Linux - Dependency on local environment variables - Multi-platform build issues (M1 Mac vs Intel runners) Copy this to fix 90% of cases: ```bash docker build --platform linux/amd64 -t my-app . ```

My ECS task keeps dying with exit code 1. How do I figure out what's wrong?

ECS error messages are useless on purpose. Check CloudWatch logs first: ```bash aws logs describe-log-groups --log-group-name-prefix \"/ecs/\" aws logs get-log-events --log-group-name \"/ecs/my-app\" --log-stream-name \"ecs/my-app/task-id\" ``` Common causes: - **Port mismatch**: App listens on 3000, task definition expects 80 - **Missing environment variables**: `process.env.DATABASE_URL` is undefined - **Wrong working directory**: App expects files in `/usr/src/app`, Dockerfile uses `/app` - **Permission issues**: Running as root locally, restricted in container

How do I stop GitHub Actions from eating my wallet?

Your builds are probably inefficient. First things to fix: 1. **Add Docker layer caching** (saves 5-10 minutes per build) 2. **Use `npm ci` instead of `npm install`** (faster, predictable) 3. **Don't rebuild unchanged dependencies** (structure your Dockerfile properly) 4. **Cache node_modules** in GitHub Actions Here's a build that doesn't suck: ```yaml - uses: actions/cache@v3 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} ```

My app works but users can't reach it. What's wrong with the networking?

AWS networking is designed to make you suffer. Check these in order: 1. **Security groups**: ECS task needs outbound rules for internet access 2. **Load balancer target groups**: Health check path must exist (`/health`) 3. **Subnet routing**: Public subnets for ALB, private for ECS tasks 4. **NAT Gateway**: Private subnets need internet access for outbound calls Quick health check endpoint that actually works: ```javascript app.get('/health', (req, res) => { res.status(200).json({ status: 'ok', timestamp: new Date().toISOString() }); }); ```

Database migrations keep breaking my deployments. What's the right way?

Don't run migrations in your app container. Ever. Create a separate task definition for migrations: ```bash aws ecs run-task \ --cluster my-cluster \ --task-definition migration-task \ --wait \ --query 'tasks[0].lastStatus' ``` If migration fails, your deployment fails. If migration succeeds, then deploy the app. Takes longer but saves you from the "app is up but database is fucked" scenario.

Why is my AWS bill $400 when I thought ECS was cheap?

You probably have: - **50 old ECR images** at $0.10/GB each (set up lifecycle policies) - **Load balancer running 24/7** ($16/month whether you use it or not) - **Fargate compute for oversized containers** (1GB RAM when you need 256MB) - **Cross-AZ data transfer charges** (put everything in one AZ for dev) - **CloudWatch Logs retention** set to "never expire" (change to 30 days) Use [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to find what's actually costing money.

How do I deploy to staging and production without manual steps?

Set up GitHub Environments with different approval rules: ```yaml jobs: deploy-staging: environment: staging if: github.ref == 'refs/heads/main' # Auto-deploys on push to main deploy-production: environment: production if: github.ref == 'refs/heads/main' needs: deploy-staging # Requires manual approval ``` Staging deploys automatically. Production requires someone to click "Approve" in GitHub. Don't skip the approval step unless you want to debug production issues at 2am.

My deployment succeeds but the app returns 500 errors. How do I debug this?

ECS doesn't care if your app works, just if the container runs. Check application logs in CloudWatch: ```bash # Get the latest log stream aws logs describe-log-streams --log-group-name \"/ecs/my-app\" --order-by LastEventTime --descending --max-items 1 # Read the logs aws logs get-log-events --log-group-name \"/ecs/my-app\" --log-stream-name \"stream-name\" ``` Common issues: - **Wrong environment variables**: `NODE_ENV=production` but config expects `NODE_ENV=prod` - **Database connection failures**: Wrong security group, wrong connection string - **Missing dependencies**: Production build stripped dev dependencies your app actually needs - **File system permissions**: Can't write to `/tmp` or read config files

Can I use this setup for a side project or is it overkill?

It's probably overkill. For side projects, consider: - **Render.com**: $7/month, connects to GitHub, just works - **Railway**: Similar to Render, good free tier - **Vercel/Netlify**: For static sites and serverless - **Fly.io**: More control, reasonable pricing Only use ECS if you need: - **Fine-grained control** over container orchestration - **Integration with other AWS services** - **Complex networking requirements** - **Experience with production-grade deployments** For a basic web app, ECS is like using a freight truck to deliver pizza.

Currently viewing the AI version

Switch to human version

GitHub Actions + Docker + AWS ECS CI/CD: AI-Optimized Technical Reference

Configuration Requirements

Docker Configuration That Actually Works

FROM node:18-alpine
WORKDIR /app

# Copy package files first for better caching
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force

# Copy app source
COPY . .

# Don't run as root
USER node
EXPOSE 3000
CMD ["npm", "start"]

Critical Docker Requirements:

Multi-stage builds reduce image size from 1.5GB to 200MB but introduce dependency breakage
npm ci --only=production breaks builds requiring TypeScript or build tools
.dockerignore is mandatory - without it, images reach 2GB including node_modules, .git
Multi-platform builds required: docker build --platform linux/amd64

ECS Task Definition Requirements

{
  "family": "my-app",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "256",
  "memory": "512",
  "executionRoleArn": "arn:aws:iam::account:role/ecsTaskExecutionRole",
  "containerDefinitions": [{
    "name": "my-app",
    "image": "account.dkr.ecr.region.amazonaws.com/my-app:latest",
    "portMappings": [{"containerPort": 3000}],
    "environment": [
      {"name": "PORT", "value": "3000"}
    ],
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "/ecs/my-app",
        "awslogs-region": "us-east-1",
        "awslogs-stream-prefix": "ecs"
      }
    }
  }]
}

Critical ECS Specifications:

CPU units: 256-4096 (AWS engineers hate round numbers)
Memory: Must be specific combinations or ECS fails
Environment variables must be strings, not numbers
Health check endpoint is mandatory: /health

GitHub Actions OIDC Setup

name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    
    steps:
    - uses: actions/checkout@v4
    
    - name: Configure AWS
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
        role-session-name: GitHubActions
        aws-region: us-east-1

OIDC Trust Policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::ACCOUNT:oidc-provider/token.actions.githubusercontent.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
      },
      "StringLike": {
        "token.actions.githubusercontent.com:sub": "repo:username/repo:*"
      }
    }
  }]
}

Resource Requirements and Costs

Time Investment

Week 1: Docker builds locally, dependency conflicts
Week 2: GitHub Actions ECR integration, OIDC debugging
Week 3: ECS task execution, security group issues
Week 4: Health check configuration, environment variables
Week 5: Production deployment, database migration integration
Week 6: Monitoring setup, false alarm resolution

Total Implementation Time: 6 weeks minimum

Cost Breakdown

GitHub Actions: $0.008/minute - inefficient builds cost $100+/month
ECR: $0.10/GB/month - 50 old images = $60/month without lifecycle policies
Fargate: $0.04048/vCPU/hour - small app (0.25 vCPU) = $7.20/month
Load Balancer: $16/month constant cost
CloudWatch Logs: Free with 30-day retention, expensive with indefinite retention

Expertise Requirements

Docker: Multi-stage builds, layer caching, platform differences
AWS Networking: Security groups, subnets, NAT gateways
ECS: Task definitions, service configuration, deployment strategies
GitHub Actions: YAML syntax, OIDC setup, secret management

Critical Warnings and Failure Modes

Docker Build Failures

Symptom: Builds work locally, fail in CI
Root Causes:

Different architectures (ARM vs x86)
Missing .dockerignore
Hard-coded paths breaking on Linux
Dependency on local environment variables

Solution: Use --platform linux/amd64, proper .dockerignore

ECS Task Death (Exit Code 1)

Most Common Causes:

Port mismatch: App listens on 3000, task definition expects 80
Missing environment variables: DATABASE_URL undefined
Wrong working directory: App expects /usr/src/app, Dockerfile uses /app
Permission issues: Running as root locally, restricted in container

Debugging: Check CloudWatch logs, not ECS console messages

Networking Failures

Symptoms: App runs but users can't reach it
Check Order:

Security groups - ECS task needs outbound internet rules
Load balancer target groups - health check path must exist
Subnet routing - public subnets for ALB, private for ECS
NAT Gateway - private subnets need internet for outbound calls

GitHub Actions Cost Explosions

Root Causes:

No Docker layer caching (default disabled)
Using npm install instead of npm ci
Rebuilding unchanged dependencies
No node_modules caching

Build Time Reduction: 45 minutes → 3 minutes with proper caching

Database Migration Disasters

Anti-Pattern: Running migrations in app container
Consequence: "App is up but database is broken" scenarios
Solution: Separate migration task definition, run before app deployment

Decision Support Matrix

Deployment Strategies

Strategy	AWS Claims	Reality	Failure Mode	Recommendation
Rolling	"Gradual replacement"	Half traffic hits new code immediately	Health checks fail, ECS kills everything	Use unless you're Netflix
Blue-Green	"Zero downtime"	Costs 2x for 10 minutes, works perfectly	Database migrations break everything	Skip unless handling money
Canary	"Risk mitigation"	More config time than deploy time	5% users get broken experience	Only with dedicated DevOps team
Recreate	"Simple strategy"	Site down 3 minutes	Users notice, support tickets	Never use in production

Alternative Platforms

Platform	Cost	Complexity	Best For
ECS	$100+/month	High	Fine-grained control, AWS integration
Render	$7/month	Low	Side projects, "just works"
Railway	Good free tier	Low	Similar to Render
Fly.io	Moderate	Medium	Balance of control and simplicity

Recommendation: Only use ECS if you need production-grade orchestration or AWS service integration

Implementation Checklist

Initial Setup

Create ECR repository with lifecycle policies
Set up Fargate cluster (not EC2)
Configure OIDC provider and IAM role
Create task definition with proper resource limits

Docker Optimization

Multi-stage build structure
Proper .dockerignore file
Platform-specific builds
Node.js memory limits: --max-old-space-size=400

GitHub Actions Configuration

OIDC authentication (no AWS keys in repo)
Docker layer caching enabled
Node modules caching
Parallel build steps where possible

Monitoring and Alerting

Health check endpoint: GET /health
CloudWatch alarms: task count, CPU, memory, error rate
Log retention set to 30 days
Cost monitoring enabled

Security Hardening

Run containers as non-root user
Security groups properly configured
No secrets in environment variables
Regular base image updates

Breaking Points and Thresholds

Performance Limits

UI breaks at 1000+ spans: Makes debugging large distributed transactions impossible
Build timeout: 6 hours GitHub Actions limit with inefficient Docker builds
Memory limits: Node.js will consume all available RAM without --max-old-space-size
Health check failures: 30-second restart loop if endpoint doesn't respond

Cost Thresholds

$100/month: Reasonable for production workload
$400/month: Usually indicates misconfiguration (old images, oversized containers)
10 deploys/day: $3.60 per deploy with inefficient builds

Scaling Considerations

Fargate vs EC2: 3x cost premium for Fargate worth it for mental health
Single AZ vs Multi-AZ: Cross-AZ data transfer charges add up quickly
Auto-scaling thresholds: CPU >80%, Memory >85% trigger scaling

Common Misconceptions

"ECS is like Docker Compose": ECS networking is quantum physics-level complex
"Fargate is expensive": Mental health cost of EC2 debugging exceeds price difference
"Health checks are optional": Without them, ECS restarts containers every 30 seconds
"GitHub Actions is cheap": Inefficient builds cost $100+/month
"Multi-stage builds always help": They introduce dependency management complexity

Success Criteria

Working System Indicators

Deploy to main triggers automatic build and deployment
Health checks pass consistently
Application logs visible in CloudWatch
No manual server access required
Rollback capability through ECS service updates

Performance Benchmarks

Build time: <5 minutes after first run
Deployment time: <10 minutes end-to-end
Zero downtime: Rolling deployments work without service interruption
Cost predictability: Monthly AWS bill variance <20%

Useful Links for Further Investigation

Resources That Actually Help (When Things Go Wrong)

Link	Description
GitHub Actions ECS deployment issues	Find real problems and real solutions for GitHub Actions and Amazon ECS deployment issues on Stack Overflow.
Docker build failures in CI	Explore solutions for Docker build failures in CI environments, including platform differences and layer caching issues.
ECS task keeps stopping	Troubleshoot Amazon ECS tasks that keep stopping, focusing on exit code debugging and health check configurations.
AWS IAM OIDC permission denied	Address AWS IAM OIDC permission denied errors by troubleshooting trust policy configurations and OpenID Connect setups.
aws-actions/configure-aws-credentials issues	Review common OIDC setup problems and solutions related to the aws-actions/configure-aws-credentials GitHub action.
aws-actions/amazon-ecs-deploy-task-definition issues	Investigate deployment failures and known issues for the aws-actions/amazon-ecs-deploy-task-definition GitHub action.
Docker build failures	Examine reported Docker build failures, including platform compatibility and caching issues, for the build-push-action.
OIDC with AWS setup	Official documentation for configuring OpenID Connect in Amazon Web Services for GitHub Actions, essential for correct setup.
Workflow syntax	Comprehensive guide to GitHub Actions workflow syntax, useful when implementing specific YAML features in your workflows.
Security hardening	Best practices and guidelines for security hardening your GitHub Actions deployments to prevent unauthorized access and attacks.
ECS Task Definition Parameters	Essential reference documentation for all Amazon ECS Task Definition parameters, crucial for configuring your containerized applications.
ECS Service Auto Scaling	Learn how to configure Amazon ECS Service Auto Scaling to manage application capacity efficiently without causing disruptions.
ECR Lifecycle Policies	Understand and implement Amazon ECR Lifecycle Policies to automatically manage and clean up old container images, saving costs.
aws-actions/amazon-ecs-deploy-task-definition	The official GitHub Action for deploying Amazon ECS task definitions, providing a reliable and functional starting point.
GitHub starter workflows	A simple and effective AWS deployment template from GitHub's starter workflows, serving as a good initial configuration.
Netflix/dispatch	Explore Netflix's dispatch project for insights into real-world, production-grade Amazon ECS deployment strategies and patterns.
Shopify/shipit-engine	Examine Shopify's shipit-engine to understand real deployment patterns and practices used in a large-scale production environment.
AWS CLI v2	The essential AWS Command Line Interface version 2, crucial for managing AWS services from your local development environment.
Docker Desktop	Docker Desktop provides a convenient environment for local container testing and development on your workstation.
aws-vault	A tool for secure credential management, allowing you to store and access AWS credentials safely on your local machine.
ecs-cli	The Amazon ECS CLI simplifies operations for managing your Amazon ECS clusters, services, and tasks from the command line.
AWS CloudWatch Logs	Access and analyze your application logs in AWS CloudWatch Logs to identify and debug errors effectively.
ECS Exec	Use Amazon ECS Exec to securely shell into running containers, enabling direct debugging and troubleshooting.
ctop	A command-line tool similar to htop, providing real-time monitoring and management for your running containers.
AWS Cost Explorer	Utilize AWS Cost Explorer to visualize, understand, and manage your AWS spending, helping identify cost-saving opportunities.
AWS Containers Blog	The official AWS Containers Blog provides updates, announcements, and deep dives into new features for container services.
Depot.dev Blog	Explore the Depot.dev Blog for articles and insights focused on optimizing Docker build processes and performance.
Last Week in AWS	Stay informed with 'Last Week in AWS', offering curated AWS news and insightful opinions on recent developments.
DevOps Chat Slack	Join the DevOps Chat Slack community, specifically the #aws channel, for discussions and support related to AWS.
Stack Overflow DevOps	Engage with the Stack Overflow DevOps community to learn from real experiences, challenges, and solutions in DevOps practices.
AWS Community Slack	The official AWS Community Slack channel, a resource for connecting with other AWS users and seeking assistance.
AWS Support	Access AWS Premium Support, where the $29/month Developer plan offers valuable assistance when you're stuck.
GitHub Community	The official GitHub Community forum provides a platform for users to ask questions and get support from peers.
Stack Overflow AWS	Seek community help and solutions for Amazon Web Services related questions on the dedicated Stack Overflow tag.
Render	A platform offering $7/month plans, seamless GitHub integration, and a reputation for just working for your deployments.
Railway	A platform known for its good free tier and straightforward deployment process, simplifying application hosting.
Fly.io	Offers a balance between Platform-as-a-Service and Amazon ECS, providing more control without the full complexity.
Digital Ocean App Platform	Digital Ocean's App Platform provides a straightforward solution for deploying and managing containerized applications.
ECS Console Guide	The Amazon ECS Console Guide is an essential bookmark for quickly checking the status of your ECS services and clusters.
ECS Task Definitions	Reference this guide to effectively manage and understand Amazon ECS task definitions, crucial for your container configurations.
ECR Repositories Guide	The Amazon ECR Repositories Guide helps you manage your container images, including creation, deletion, and access policies.
AWS Cost Management	Monitor and manage your AWS spending effectively using the AWS Cost Management dashboard and related tools.
GitHub Actions Marketplace	Discover and integrate various AWS ECS actions from the GitHub Actions Marketplace to enhance your deployment workflows.
GitHub Docs - Actions	The comprehensive official documentation for GitHub Actions, covering all aspects of workflow creation and management.
GitHub Actions Samples	Explore GitHub Actions samples and deployment workflow templates to quickly set up and customize your CI/CD pipelines.

GitHub Actions + Docker + AWS ECS CI/CD: AI-Optimized Technical Reference

Configuration Requirements

Docker Configuration That Actually Works

ECS Task Definition Requirements

GitHub Actions OIDC Setup

Resource Requirements and Costs

Time Investment

Cost Breakdown

Expertise Requirements

Critical Warnings and Failure Modes

Docker Build Failures

ECS Task Death (Exit Code 1)

Networking Failures

GitHub Actions Cost Explosions

Database Migration Disasters

Decision Support Matrix

Deployment Strategies

Alternative Platforms

Implementation Checklist

Initial Setup

Docker Optimization

GitHub Actions Configuration

Monitoring and Alerting

Security Hardening

Breaking Points and Thresholds

Performance Limits

Cost Thresholds

Scaling Considerations

Common Misconceptions

Success Criteria

Working System Indicators

Performance Benchmarks

Useful Links for Further Investigation

Resources That Actually Help (When Things Go Wrong)

Related Tools & Recommendations

GitOps Integration Hell: Docker + Kubernetes + ArgoCD + Prometheus

Stop Fighting Your CI/CD Tools - Make Them Work Together

GitHub Actions + Jenkins Security Integration

Fix Kubernetes ImagePullBackOff Error - The Complete Battle-Tested Guide

Fix Kubernetes OOMKilled Pods - Production Memory Crisis Management

Docker Desktop vs Podman Desktop vs Rancher Desktop vs OrbStack: What Actually Happens

Stop Docker from Killing Your Containers at Random (Exit Code 137 Is Not Your Friend)

CVE-2025-9074 Docker Desktop Emergency Patch - Critical Container Escape Fixed

Podman Desktop - Free Docker Desktop Alternative

Podman Desktop Alternatives That Don't Suck

CircleCI - Fast CI/CD That Actually Works

Jenkins - The CI/CD Server That Won't Die

Rancher Desktop - Docker Desktop's Free Replacement That Actually Works

Amazon ECR - Because Managing Your Own Registry Sucks

containerd - The Container Runtime That Actually Just Works

Docker Swarm Service Discovery Broken? Here's How to Unfuck It

Docker Swarm Node Down? Here's How to Fix It

Docker Swarm - Container Orchestration That Actually Works

GitHub Actions - CI/CD That Actually Lives Inside GitHub

Docker говорит permission denied? Админы заблокировали права?