Playbook for git deployments

I realize there’s a module for deploying code from a Git repo. However, I’m looking for advice on how to handle the post deployment tasks. My main concern is having the “.git” folder in the documentroot on production servers. How are people handling this? One option is to run a command after the repo is cloned. However, this means I also have to do an “rm -rf” prior to the next deploy. If I try to deploy again it complains that the directory still exists, hence the “rm -rf” is required prior to deploying each time.

You could always do the checkout someplace besides the application’s destination, and then use “command: rsync” to move the files (with --exclude=.git).

You could also just checkout the last revision (--depth 1) in the terminal. In Ansible, you use depth=1 to do this!

JH

That also gives me the .git folder, no?

I ended up doing two things.

I set “GIT_WORK_DIR=/var/www/html/” then run “git checkout -f” from within the repo folder from where I did a git clone.

Question, in the GIT module, I notice there’s an update flag. As a test I ran it multiple times and it took the same length of time as an initial check out would. Does it just do a “git clone” every time or does it do a git pull (what I’m looking for)?

Sorry, I assumed the problem you had with .git was its size? Depth=1 effectively solves that problem, otherwise ignore me :)

git archive was designed to give you full exports (they lack .git).

One perspective from deploying on Django/uwsgi. What we do is:

- Pull code from git via Ansible git module.
- Upload the configuration files for the client via Ansible template module.
- If either of those has changed from the previous server update, I trigger an actual deploy, which is a script that does:
    - rsync --exclude=.git the project and configuration files to a tmpfoo directory,
    - mv tmpfoo productiondirectory, clobbering the previous production code.

I have uwsgi set up to watch the productiondirectory and reload on a
write event. `mv` is atomic, and uwsgi makes sure that all existing
processes exit cleanly as it restarts. YMMV may vary hugely, of
course.

J
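
The two suggestions above (a git archive export, and staging the files before switching them into place) combined into one script, as an added example that is not from any poster in this thread. The function names, the releases/ and current layout, and the symlink switch with GNU `mv -T` are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example; function names and the releases/ + current layout are assumptions.

# Return 1 if any VCS metadata (.git may be a file or a directory) is under $1.
assert_no_vcs_metadata() {
    local dir="$1" found
    found=$(find "$dir" \( -name .git -o -name .svn -o -name .hg \) -print | head -n 1)
    if [ -n "$found" ]; then
        echo "refusing to publish: VCS metadata at $found" >&2
        return 1
    fi
}

# deploy_release REPO REF BASE
# Exports REF from REPO into BASE/releases/<commit> and points BASE/current at it.
# The web server's document root is assumed to be BASE/current.
deploy_release() {
    local repo="$1" ref="$2" base="$3" commit release
    commit=$(git -C "$repo" rev-parse --verify "${ref}^{commit}") || return 1
    release="$base/releases/$commit"
    if [ ! -d "$release" ]; then
        rm -rf "$release.tmp" && mkdir -p "$release.tmp" || return 1
        # git archive emits tracked files only, so no .git reaches the release.
        git -C "$repo" archive --format=tar -o "$release.tar" "$commit" || return 1
        tar -xf "$release.tar" -C "$release.tmp" || return 1
        rm -f "$release.tar"
        mv "$release.tmp" "$release" || return 1
    fi
    # Gate before publishing: catches metadata that was itself committed (e.g. .svn).
    assert_no_vcs_metadata "$release" || return 1
    # Create the new symlink under a temporary name, then rename it over the
    # old one. rename(2) is atomic; -T (GNU mv) stops mv descending into current.
    ln -sfn "releases/$commit" "$base/current.new" || return 1
    mv -T "$base/current.new" "$base/current"
}
```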

Excerpts from Samnang Sen's message of 2013-10-05 21:03:33 -0400:

> I realize there's a module for deploying code from a Git repo. However, I'm
> looking for advice on how to handle the post deployment tasks. My main
> concern is having the ".git" folder in the documentroot on production
> servers. How are people handling this? One option is to run a command after
> the repo is cloned. However, this means I also have to do an "rm -rf" prior
> to the next deploy. If I try to deploy again it complains that the
> directory still exists, hence the "rm -rf" is required prior to deploying
> each time.

It's up to you whether you'd consider this sufficiently secure, but you
can always tell your webserver never to serve out anything under
a folder called '.git'. In Apache you'd do a DirectoryMatch with a Deny
from all in it.

In theory, a compromised web server renders this moot, but at that point
you might have bigger fish to fry.