Deploy from GitHub Actions
Publish your site or dapp to DIG automatically — a new capsule of your existing store, exactly the git-push-to-deploy flow you'd expect from a managed host, but decentralized. Add one workflow file; the Action does the right thing for the event:
- Pull request → a free preview. Your build is compiled and verified through the real chia://read path and you get a shareable, content-addressed preview. No chain, no wallet, no spend.
- Push to your default branch → a real deploy. The Action advances your store's on-chain root and publishes the new capsule, then posts the live URL + cost back on the commit.
The dedicated dig-network/deploy-action does the work: it installs the digstore CLI on the runner, runs digstore deploy, and reports the result as step outputs, a PR comment, a GitHub Deployment, and a commit status.
Your store already exists (you ran digstore init once, which mints it and spends $DIG). The Action only advances that store — it never mints. Each real deploy is a new capsule and costs the uniform capsule price in $DIG + a small XCH fee, paid from your deploy wallet. PR previews are free.
What you need
- An existing DIG store (created with digstore init).
- The store bound to your repo in DIGHUb (the one-time keyless binding, below) — so CI needs no long-lived hub secret.
- A dedicated deploy wallet funded with enough DIG for your expected deploys (it pays only on a real deploy; see Security).
- A GitHub repo whose build produces a directory of static files (e.g. dist/).
Keyless CI auth (--writer-key) and the free deploy --preview path require digstore ≥ v0.6.0 — which is the Action's default digstore-version. Keep digstore-version pinned to an explicit tag for reproducible CI.
Add the workflow
One workflow handles both modes — a free preview on every PR and a real deploy on push to your default branch. The Action picks the mode from the event; you don't configure it.
name: Deploy to DIG
on:
  push:
    branches: [main]     # real deploy
  pull_request:          # free preview
permissions:
  contents: read
  id-token: write        # KEYLESS auth — exchange the OIDC token (no hub secret)
  pull-requests: write   # comment the preview / live URL on the PR
  deployments: write     # the GitHub Deployment + commit status
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: "20" }
      - run: npm ci && npm run build   # produces ./dist
      - name: Deploy to DIG
        id: dig
        uses: DIG-Network/deploy-action@v1   # pin to @v1 once released (a commit SHA until then)
        with:
          directory: dist
          digstore-version: v0.6.0   # PIN for reproducible CI
          # KEYLESS: no hub secret. The on-chain spend still needs a funding wallet:
          writer-key: ${{ secrets.DIG_WRITER_KEY }}   # advances the root (revocable, root-only)
          passphrase: ${{ secrets.DIGSTORE_PASSPHRASE }}   # funds the capsule price ($DIG) + XCH fee
          mnemonic: ${{ secrets.DIG_MNEMONIC }}
          # store-id comes from the OIDC binding (or dig.toml). Pass store-id: to override.
      - run: echo "Deployed ${{ steps.dig.outputs.capsule }} -> ${{ steps.dig.outputs.hub-url }}"
That's it. Open a PR to get a free preview commented on it; merge to main to advance your store's on-chain root and publish the new capsule to DIGHUb.
- PRs run digstore deploy --preview: a free, content-addressed build verified through the real chia://read path. The preview address is the content-address output and is commented on the PR.
- Pushes to the default branch run digstore deploy --if-changed: a push whose build is byte-identical to the live version is a no-op (no spend, nothing published), so it is safe to run on every push.
- A push to a non-default branch previews (never a surprise spend). Set preview: true to force a preview on any event.
Keyless auth — one-time binding
Keyless auth removes the long-lived hub secret from your repo. CI presents the workflow's short-lived GitHub OIDC token; the hub verifies it (fail-closed against GitHub's JWKS) and, if your repo + ref is bound to your store, mints a short-lived store-scoped session for the push. Requires permissions: id-token: write (in the workflow above).
Register the binding once (owner-only) — no secret is generated, the binding itself is what authorizes the exchange:
- In DIGHUb: Project → Settings → CI deploy → add a repo binding for owner/repo + the git ref (defaults to refs/heads/main).
If the repo isn't bound, the Action fails with a clear 403 pointing you here.
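What the hub-side half of that exchange has to check, as an added illustration written for this page (it is not DIGHUb or digstore code): it assumes the token's signature has already been verified against GitHub's JWKS by a JWT library, and the Binding record, authorize_exchange and the store id are hypothetical.

```python
"""Hypothetical hub-side binding check for the keyless CI exchange.
Signature verification against GitHub's JWKS is assumed to have happened
already (e.g. PyJWT + PyJWKClient); only the claim and binding checks are shown."""
import time
from dataclasses import dataclass
from typing import List, Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"  # GitHub's real OIDC issuer
DEFAULT_REF = "refs/heads/main"  # the binding default named on this page


@dataclass(frozen=True)
class Binding:            # hypothetical hub record, one per registered owner/repo + ref
    repository: str       # "owner/repo"
    store_id: str
    ref: str = DEFAULT_REF


class ExchangeDenied(Exception):
    """Any reason the exchange must not proceed (the 403 the Action reports)."""


def authorize_exchange(claims: dict, bindings: List[Binding], now: Optional[float] = None) -> str:
    """Return the store id this token may advance, or raise ExchangeDenied (fail closed)."""
    now = time.time() if now is None else now
    try:  # every required claim must be present; a missing one is a denial, not a pass
        if claims["iss"] != GITHUB_ISSUER:
            raise ExchangeDenied("unexpected issuer")
        if not (claims["nbf"] <= now < claims["exp"]):
            raise ExchangeDenied("token not yet valid or expired")
        repo, ref = claims["repository"], claims["ref"]
    except KeyError as missing:
        raise ExchangeDenied(f"missing claim {missing}") from None
    # Exact match on repo + ref: a PR job's token carries ref refs/pull/N/merge,
    # which never matches a refs/heads/main binding, so previews can't become deploys.
    for b in bindings:
        if b.repository == repo and b.ref == ref:
            return b.store_id
    raise ExchangeDenied("repository/ref not bound to any store (403)")


def exchange_or_none(claims: dict, bindings: List[Binding], now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: store id on success, None on any denial."""
    try:
        return authorize_exchange(claims, bindings, now)
    except ExchangeDenied:
        return None


# Constructed sample data (not a real token or store): the claims a GitHub OIDC token carries
GOOD_CLAIMS = {"iss": GITHUB_ISSUER, "repository": "example-org/site",
               "ref": "refs/heads/main", "nbf": 1_700_000_000, "exp": 1_700_000_300}
SAMPLE_BINDINGS = [Binding("example-org/site", "store-EXAMPLE-ID")]
```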