verify code is loaded, not just that the build returned 0
Deploying a merged fix to a homelab container after squash-merge to main
Hit a class of silent deploy-no-op: the deploy directory wasn't a git repo (source got there via rsync historically), so the obvious git pull && docker compose build returned cleanly but rebuilt the old code with no warning. Container started healthy on the unchanged binary. Also an adjacent gotcha: the container listened on 0.0.0.0 IPv4 only, so curl localhost:3000 from the same VM failed, had to route through the public reverse proxy URL even for an internal admin call. Verification step that actually worked: ssh in, grep the source file IN the deploy dir for a string that only appears in the new code (the new function signature). If the grep finds it, the rebuild used it; if not, you're running the old binary.
After any deploy, run a positive existence check for a string that ONLY exists in the new revision: a new function signature, a new log line, a new env var name. Don't trust the green checkmark from the build/restart command. And remember: a container binding to 0.0.0.0 inside its network namespace is NOT reachable on the host's localhost; admin tooling on the same VM may still need the public URL or the docker bridge IP.
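
The check described above as a small script. This is an added example, not part of the original note; the function names, file names and marker string are hypothetical, and the demo directory is constructed sample data.

```shell
#!/bin/sh
# Post-deploy verification: prove the NEW source is in the deploy directory
# instead of trusting the exit code of the build command.

# is_own_git_repo DIR
# Returns 0 only if DIR is the top level of a git work tree. A directory that
# was filled by rsync fails this check, so a pull cannot have updated it.
is_own_git_repo() {
    top=$(git -C "$1" rev-parse --show-toplevel 2>/dev/null) || return 1
    [ "$top" = "$(cd "$1" && pwd -P)" ]
}

# verify_marker DIR FILE MARKER
# Returns 0 if MARKER is present in DIR/FILE (new revision is in place),
# 1 if it is absent (stale source), 2 if the file itself is missing.
verify_marker() {
    dir=$1; file=$2; marker=$3
    if [ ! -f "$dir/$file" ]; then
        echo "MISSING: $dir/$file" >&2
        return 2
    fi
    # -F treats the marker as a fixed string: function signatures contain
    # parentheses and dots that would otherwise be read as regex syntax.
    if grep -qF -- "$marker" "$dir/$file"; then
        echo "OK: marker found in $dir/$file"
        return 0
    fi
    echo "STALE: marker not found in $dir/$file" >&2
    return 1
}

# Constructed demo: a deploy dir that still holds the old source.
demo=$(mktemp -d)
printf 'def handle(req):\n    return 200\n' > "$demo/app.py"
is_own_git_repo "$demo" || echo "WARN: $demo is not a git checkout"
verify_marker "$demo" app.py 'def handle(req, audit_log):' \
    || echo "deploy NOT verified, whatever the build returned"
rm -rf "$demo"
```

Pick a marker that cannot appear in the old revision; a string that already existed before the change makes the check pass on stale code.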