How to Verify? GitHub Actions said ✅ Success . The server disagreed. We kept running into a subtle CI/CD problem: after pushing to main , GitHub marked the deployment as successful, but checking the server revealed the old code was still there. No error. No alert. Just stale code running in production. This article walks through the root cause, and the two-part fix we implemented: lock detection and commit SHA verification . The Setup Our deployment architecture uses a webhook-based approach (no SSH): GitHub Actions → HTTP POST → deploy.php on server → runs deploy.sh Why webhooks instead of SSH? Our hosting provider (Hypernode) IP-whitelists SSH access. GitHub Actions runs on dynamic Azure IPs that get blocked. Port 443 (HTTPS) has no such restriction.…