* I want a server to poll a Docker registry at a regular interval, and if it finds there's a new image then pull it down and start it up.
* I'm looking to do it this way vs. just pushing the image out as part of CI/CD because GitHub Actions doesn't easily support a static IP range and I don't want to have unrestricted SSH access.
There are a number of these kinds of things for Kubernetes (Keel.sh, et al.) but nothing that I could find for plain Docker. One idea I had was to use something like https://github.com/adnanh/webhook and ping a webhook from the GitHub Action. Yes, it'd be publicly accessible, but using an HMAC header signed by a GitHub secret would probably mitigate much of the risk. The webhook would do the pull and restart (via a shell script).
I also spent some time playing with Waypoint (from HashiCorp) and think it has potential, but of course it is a bit different. They do have a Docker image 'builder' and I think the webhook could be built into the server side to do the pull on new image. FWIW, I am looking at moving my app to fly.io.
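The HMAC-signed webhook idea above, as an added example that is not part of the original thread or of the webhook project linked there: a minimal receiver that verifies GitHub's `X-Hub-Signature-256` header (`sha256=<hex>`) with a constant-time compare before it pulls and restarts, and that pins the image name server-side instead of trusting anything in the request body. The secret, image name, container name and port are placeholders.

```python
# Added example: HMAC-verified webhook that triggers a docker pull/restart.
# Secret, image, container and port below are assumptions, not values from the thread.
import hashlib
import hmac
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Optional

WEBHOOK_SECRET = b"replace-with-the-github-secret"    # placeholder shared secret
IMAGE = "registry.example.com/myapp:latest"           # pinned here, never read from the payload
CONTAINER = "myapp"
SAMPLE_BODY = b'{"ref": "refs/heads/main"}'           # constructed sample payload


def sign(secret: bytes, body: bytes) -> str:
    """Header value the sender (e.g. the GitHub Action) computes over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """True only if header == 'sha256=' + HMAC-SHA256(secret, body)."""
    if not header or not header.startswith("sha256="):
        return False
    # compare_digest is constant-time, so a wrong guess does not leak by timing.
    return hmac.compare_digest(sign(secret, body), header)


def redeploy(image: str = IMAGE, container: str = CONTAINER) -> None:
    """Pull the pinned image and recreate the container from it (run flags elided)."""
    subprocess.run(["docker", "pull", image], check=True)
    subprocess.run(["docker", "rm", "-f", container], check=False)
    subprocess.run(["docker", "run", "-d", "--name", container, image], check=True)


def handle(body: bytes, header: Optional[str], secret: bytes = WEBHOOK_SECRET,
           action: Callable[[], None] = redeploy) -> int:
    """Verify first, act second; return the HTTP status to send back."""
    if not verify_signature(secret, body, header):
        return 401          # unsigned or badly signed: do nothing
    action()
    return 204


class Handler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        self.send_response(handle(body, self.headers.get("X-Hub-Signature-256")))
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 9000), Handler).serve_forever()   # port is an assumption
```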