From 0ab003ec84e97cb7655781106e5e2afe5bb10782 Mon Sep 17 00:00:00 2001
From: Pouya <>
Date: Thu, 4 Jun 2026 15:21:42 +0200
Subject: [PATCH] ci: add Gitea Actions deploy trigger for tutorials.local

On push to main, SSH (forced-command key) to the tutorials LXC and trigger the host-side tutorials-deploy.service. Key comes from the TUTORIALS_DEPLOY_KEY Actions secret.

---
 .gitea/workflows/deploy.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .gitea/workflows/deploy.yml

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
new file mode 100644
index 0000000..cfa9cce
--- /dev/null
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,36 @@
+name: Deploy
+
+# Fast-path publish: on push to main, SSH to the tutorials LXC and trigger the
+# host-side oneshot deploy.service. The SSH key is restricted by a forced
+# command in ~deploy/.ssh/authorized_keys, so even a leaked key can only
+# redeploy public content. The host's 5-min poll-fallback timer covers any
+# missed delivery, so this job is a latency optimization, not the only path.
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger tutorials redeploy over SSH
+        env:
+          DEPLOY_KEY: ${{ secrets.TUTORIALS_DEPLOY_KEY }}
+          DEPLOY_HOST: REDACTED
+          DEPLOY_USER: deploy
+        run: |
+          set -eu
+          # Ensure an SSH client is available on the runner image.
+          if ! command -v ssh >/dev/null 2>&1; then
+            (apt-get update && apt-get install -y openssh-client) >/dev/null
+          fi
+          install -d -m 700 ~/.ssh
+          printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+          # Forced command runs regardless of the remote command; we send a
+          # harmless placeholder. accept-new pins the host key on first use.
+          ssh -o StrictHostKeyChecking=accept-new \
+            -o BatchMode=yes \
+            -i ~/.ssh/deploy_key \
+            "${DEPLOY_USER}@${DEPLOY_HOST}" deploy
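Review bot: `StrictHostKeyChecking=accept-new` pins nothing on this runner: `~/.ssh` is created empty by the `install -d -m 700 ~/.ssh` line a few lines above, so every run is a "first use", the connection is trust-on-first-use each time, and a host answering for `DEPLOY_HOST` with a different key is accepted silently along with the deploy key being used against it. Store the LXC's host public key next to the deploy key and verify strictly: add `DEPLOY_HOST_KEY: ${{ secrets.<HOST_KEY_SECRET_NAME> }}` to `env`, write it with `printf '%s\n' "$DEPLOY_HOST_KEY" > ~/.ssh/known_hosts` before the `ssh` call, and change the option to `-o StrictHostKeyChecking=yes`. The comment `accept-new pins the host key on first use` should then be rewritten to say that the host key is supplied from a secret and checked strictly, since as written it promises a guarantee the step does not provide. Separately, the header comment names `deploy.service` while the commit message says `tutorials-deploy.service`; presumably one is the real unit name and the comment should match it.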