Pouya
45 lines
1.9 KiB
YAML
45 lines
1.9 KiB
YAML
name: Deploy
|
|
|
|
# Fast-path publish: on push to main, SSH to the tutorials LXC and trigger the
|
|
# host-side oneshot deploy.service. The SSH key is restricted by a forced
|
|
# command in ~deploy/.ssh/authorized_keys, so even a leaked key can only
|
|
# redeploy public content. The host's 5-min poll-fallback timer covers any
|
|
# missed delivery, so this job is a latency optimization, not the only path.
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Trigger tutorials redeploy over SSH
|
|
env:
|
|
DEPLOY_KEY: ${{ secrets.TUTORIALS_DEPLOY_KEY }}
|
|
# Host address kept out of this public repo — set as an Actions secret.
|
|
DEPLOY_HOST: ${{ secrets.TUTORIALS_DEPLOY_HOST }}
|
|
DEPLOY_USER: deploy
|
|
# Pinned host public key (a known_hosts line), also via secret.
|
|
KNOWN_HOSTS: ${{ secrets.TUTORIALS_KNOWN_HOSTS }}
|
|
run: |
|
|
set -eu
|
|
# Ensure an SSH client is available on the runner image.
|
|
if ! command -v ssh >/dev/null 2>&1; then
|
|
(apt-get update && apt-get install -y openssh-client) >/dev/null
|
|
fi
|
|
install -d -m 700 ~/.ssh
|
|
printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/deploy_key
|
|
chmod 600 ~/.ssh/deploy_key
|
|
# Pin the target's host key (supplied via secret) instead of trusting
|
|
# it on first connect — closes the first-connection MITM window that
|
|
# StrictHostKeyChecking=accept-new (trust-on-first-use) leaves open.
|
|
printf '%s\n' "$KNOWN_HOSTS" > ~/.ssh/known_hosts
|
|
chmod 600 ~/.ssh/known_hosts
|
|
# Forced command runs regardless of the remote command; harmless placeholder.
|
|
ssh -o StrictHostKeyChecking=yes \
|
|
-o UserKnownHostsFile="$HOME/.ssh/known_hosts" \
|
|
-o BatchMode=yes \
|
|
-i ~/.ssh/deploy_key \
|
|
"${DEPLOY_USER}@${DEPLOY_HOST}" deploy
|