Some checks failed
CI / sonarqube (push) Has been cancelled
- .gitea/workflows/deploy.yml: stop interpolating ANSIBLE_VAULT_PASSWORD directly into the remote script (the runner masks the secret with *** which broke the <(echo '...') process substitution at runtime)
- inject the password as VAULT_PASS through appleboy/ssh-action's envs: forwarding so it never appears in the rendered script
- on the remote, write it to a mktemp file with chmod 600 and remove the file via trap on EXIT, then point ansible-playbook --vault-password-file at that temp file
- use printf '%s' instead of echo to avoid adding a stray newline to the vault password
- add set -e so the script fails fast if any step errors

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
30 lines
836 B
YAML
name: Deploy to production

on:
  workflow_dispatch:
  schedule:
    - cron: '0 1,22 * * *'

jobs:
  deploy:
    runs_on: ubuntu-latest
    steps:
      - name: Deploy with SSH
        uses: appleboy/ssh-action@v1.0.0
        env:
          VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          port: 22
          envs: VAULT_PASS
          script: |
            set -e
            cd ${{ secrets.DEPLOY_PATH }}
            VAULT_FILE="$(mktemp)"
            trap 'rm -f "$VAULT_FILE"' EXIT
            printf '%s' "$VAULT_PASS" > "$VAULT_FILE"
            chmod 600 "$VAULT_FILE"
            ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file "$VAULT_FILE"
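Review bot: `runs_on: ubuntu-latest` under `jobs.deploy` is not a valid key; the workflow syntax (GitHub Actions and Gitea Actions alike) expects `runs-on`, and with the misspelled key the job has no runner label and will not be scheduled, which matches the cancelled CI status shown for this push. Two further points in the same step: `cd ${{ secrets.DEPLOY_PATH }}` still interpolates a secret straight into the rendered script, the same pattern the commit message says broke the vault password through masking, so add it to `env:` and list it in `envs:` alongside VAULT_PASS, then use `cd "$DEPLOY_PATH"` on the remote; and `uses: appleboy/ssh-action@v1.0.0` pins a mutable tag, so pin the action to its full commit SHA so a retagged release cannot change what runs with the SSH key and vault password.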