From c6d2c068d34fbab61b7e6d47acb632e883386a23 Mon Sep 17 00:00:00 2001
From: Serreau Jovann
Date: Fri, 10 Apr 2026 18:04:50 +0200
Subject: [PATCH] Pass ansible vault password via env var instead of process substitution

- .gitea/workflows/deploy.yml: stop interpolating ANSIBLE_VAULT_PASSWORD directly into the remote script (the runner masks the secret with *** which broke the <(echo '...') process substitution at runtime)
- inject the password as VAULT_PASS through appleboy/ssh-action's envs: forwarding so it never appears in the rendered script
- on the remote, write it to a mktemp file with chmod 600 and remove the file via trap on EXIT, then point ansible-playbook --vault-password-file at that temp file
- use printf '%s' instead of echo to avoid adding a stray newline to the vault password
- add set -e so the script fails fast if any step errors
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitea/workflows/deploy.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 722e51a..e5823db 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -11,10 +11,19 @@ jobs:
 steps:
 - name: Deploy with SSH
 uses: appleboy/ssh-action@v1.0.0
+ env:
+ VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
 with:
 host: ${{ secrets.SSH_HOST }}
 username: ${{ secrets.SSH_USER }}
 key: ${{ secrets.SSH_PRIVATE_KEY }}
 port: 22
+ envs: VAULT_PASS
 script: |
- cd ${{ secrets.DEPLOY_PATH }} && ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file <(echo '${{ secrets.ANSIBLE_VAULT_PASSWORD }}')
+ set -e
+ cd ${{ secrets.DEPLOY_PATH }}
+ VAULT_FILE="$(mktemp)"
+ trap 'rm -f "$VAULT_FILE"' EXIT
+ printf '%s' "$VAULT_PASS" > "$VAULT_FILE"
+ chmod 600 "$VAULT_FILE"
+ ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file "$VAULT_FILE"
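Review bot: The `printf '%s' "$VAULT_PASS" > "$VAULT_FILE"` line writes the forwarded value without checking that it is non-empty, so an unset or mis-scoped ANSIBLE_VAULT_PASSWORD secret would only surface later as an ansible-vault decryption failure instead of at the first step; add `[ -n "$VAULT_PASS" ] || { echo 'VAULT_PASS is empty' >&2; exit 1; }` before the printf. The `cd ${{ secrets.DEPLOY_PATH }}` line is still interpolated unquoted into the rendered script, so a path containing whitespace would be word-split; `cd "${{ secrets.DEPLOY_PATH }}"` avoids that. The `chmod 600` after the write is harmless but redundant, since mktemp already creates the file with mode 0600, which is also what keeps the password from ever sitting in a readable file between the printf and the chmod. The step belongs to a job whose header lies above the hunk, so the runner and permissions settings that govern this secret are not visible here.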