From d5b08aaae291ee8d24d1ccb259b0b1662a194dbb Mon Sep 17 00:00:00 2001
From: Serreau Jovann
Date: Fri, 10 Apr 2026 18:08:30 +0200
Subject: [PATCH] Wrap deploy script in bash -c to bypass remote fish shell

- .gitea/workflows/deploy.yml: the bot user on the new prod host has fish as its login shell, which rejects bash syntax (set -e, VAR=..., $(...), trap, process substitution). Wrap the entire deploy script in `bash -c '...'` so fish only spawns a bash subprocess and the script itself is parsed by bash.
- Forward DEPLOY_PATH alongside VAULT_PASS through appleboy/ssh-action envs: so the bash subprocess inherits both, instead of interpolating the secret directly into the rendered script (where masking would collide with the cd argument).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitea/workflows/deploy.yml | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index e5823db..901d420 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -13,17 +13,20 @@ jobs:
 uses: appleboy/ssh-action@v1.0.0
 env:
 VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+ DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
 with:
 host: ${{ secrets.SSH_HOST }}
 username: ${{ secrets.SSH_USER }}
 key: ${{ secrets.SSH_PRIVATE_KEY }}
 port: 22
- envs: VAULT_PASS
+ envs: VAULT_PASS,DEPLOY_PATH
 script: |
- set -e
- cd ${{ secrets.DEPLOY_PATH }}
- VAULT_FILE="$(mktemp)"
- trap 'rm -f "$VAULT_FILE"' EXIT
- printf '%s' "$VAULT_PASS" > "$VAULT_FILE"
- chmod 600 "$VAULT_FILE"
- ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file "$VAULT_FILE"
+ bash -c '
+ set -e
+ cd "$DEPLOY_PATH"
+ VAULT_FILE="$(mktemp)"
+ trap "rm -f \"$VAULT_FILE\"" EXIT
+ printf "%s" "$VAULT_PASS" > "$VAULT_FILE"
+ chmod 600 "$VAULT_FILE"
+ ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file "$VAULT_FILE"
+ '
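Review bot: An empty or unset `DEPLOY_PATH` is not caught by the new `cd "$DEPLOY_PATH"` line: the body only enables `set -e`, and bash's `cd ""` does not appear to fail (to be confirmed on the target bash version), so `ansible-playbook ansible/deploy.yml` would then be resolved relative to the login directory instead of the job failing early. Guarding both forwarded variables before they are used, e.g. `: "${DEPLOY_PATH:?DEPLOY_PATH not forwarded via envs}"` and `: "${VAULT_PASS:?VAULT_PASS not forwarded via envs}"`, fails the step with a clear message rather than writing an empty vault-password file or running the playbook from the wrong tree. A YAML comment above `script:` such as `# remote login shell is fish: keep the body inside the single-quoted bash -c string` would carry the reason from the commit message into the file for the next maintainer, who would otherwise see no hint that an unescaped `'` inside the body breaks the wrapper. How ssh-action injects the `envs` values into the remote session happens outside this hunk; confirm its export format is accepted by the fish login shell, since the wrapper only protects the body.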