Wrap deploy script in bash -c to bypass remote fish shell
- .gitea/workflows/deploy.yml: the bot user on the new prod host has fish as its login shell, which rejects bash syntax (set -e, VAR=..., $(...), trap, process substitution). Wrap the entire deploy script in `bash -c '...'` so fish only spawns a bash subprocess and the script itself is parsed by bash. - Forward DEPLOY_PATH alongside VAULT_PASS through appleboy/ssh-action envs: so the bash subprocess inherits both, instead of interpolating the secret directly into the rendered script (where masking would collide with the cd argument). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Serreau Jovann
@@ -13,17 +13,20 @@ jobs:
|
|||||||
uses: appleboy/ssh-action@v1.0.0
|
uses: appleboy/ssh-action@v1.0.0
|
||||||
env:
|
env:
|
||||||
VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
|
VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
|
||||||
|
DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
|
||||||
with:
|
with:
|
||||||
host: ${{ secrets.SSH_HOST }}
|
host: ${{ secrets.SSH_HOST }}
|
||||||
username: ${{ secrets.SSH_USER }}
|
username: ${{ secrets.SSH_USER }}
|
||||||
key: ${{ secrets.SSH_PRIVATE_KEY }}
|
key: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||||
port: 22
|
port: 22
|
||||||
envs: VAULT_PASS
|
envs: VAULT_PASS,DEPLOY_PATH
|
||||||
script: |
|
script: |
|
||||||
|
bash -c '
|
||||||
set -e
|
set -e
|
||||||
cd ${{ secrets.DEPLOY_PATH }}
|
cd "$DEPLOY_PATH"
|
||||||
VAULT_FILE="$(mktemp)"
|
VAULT_FILE="$(mktemp)"
|
||||||
trap 'rm -f "$VAULT_FILE"' EXIT
|
trap "rm -f \"$VAULT_FILE\"" EXIT
|
||||||
printf '%s' "$VAULT_PASS" > "$VAULT_FILE"
|
printf "%s" "$VAULT_PASS" > "$VAULT_FILE"
|
||||||
chmod 600 "$VAULT_FILE"
|
chmod 600 "$VAULT_FILE"
|
||||||
ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file "$VAULT_FILE"
|
ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file "$VAULT_FILE"
|
||||||
|
'
|
||||||
|
|||||||
Reference in New Issue
Block a user