Update blag version, improve workflow for new deployment host.
@@ -28,8 +28,8 @@ jobs:
|
|||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
registry: gitea.raer.me
|
registry: gitea.raer.me
|
||||||
username: ${{ secrets.PRODUCTION_REGISTRY_USERNAME }}
|
username: ${{ secrets.REGISTRY_USERNAME }}
|
||||||
password: ${{ secrets.PRODUCTION_REGISTRY_TOKEN }}
|
password: ${{ secrets.REGISTRY_TOKEN }}
|
||||||
-
|
-
|
||||||
name: Install required system packages...
|
name: Install required system packages...
|
||||||
run: |
|
run: |
|
||||||
@@ -40,8 +40,8 @@ jobs:
|
|||||||
-
|
-
|
||||||
name: Install pipenv, build blog...
|
name: Install pipenv, build blog...
|
||||||
env:
|
env:
|
||||||
PIPENV_USER: ${{ secrets.PRODUCTION_REGISTRY_USERNAME }}
|
PIPENV_USER: ${{ secrets.REGISTRY_USERNAME }}
|
||||||
PIPENV_PASS: ${{ secrets.PRODUCTION_REGISTRY_TOKEN }}
|
PIPENV_PASS: ${{ secrets.REGISTRY_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
pip install pipenv
|
pip install pipenv
|
||||||
pipenv install
|
pipenv install
|
||||||
@@ -64,6 +64,9 @@ jobs:
|
|||||||
push: true
|
push: true
|
||||||
platforms: linux/amd64
|
platforms: linux/amd64
|
||||||
tags: gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}
|
tags: gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}
|
||||||
|
# It seems that the deploy stage here is the only thing that really needs changing.
|
||||||
|
## Further, changing this actually simplifies things. We no longer need this complex things that have been commented out below, instead, we do a much simpler process. The more complex process *should* be managed in a separate repo, anyway, because actually doing work on the machine that this is deployed to should be a more protected process.
|
||||||
|
|
||||||
job2:
|
job2:
|
||||||
needs: job1
|
needs: job1
|
||||||
name: Connect to deployment host, update, and redeploy docs website.
|
name: Connect to deployment host, update, and redeploy docs website.
|
||||||
@@ -79,54 +82,68 @@ jobs:
|
|||||||
-
|
-
|
||||||
name: Configure SSH...
|
name: Configure SSH...
|
||||||
env:
|
env:
|
||||||
SSH_USER: ${{ secrets.PRODUCTION_SSH_USER }}
|
SSH_USER: ${{ secrets.DEPLOYMENT_USER }}
|
||||||
SSH_KEY: ${{ secrets.PRODUCTION_SSH_KEY }}
|
SSH_KEY: ${{ secrets.DEPLOYMENT_KEY }}
|
||||||
SSH_HOST: ${{ secrets.PRODUCTION_SSH_HOST }}
|
SSH_HOST: ${{ secrets.DEPLOYMENT_HOST }}
|
||||||
run: |
|
run: |
|
||||||
mkdir -p ~/.ssh/
|
mkdir -p ~/.ssh/
|
||||||
echo "$SSH_KEY" > ~/.ssh/staging.key
|
echo "$DEPLOYMENT_KEY" > ~/.ssh/staging.key
|
||||||
chmod 600 ~/.ssh/staging.key
|
chmod 600 ~/.ssh/staging.key
|
||||||
cat >> ~/.ssh/config <<END
|
cat >> ~/.ssh/config <<END
|
||||||
Host staging
|
Host staging
|
||||||
HostName $SSH_HOST
|
HostName $DEPLOYMENT_HOST
|
||||||
User $SSH_USER
|
User $DEPLOYMENT_USER
|
||||||
IdentityFile ~/.ssh/staging.key
|
IdentityFile ~/.ssh/staging.key
|
||||||
StrictHostKeyChecking no
|
StrictHostKeyChecking no
|
||||||
END
|
END
|
||||||
cat ~/.ssh/config
|
cat ~/.ssh/config
|
||||||
-
|
-
|
||||||
name: Test SSH Host...
|
name: Ping SSH host...
|
||||||
env:
|
env:
|
||||||
SSH_HOST: ${{ secrets.PRODUCTION_SSH_HOST }}
|
SSH_HOST: ${{ secrets.DEPLOYMENT_HOST }}
|
||||||
run: |
|
run: ping -c 3 $DEPLOYMENT_HOST
|
||||||
ping -c 3 $SSH_HOST
|
|
||||||
ssh staging 'ls'
|
|
||||||
-
|
-
|
||||||
name: Safety check (ensure dirs exist and repo has been cloned)...
|
name: Run deploy script.
|
||||||
run: |
|
run: ssh staging
|
||||||
echo "Adding ci dir if it doesn't exist..."
|
## The above is far cleaner than below. That means less things have to change in this repo, when things on the deployment host change. In fact, looking over this... it seems that *NO* changes must be made to the actions when things on the deployment host change. As it should be. When the deployment host changes, the scripts related to deployment should change. And because those should be more tightly managed, they should not be spread out in places like this gitea action config.
|
||||||
ssh staging 'bash -c "[ -d ci ] || mkdir ci"'
|
|
||||||
echo "Cloning git repo if it isn't already cloned..."
|
## Even the deployment key needn't change, due to how variable scopes work in gitea. The lowest level variable takes precedence, so repo variables are always preferred over user/org and system variables.
|
||||||
ssh staging 'cd ci; bash -c "[ -d ${{ gitea.event.repository.name }} ] || git clone https://${{ secrets.PRODUCTION_API_TOKEN }}@gitea.raer.me/${{ gitea.repository }}.git"'
|
|
||||||
-
|
## Thus, from the developer's pov, the repo must simply have five secrets, three of which are managed by an administrator with root-level access to the deployment host who will configure the repo secrets as needed.
|
||||||
name: Deploy testing script on remote...
|
|
||||||
run: |
|
|
||||||
ssh staging '\
|
|
||||||
cd ci/${{ gitea.event.repository.name }}; \
|
|
||||||
git remote remove origin; \
|
|
||||||
git remote add origin https://${{ secrets.PRODUCTION_API_TOKEN }}@gitea.raer.me/${{ gitea.repository} }.git; \
|
|
||||||
git checkout ${{ gitea.ref_name }}; \
|
## Now, stuff like this can be stuck in a shell script that's stored on the deployment host and activated by an SSH key that is restricted to running only the deployment script.
|
||||||
git reset --hard HEAD; \
|
# name: Safety check (ensure dirs exist and repo has been cloned)...
|
||||||
git pull origin ${{ gitea.ref_name }}; \
|
# run: |
|
||||||
git remote remove origin;'
|
# echo "Adding ci dir if it doesn't exist..."
|
||||||
-
|
# ssh staging 'bash -c "[ -d ci ] || mkdir ci"'
|
||||||
name: Pull new image and redeploy...
|
# echo "Cloning git repo if it isn't already cloned..."
|
||||||
run: |
|
# ssh staging 'cd ci; bash -c "[ -d ${{ gitea.event.repository.name }} ] || git clone https://${{ secrets.PRODUCTION_API_TOKEN }}@gitea.raer.me/${{ gitea.repository }}.git"'
|
||||||
ssh staging '\
|
# -
|
||||||
echo "${{ secrets.PRODUCTION_REGISTRY_TOKEN }}" | docker login --password-stdin --username ${{ secrets.PRODUCTION_REGISTRY_USERNAME }} gitea.raer.me; \
|
# name: Deploy testing script on remote...
|
||||||
docker stop blog.raer.me-prod; \
|
# run: |
|
||||||
docker rm blog.raer.me-prod; \
|
# ssh staging '\
|
||||||
docker pull gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}; \
|
# cd ci/${{ gitea.event.repository.name }}; \
|
||||||
docker run -d --name blog.raer.me-prod -p ${{ secrets.PRODUCTION_DEPLOYMENT_HOST }}:4020:80 gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}; \
|
# git remote remove origin; \
|
||||||
docker logout gitea.raer.me;'
|
# git remote add origin https://${{ secrets.PRODUCTION_API_TOKEN }}@gitea.raer.me/${{ gitea.repository} }.git; \
|
||||||
|
# git checkout ${{ gitea.ref_name }}; \
|
||||||
|
# git reset --hard HEAD; \
|
||||||
|
# git pull origin ${{ gitea.ref_name }}; \
|
||||||
|
# git remote remove origin;'
|
||||||
|
# # -
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# name: Pull new image and redeploy...
|
||||||
|
# run: |
|
||||||
|
# ssh staging '\
|
||||||
|
# echo "${{ secrets.PRODUCTION_REGISTRY_TOKEN }}" | docker login --password-stdin --username ${{ secrets.PRODUCTION_REGISTRY_USERNAME }} gitea.raer.me; \
|
||||||
|
# docker stop blog.raer.me-prod; \
|
||||||
|
# docker rm blog.raer.me-prod; \
|
||||||
|
# docker pull gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}; \
|
||||||
|
# docker run -d --name blog.raer.me-prod -p ${{ secrets.PRODUCTION_DEPLOYMENT_HOST }}:4020:80 gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}; \
|
||||||
|
# docker logout gitea.raer.me;'
|
||||||
|
|
||||||
|
|||||||
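Review bot: In the rewritten "Configure SSH..." step the shell reads `$DEPLOYMENT_KEY`, `$DEPLOYMENT_HOST` and `$DEPLOYMENT_USER`, but that step's `env:` block still exports the secrets as `SSH_KEY`, `SSH_HOST` and `SSH_USER`, so `~/.ssh/staging.key` is written empty and the `Host staging` stanza gets a blank `HostName`/`User`; the "Ping SSH host..." step has the same mismatch (`env: SSH_HOST`, `run: ping -c 3 $DEPLOYMENT_HOST`). Either rename the four `env:` keys to the `DEPLOYMENT_*` names the scripts use, or keep the keys and change the references to `$SSH_KEY`, `$SSH_HOST`, `$SSH_USER` and `ping -c 3 $SSH_HOST`. Separately, `StrictHostKeyChecking no` (carried over unchanged) accepts whatever host key answers, so anyone able to redirect the connection to `$SSH_HOST` receives the deploy session undetected; supply the deployment host's `known_hosts` line as a secret, append it to `~/.ssh/known_hosts`, and set `StrictHostKeyChecking yes`. The bare `run: ssh staging` deploys only if the key's `authorized_keys` entry carries a forced `command=`, as the commentary suggests; if it does not, the job opens a login shell that exits 0 and the run reports success without deploying, so add `-T` and a comment such as `# deploy script runs via the command= restriction on this key` so the dependency on host-side configuration is explicit. Since `cat ~/.ssh/config` prints the resolved hostname and user into the job log, drop it once the variable mismatch is fixed.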