ci: harden customer deploy auth

2026-05-05 00:01:49 +02:00
parent e5c6e71d57
commit 294b196012


@@ -50,14 +50,16 @@ jobs:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
GITEA_TOKEN: ${{ gitea.token }}
CUSTOMER_DEPLOY_SSH_KEY: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY }}
CUSTOMER_DEPLOY_SSH_KEY_B64: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY_B64 }}
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
set -euo pipefail
registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-}}"
registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-}}"
registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-${GITHUB_ACTOR:-}}}"
registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-${GITEA_TOKEN:-}}}"
home_dir="${HOME:-/root}"
if [ -z "${registry_user}" ]; then
echo "Missing registry user secret: set REGISTRY_USER or REGISTRY_USERNAME" >&2
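Review bot: The new `registry_password` line falls back to `GITEA_TOKEN` (the workflow's own `gitea.token`), so when neither REGISTRY_TOKEN nor REGISTRY_PASSWORD is configured the step no longer stops at the missing-credential check but presents the repository's automation token to whatever `CUSTOMER_REGISTRY_HOST` points at (that variable is set outside this hunk); if that host is not this Gitea instance, a missing secret silently turns into the CI token being sent to a third-party registry. The `GITHUB_ACTOR` fallback on the line above has the same effect on the `Missing registry user secret` check, which can now only fire when the runner itself does not set GITHUB_ACTOR, so the error message no longer matches the condition it reports. The same two fallback lines recur in the third hunk (`@@ -89,11 +91,12 @@`). If the Gitea token is meant only for pushing to the instance's own registry, keep the old `registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-}}"` and let the check fail, or gate the fallback on the customer host being this instance, with a comment such as `# gitea.token is scoped to this Gitea instance; never send it to an external CUSTOMER_REGISTRY_HOST`. The run script continues past the end of this hunk.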
@@ -70,7 +72,7 @@ jobs:
if [ -z "${CUSTOMER_DEPLOY_SSH_KEY:-}" ] \
&& [ -z "${CUSTOMER_DEPLOY_SSH_KEY_B64:-}" ] \
&& [ -z "${DEPLOY_SSH_KEY:-}" ] \
&& [ ! -f "${HOME}/.ssh/ci-key" ] \
&& [ ! -f "${home_dir}/.ssh/ci-key" ] \
&& [ ! -f "/root/.ssh/ci-key" ]; then
echo "Missing customer SSH key: set CUSTOMER_DEPLOY_SSH_KEY_B64, CUSTOMER_DEPLOY_SSH_KEY, DEPLOY_SSH_KEY, or install ~/.ssh/ci-key on the runner" >&2
exit 1
@@ -89,11 +91,12 @@ jobs:
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
GITEA_TOKEN: ${{ gitea.token }}
run: |
set -euo pipefail
registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-}}"
registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-}}"
registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-${GITHUB_ACTOR:-}}}"
registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-${GITEA_TOKEN:-}}}"
sha_short="$(printf '%s' "${GITHUB_SHA}" | cut -c1-12)"
registry_path="${CUSTOMER_REGISTRY_HOST}/${CUSTOMER_REGISTRY_NAMESPACE}"
web_ref="${registry_path}/${CUSTOMER_WEB_IMAGE}"
@@ -134,16 +137,17 @@ jobs:
run: |
set -euo pipefail
mkdir -p "${HOME}/.ssh"
key_path="${HOME}/.ssh/customer_deploy_key"
home_dir="${HOME:-/root}"
mkdir -p "${home_dir}/.ssh"
key_path="${home_dir}/.ssh/customer_deploy_key"
if [ -n "${CUSTOMER_DEPLOY_SSH_KEY_B64:-}" ]; then
printf '%s' "${CUSTOMER_DEPLOY_SSH_KEY_B64}" | base64 -d > "${key_path}"
elif [ -n "${DEPLOY_SSH_KEY:-}" ]; then
printf '%s' "${DEPLOY_SSH_KEY}" | base64 -d > "${key_path}"
elif [ -n "${CUSTOMER_DEPLOY_SSH_KEY:-}" ]; then
printf '%s\n' "${CUSTOMER_DEPLOY_SSH_KEY}" > "${key_path}"
elif [ -f "${HOME}/.ssh/ci-key" ]; then
cp "${HOME}/.ssh/ci-key" "${key_path}"
elif [ -f "${home_dir}/.ssh/ci-key" ]; then
cp "${home_dir}/.ssh/ci-key" "${key_path}"
else
cp "/root/.ssh/ci-key" "${key_path}"
fi