


9463c44034 feat(deploy): improve ssh key handling and deployment security
- Remove hardcoded SSH private key file path from workflow
- Use proper SSH directory structure (~/.ssh/) for key storage
- Add known_hosts file for improved SSH security
- Move environment variables to dedicated env block
- Remove StrictHostKeyChecking=no for better security
- Update deploy script to use proper SSH key path
- Maintain deployment path configuration via environment variables
2026-02-01 18:35:37 +01:00
b7286eeeb6 fix: use explicit bash path in makefile scripts
Specify full path to bash interpreter for version.sh and deploy.sh scripts in makefile to ensure consistent execution across different environments and avoid potential PATH issues.
2026-02-01 18:17:37 +01:00
9a4bdf15a3 fix: update deployment workflow concurrency settings
Configure concurrency group for website deployment workflow to prevent race conditions and ensure orderly deployment execution. The cancel-in-progress setting is set to false to maintain deployment stability.
2026-02-01 18:16:51 +01:00
fafafb0d37 chore: update deployment trigger from branch push to tag push
Change deployment workflow to trigger on tag pushes instead of main branch pushes, allowing for more controlled and versioned deployments.
2026-02-01 18:16:20 +01:00
d0189c57a5 fix(deploy): remove docker compose restart from deployment script
Removes the 'docker compose restart' command from the deployment script as it was causing unnecessary service interruptions during deployment. The tar extraction and cleanup steps are sufficient for updating the application files without requiring a full container restart.
2026-02-01 18:12:28 +01:00
3 changed files with 24 additions and 21 deletions


@@ -1,11 +1,13 @@
---
name: Deploy website on production server when committing on main
concurrency: 1
concurrency:
group: deploy-website
cancel-in-progress: false
on:
push:
branches:
- main
tags:
- '*'
defaults:
run:
@@ -15,8 +17,6 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- run: echo "${{ secrets.SSH_PRIVATE_KEY }}" > /private.key
- run: chmod 600 /private.key
- run: |
export HUGO_VERSION=$(curl --silent -I https://github.com/gohugoio/hugo/releases/latest | grep location | sed 's|.*tag/||' | tr -d '\r')
export HUGO_VERSION_SHORT=$(echo ${HUGO_VERSION} | sed 's/v//')
@@ -25,10 +25,17 @@ jobs:
- uses: actions/checkout@v4
with:
submodules: true
- run: APP_VERSION=latest make
- run: |
export SSH_PRIVATE_KEY=/private.key
export SSH_USERNAME=${{ secrets.SSH_USERNAME }}
export DEPLOYMENT_HOST=${{ secrets.DEPLOYMENT_HOST }}
export DEPLOYMENT_PATH=${{ secrets.DEPLOYMENT_PATH }}
mkdir -p ~/.ssh/
echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
make
make deploy
env:
SSH_USERNAME: ${{ vars.SSH_USERNAME }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
SSH_KNOWN_HOSTS: ${{ vars.SSH_KNOWN_HOSTS }}
DEPLOYMENT_HOST: ${{ vars.DEPLOYMENT_HOST }}
DEPLOYMENT_PATH: ${{ vars.DEPLOYMENT_PATH }}
APP_VERSION: ${{ vars.GITHUB_REF_NAME }}
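Review bot: `APP_VERSION: ${{ vars.GITHUB_REF_NAME }}` on the last line of the hunk reads a repository variable rather than the run's ref, so unless a repo variable with that exact name was created it expands to an empty string and `make` runs with no APP_VERSION; the tag name the commit messages refer to is the `github.ref_name` context, so `APP_VERSION: ${{ github.ref_name }}` looks like the intent. The `run` step also writes `$SSH_KNOWN_HOSTS` unconditionally; now that StrictHostKeyChecking=no is gone, an unset `vars.SSH_KNOWN_HOSTS` produces an empty known_hosts and the first non-interactive ssh fails on host-key verification, which may be what the failing check shows although the cause is not visible here. A guard before the echo, `[ -n "$SSH_KNOWN_HOSTS" ] || { echo 'SSH_KNOWN_HOSTS is not set' >&2; exit 1; }`, turns that into a clear error at the point of misconfiguration. The workflow `name` in the first hunk still says "when committing on main" even though the trigger is now tag pushes.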


@@ -5,7 +5,6 @@ set -e
# FLOW
###
#
# if the private key variable is set, prepend "-i" to it
# if the username variable is set, append the at sign to it
# if either the deployment host or deployment path variables are not set, return an error
# tarball the built website and scp it to the deployment host
@@ -13,11 +12,6 @@ set -e
# then remove everything in the data path, untar the tarball and reload the server
# finally remove the tarball, both from the remote host and locally (cleanup)
# Check if the private key variable is set
if [ ! -z "${SSH_PRIVATE_KEY}" ]; then
SSH_PRIVATE_KEY="-i ${SSH_PRIVATE_KEY}"
fi
# Check if the username variable is set
if [ ! -z "${SSH_USERNAME}" ]; then
SSH_USERNAME="${SSH_USERNAME}@"
@@ -29,14 +23,16 @@ if [ -z "${DEPLOYMENT_HOST}" ] || [ -z "${DEPLOYMENT_PATH}" ]; then
exit 1
fi
# Compress the built website and scp it to the remote host
tar -czf httpdocs.tgz -C public .
scp -o StrictHostKeyChecking=no ${SSH_PRIVATE_KEY} httpdocs.tgz ${SSH_USERNAME}${DEPLOYMENT_HOST}:/tmp/httpdocs.tgz
ssh -o StrictHostKeyChecking=no ${SSH_PRIVATE_KEY} ${SSH_USERNAME}${DEPLOYMENT_HOST} "DEPLOYMENT_PATH=$DEPLOYMENT_PATH bash" << 'EOF'
scp ${SSH_PRIVATE_KEY} httpdocs.tgz ${SSH_USERNAME}${DEPLOYMENT_HOST}:/tmp/httpdocs.tgz
# SSH to the remote host, cd to the deployment path, and deploy the website (delete and overwrite everything)
ssh ${SSH_PRIVATE_KEY} ${SSH_USERNAME}${DEPLOYMENT_HOST} "DEPLOYMENT_PATH=$DEPLOYMENT_PATH bash" << 'EOF'
cd ${DEPLOYMENT_PATH}
DATAPATH=$(cat .env | grep "NGINX_DATA" | sed "s/NGINX_DATA=//g")
rm -rf ${DATAPATH}/{*,.*}
tar xf /tmp/httpdocs.tgz -C ${DATAPATH}
docker compose restart
rm -f /tmp/httpdocs.tgz
EOF
rm -f httpdocs.tgz
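Review bot: The remote heredoc (`ssh ... bash << 'EOF'` through `EOF`) runs without `set -e`, so a failed `cd ${DEPLOYMENT_PATH}` or a `.env` lacking `NGINX_DATA` leaves `DATAPATH` empty and the following line becomes `rm -rf /{*,.*}` on the production host; the `set -e` at the top of the local script does not carry over to the remote shell. Adding `set -euo pipefail` as the first heredoc line and a guard `[ -n "${DATAPATH}" ] || { echo 'NGINX_DATA not set in .env' >&2; exit 1; }` before the `rm` closes that gap. With `-i` and `StrictHostKeyChecking=no` removed, the `scp` and `ssh` lines now depend entirely on `~/.ssh/id_ed25519` and `~/.ssh/known_hosts` being present on the runner, which the script neither checks nor states; a comment above the `scp` line recording that assumption, or `-o BatchMode=yes` on both commands so a missing key or unknown host fails immediately instead of waiting on a prompt, would make it explicit. The FLOW comment in the earlier hunk, `# then remove everything in the data path, untar the tarball and reload the server`, still describes reloading the server although the restart step was removed.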


@@ -7,10 +7,10 @@ prep:
git submodule foreach --recursive bash -c "git checkout \$$(git remote show origin | grep HEAD | sed 's/.*\: //'); git pull"
build: prep
./version.sh
/usr/bin/env bash version.sh
deploy:
./deploy.sh
/usr/bin/env bash deploy.sh
run: prep
hugo server