unom/website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci(deploy): self-install on a blank host via clone-if-absent [skip ci]

Browse Source 
Mirror played/workflows build-deploy-game.yml so a freshly provisioned
unom-1 box self-installs the website repo on first deploy instead of
failing on a missing ~/unom-website checkout.

Before `cd ~/unom-website` the remote ssh script now:
  - installs git if absent (deploy user has NOPASSWD sudo)
  - clones the repo if ~/unom-website/.git is missing, reusing the
    existing REGISTRY_USER / REGISTRY_TOKEN secrets

Registry creds are passed into the remote shell via appleboy/ssh-action
`envs:` and consumed from the environment (docker login now uses
--password-stdin), so the token is never interpolated into the script
text / run log / process args.

Refs task #27.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-06 13:47:42 +02:00
parent 3eec9ba8b7
commit 76dabef23d
1 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/deploy.yml
+15 -1
View File
@@ -74,13 +74,27 @@ jobs:
steps: steps:
- name: Pull and start web - name: Pull and start web
uses: appleboy/ssh-action@v1.2.5 uses: appleboy/ssh-action@v1.2.5
env:
REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
with: with:
host: ${{ secrets.DEPLOY_HOST }} host: ${{ secrets.DEPLOY_HOST }}
username: ${{ secrets.DEPLOY_USER }} username: ${{ secrets.DEPLOY_USER }}
port: ${{ secrets.DEPLOY_PORT }} port: ${{ secrets.DEPLOY_PORT }}
key: ${{ secrets.DEPLOY_SSH_KEY }} key: ${{ secrets.DEPLOY_SSH_KEY }}
# Pass the registry creds into the remote shell's environment so the
# `docker login`, the clone-if-absent, and the git pull below can all
# reuse them WITHOUT ever interpolating the token into the script text
# (which would land it in the run log / process args).
envs: REGISTRY_USER,REGISTRY_TOKEN
script: | script: |
docker login git.unom.io -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }} set -euo pipefail
printf '%s' "$REGISTRY_TOKEN" | docker login git.unom.io -u "$REGISTRY_USER" --password-stdin
# Self-install on a blank host: make sure git exists, then clone the
# repo if it isn't already checked out (mirrors played/workflows
# build-deploy-game.yml). The deploy user has NOPASSWD sudo.
command -v git >/dev/null 2>&1 || { sudo apt-get update -qq && sudo apt-get install -y git; }
[ -d "$HOME/unom-website/.git" ] || git clone "https://${REGISTRY_USER}:${REGISTRY_TOKEN}@git.unom.io/unom/website.git" "$HOME/unom-website"
cd ~/unom-website cd ~/unom-website
git fetch origin main git fetch origin main
git reset --hard origin/main git reset --hard origin/main