Michael Schiemer
aabb5a82fe
- Fix checkout URLs in update-production-secrets.yml - Fix checkout URLs in security-scan.yml - Fix checkout URLs in test-registry.yml - Change from repository.michaelschiemer.de:5000 to git.michaelschiemer.de
90 lines
2.7 KiB
YAML
90 lines
2.7 KiB
YAML
name: Update Production Secrets
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
vault_password:
|
|
description: 'Ansible Vault Password'
|
|
required: true
|
|
type: password
|
|
|
|
env:
|
|
DEPLOYMENT_HOST: 94.16.110.151
|
|
|
|
jobs:
|
|
deploy-secrets:
|
|
name: Deploy Secrets to Production
|
|
runs-on: php-ci # Uses pre-built PHP 8.5 CI image with Ansible
|
|
environment:
|
|
name: production-secrets
|
|
url: https://michaelschiemer.de
|
|
|
|
steps:
|
|
- name: Checkout deployment configuration
|
|
run: |
|
|
REF_NAME="${{ github.ref_name }}"
|
|
REPO="${{ github.repository }}"
|
|
if [ -z "$REF_NAME" ]; then
|
|
REF_NAME="main"
|
|
fi
|
|
|
|
if [ -n "${{ secrets.CI_TOKEN }}" ]; then
|
|
git clone --depth 1 --branch "$REF_NAME" \
|
|
"https://${{ secrets.CI_TOKEN }}@git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo
|
|
else
|
|
git clone --depth 1 --branch "$REF_NAME" \
|
|
"https://git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo || \
|
|
git clone --depth 1 \
|
|
"https://git.michaelschiemer.de/${REPO}.git" \
|
|
/workspace/repo
|
|
fi
|
|
|
|
cd /workspace/repo
|
|
|
|
- name: Setup SSH key
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/production
|
|
chmod 600 ~/.ssh/production
|
|
ssh-keyscan -H ${{ env.DEPLOYMENT_HOST }} >> ~/.ssh/known_hosts
|
|
|
|
# Ansible is pre-installed in php-ci image
|
|
- name: Verify Ansible installation
|
|
run: ansible --version
|
|
|
|
- name: Create vault password file
|
|
run: |
|
|
echo "${{ github.event.inputs.vault_password }}" > /tmp/.vault_pass
|
|
chmod 600 /tmp/.vault_pass
|
|
|
|
- name: Deploy secrets via Ansible
|
|
run: |
|
|
cd deployment/ansible
|
|
ansible-playbook -i inventory/production.yml \
|
|
playbooks/setup-production-secrets.yml \
|
|
--vault-password-file /tmp/.vault_pass
|
|
|
|
- name: Cleanup vault password
|
|
if: always()
|
|
run: |
|
|
rm -f /tmp/.vault_pass
|
|
|
|
- name: Verify secrets deployment
|
|
run: |
|
|
ssh -i ~/.ssh/production deploy@${{ env.DEPLOYMENT_HOST }} \
|
|
"docker secret ls && test -f /home/deploy/secrets/.env.production"
|
|
|
|
- name: Notify deployment success
|
|
if: success()
|
|
run: |
|
|
echo "✅ Secrets deployed successfully to production"
|
|
echo "Services will be restarted automatically"
|
|
|
|
- name: Notify deployment failure
|
|
if: failure()
|
|
run: |
|
|
echo "❌ Secrets deployment failed"
|
|
echo "Check Ansible logs for details"
|