Merge branch 'develop' for v2.0.2

rtCamp · May 11, 2020 · b7307c7 · b7307c7
2 parents 01df8a0 + d5a0f34
commit b7307c7
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -27,7 +27,7 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Deploy
-      uses: rtCamp/[email protected].0
+      uses: rtCamp/[email protected].2
       env:
         SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 ```
@@ -40,10 +40,12 @@ jobs:
 
 This GitHub action's behavior can be customized using following environment variables:
 
-Variable       | Default | Possible  Values            | Purpose
----------------|---------|-----------------------------|----------------------------------------------------
-`MU_PLUGINS_URL` | null    | vip, any git repo url         | If value is `vip`, then action will clone [VIP's MU plugins](https://github.com/Automattic/vip-mu-plugins-public) as `mu-plugins` folder. If you want to specifiy a non-VIP mu-plugins repo, you can provide a publicly accessible mu-plugins repo URL as the value.
-`WP_VERSION`     | latest  | Any valid WordPress version | If you specify a WordPress version, then that speicifc WordPress version will be downloaded, instead of latest WordPress version.
+Variable          | Default | Possible  Values            | Purpose
+------------------|---------|-----------------------------|----------------------------------------------------
+`MU_PLUGINS_URL`  | null    | vip, any git repo url         | If value is `vip`, then action will clone [VIP's MU plugins](https://github.com/Automattic/vip-mu-plugins-public) as `mu-plugins` folder. If you want to specifiy a non-VIP mu-plugins repo, you can provide a publicly accessible mu-plugins repo URL as the value.
+`WP_VERSION`      | latest  | Any valid WordPress version | If you specify a WordPress version, then that speicifc WordPress version will be downloaded, instead of latest WordPress version.
+`JUMPHOST_SERVER` | null    | Hostname/IP address of the jumphost server | If the deployment server is not directly accessible, and needs a jumphost, then this method should be used. (Note: The `SSH_PRIVATE_KEY` env variable should have access to the jumphost as well as deployment server for this to work. Also, this method does not work with vault.)
+`SUBMODULE_DEPLOY_KEY` | null | Read access deploy key created in the submodule repo's deploy keys. | Only required for privated submodule repo. For now only one private submodule deploy key is allowed. All public submodules in repo will be fetched by default without the need of this env variable. (To create a deploy key go to: Settings > Deploy Keys > Add deploy key)
 
 
 ## Server Setup
@@ -99,7 +101,7 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - name: Deploy
-      uses: rtCamp/[email protected].0
+      uses: rtCamp/[email protected].2
       env:
         VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
         VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}

diff --git a/action.yml b/action.yml
@@ -3,7 +3,7 @@ description: 'Deploy WordPress code to a server'
 author: 'rtCamp'
 runs:
   using: 'docker'
-  image: 'Dockerfile'
+  image: 'docker://rtcamp/action-deploy-wordpress:v2.0.2'
 branding:
   icon: 'upload-cloud'
   color: 'yellow'
diff --git a/main.sh b/main.sh
@@ -6,11 +6,22 @@ rsync -av "$hosts_file" /hosts.yml
 cat /hosts.yml
 
 # Check branch
-if [ "$GITHUB_REF" = "" ]; then
+if [[ "$GITHUB_REF" = "" ]]; then
     echo "\$GITHUB_REF is not set"
     exit 1
 fi
 
+# Check for SSH key if jump host is defined
+if [[ ! -z "$JUMPHOST_SERVER" ]]; then
+
+    if [[ -z "$SSH_PRIVATE_KEY" ]]; then
+        echo "Jump host configuration does not work with vault ssh signing."
+        echo "SSH_PRIVATE_KEY secret needs to be added."
+        echo "The SSH key should have access to the server as well as jumphost."
+        exit 1
+    fi
+fi
+
 match=0
 for branch in $(cat "$hosts_file" | shyaml keys); do
     [[ "$GITHUB_REF" = "refs/heads/$branch" ]] && \
@@ -50,6 +61,10 @@ if [[ -n "$SSH_PRIVATE_KEY" ]]; then
     chmod 600 "$SSH_DIR/id_rsa"
     eval "$(ssh-agent -s)"
     ssh-add "$SSH_DIR/id_rsa"
+
+    if [[ -n "$JUMPHOST_SERVER" ]]; then
+        ssh-keyscan -H "$JUMPHOST_SERVER" >> /etc/ssh/known_hosts 
+    fi
 else
     # Generate a key-pair
     ssh-keygen -t rsa -b 4096 -C "GH-actions-ssh-deploy-key" -f "$HOME/.ssh/id_rsa" -N ""
@@ -63,6 +78,9 @@ fi
 
 if [[ -n "$VAULT_ADDR" ]]; then
     vault write -field=signed_key ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub > $HOME/.ssh/signed-cert.pub
+fi
+
+if [[ -z "$JUMPHOST_SERVER" ]]; then
 
     # Create ssh config file. `~/.ssh/config` does not work.
     cat > /etc/ssh/ssh_config <<EOL
@@ -72,6 +90,19 @@ IdentityFile ${SSH_DIR}/signed-cert.pub
 IdentityFile ${SSH_DIR}/id_rsa
 User root
 EOL
+else
+    # Create ssh config file. `~/.ssh/config` does not work.
+    cat > /etc/ssh/ssh_config <<EOL
+Host jumphost
+    HostName $JUMPHOST_SERVER
+    UserKnownHostsFile /etc/ssh/known_hosts
+
+Host $hostname
+    HostName $hostname
+    ProxyJump jumphost
+    UserKnownHostsFile /etc/ssh/known_hosts
+    User root
+EOL
 fi
 
 # Check and update submodules if any