From dbb44155c2d351c6352bbd207876c7a14a43afd5 Mon Sep 17 00:00:00 2001
From: Riddhesh Sanghvi
Date: Fri, 21 Feb 2020 16:08:33 +0530
Subject: [PATCH 1/7] Add option to use jumphost server
Signed-off-by: Riddhesh Sanghvi
---
 main.sh | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/main.sh b/main.sh
index 4a3054d..a492d6f 100755
--- a/main.sh
+++ b/main.sh
@@ -6,11 +6,22 @@ rsync -av "$hosts_file" /hosts.yml
 cat /hosts.yml
 
 # Check branch
-if [ "$GITHUB_REF" = "" ]; then
+if [[ "$GITHUB_REF" = "" ]]; then
 echo "\$GITHUB_REF is not set"
 exit 1
 fi
 
+# Check for SSH key if jump host is defined
+if [[ ! -z "$JUMPHOST_SERVER" ]]; then
+
+ if [[ -z "$SSH_PRIVATE_KEY" ]]; then
+ echo "Jump host configuration does not work with vault ssh signing."
+ echo "SSH_PRIVATE_KEY secret needs to be added."
+ echo "Add SSH key to that gives access to the server as well as jumphost."
+ exit 1
+ fi
+fi
+
 match=0
 for branch in $(cat "$hosts_file" | shyaml keys); do
 [[ "$GITHUB_REF" = "refs/heads/$branch" ]] && \
@@ -50,6 +61,10 @@ if [[ -n "$SSH_PRIVATE_KEY" ]]; then
 chmod 600 "$SSH_DIR/id_rsa"
 eval "$(ssh-agent -s)"
 ssh-add "$SSH_DIR/id_rsa"
+
+ if [[ -n "$JUMPHOST_SERVER" ]]; then
+ ssh-keyscan -H "$JUMPHOST_SERVER" >> /etc/ssh/known_hosts
+ fi
 else
 # Generate a key-pair
 ssh-keygen -t rsa -b 4096 -C "GH-actions-ssh-deploy-key" -f "$HOME/.ssh/id_rsa" -N ""
@@ -63,6 +78,9 @@ fi
 if [[ -n "$VAULT_ADDR" ]]; then
 vault write -field=signed_key ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub > $HOME/.ssh/signed-cert.pub
+fi
+
+if [[ -z "$JUMPHOST_SERVER" ]]; then
 # Create ssh config file. `~/.ssh/config` does not work.
 cat > /etc/ssh/ssh_config < /etc/ssh/ssh_config <
Date: Fri, 21 Feb 2020 17:07:10 +0530
Subject: [PATCH 2/7] Update error message
Signed-off-by: Riddhesh Sanghvi
---
 main.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.sh b/main.sh
index a492d6f..5919e7f 100755
--- a/main.sh
+++ b/main.sh
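Review bot: `if [[ ! -z "$JUMPHOST_SERVER" ]]; then` in the new jump-host check is a double negative; `-n` is the idiomatic test and is what the same patch uses in its second hunk (`if [[ -n "$JUMPHOST_SERVER" ]]`), so `if [[ -n "$JUMPHOST_SERVER" ]]; then` keeps the two guards consistent, and the rewritten `[[ "$GITHUB_REF" = "" ]]` above it would read the same way as `[[ -z "$GITHUB_REF" ]]`. The three `echo` lines in the failure branch are diagnostics that precede an `exit 1`, so they belong on stderr (`>&2`) rather than mixed into the action's normal output. The comment `# Check for SSH key if jump host is defined` describes the test but not the reason; `# A jump host requires SSH_PRIVATE_KEY: vault-signed keys are not supported on that path` would tell the next maintainer why the combination is rejected.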
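Review bot: The new `ssh-keyscan -H "$JUMPHOST_SERVER" >> /etc/ssh/known_hosts` line accepts whatever host key the network returns at deploy time, so the jump host is trusted on a first-use basis on every run and a key substituted on the path between the runner and the jump host would be accepted, with the private key from `SSH_PRIVATE_KEY` then used against that host. The scan's result is also not checked: if it returns nothing (unresolvable name, filtered port), known_hosts is silently left unchanged and the failure only surfaces later inside ssh. A pinned public host key supplied through a secret (a name such as `JUMPHOST_HOST_KEY`, to be chosen by the maintainers) written straight into known_hosts, with the scan kept only as a documented fallback, would remove the first-use trust; at minimum the fallback should fail closed: `jump_keys=$(ssh-keyscan -H "$JUMPHOST_SERVER")`, `[[ -n "$jump_keys" ]] || { echo "Could not obtain host key for $JUMPHOST_SERVER" >&2; exit 1; }`, `printf '%s\n' "$jump_keys" >> /etc/ssh/known_hosts`. The enclosing `if [[ -n "$SSH_PRIVATE_KEY" ]]` block begins before this hunk.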
@@ -17,7 +17,7 @@ if [[ ! -z "$JUMPHOST_SERVER" ]]; then
 if [[ -z "$SSH_PRIVATE_KEY" ]]; then
 echo "Jump host configuration does not work with vault ssh signing."
 echo "SSH_PRIVATE_KEY secret needs to be added."
- echo "Add SSH key to that gives access to the server as well as jumphost."
+ echo "The SSH key should have access to the server as well as jumphost."
 exit 1
 fi
 fi
From f68cfe143fcd831e7e949334b0fc962e46072927 Mon Sep 17 00:00:00 2001
From: Riddhesh Sanghvi
Date: Fri, 21 Feb 2020 17:11:00 +0530
Subject: [PATCH 3/7] Update readme
Signed-off-by: Riddhesh Sanghvi
---
 README.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index c9df0f3..d2652b7 100644
--- a/README.md
+++ b/README.md
@@ -40,10 +40,11 @@ jobs:
 
 This GitHub action's behavior can be customized using following environment variables:
 
-Variable | Default | Possible Values | Purpose
----------------|---------|-----------------------------|----------------------------------------------------
-`MU_PLUGINS_URL` | null | vip, any git repo url | If value is `vip`, then action will clone [VIP's MU plugins](https://github.com/Automattic/vip-mu-plugins-public) as `mu-plugins` folder. If you want to specifiy a non-VIP mu-plugins repo, you can provide a publicly accessible mu-plugins repo URL as the value.
-`WP_VERSION` | latest | Any valid WordPress version | If you specify a WordPress version, then that speicifc WordPress version will be downloaded, instead of latest WordPress version.
+Variable | Default | Possible Values | Purpose
+------------------|---------|-----------------------------|----------------------------------------------------
+`MU_PLUGINS_URL` | null | vip, any git repo url | If value is `vip`, then action will clone [VIP's MU plugins](https://github.com/Automattic/vip-mu-plugins-public) as `mu-plugins` folder. If you want to specifiy a non-VIP mu-plugins repo, you can provide a publicly accessible mu-plugins repo URL as the value.
+`WP_VERSION` | latest | Any valid WordPress version | If you specify a WordPress version, then that speicifc WordPress version will be downloaded, instead of latest WordPress version.
+`JUMPHOST_SERVER` | null | Hostname/IP address of the jumphost server | If the deployment server is not directly accessible, and needs a jumphost, then this method should be used. (Note: The `SSH_PRIVATE_KEY` env variable should have access to the jumphost as well as deployment server for this to work. Also, this method does not work with vault.)
 
 ## Server Setup
 
From 235356f54118b6039b7150199cbb85836ae7dc63 Mon Sep 17 00:00:00 2001
From: Riddhesh Sanghvi
Date: Thu, 26 Mar 2020 18:08:25 +0530
Subject: [PATCH 4/7] Add submodule deploy key env documentation
Signed-off-by: Riddhesh Sanghvi
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index d2652b7..122fc46 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ Variable | Default | Possible Values | Purpose
 `MU_PLUGINS_URL` | null | vip, any git repo url | If value is `vip`, then action will clone [VIP's MU plugins](https://github.com/Automattic/vip-mu-plugins-public) as `mu-plugins` folder. If you want to specifiy a non-VIP mu-plugins repo, you can provide a publicly accessible mu-plugins repo URL as the value.
 `WP_VERSION` | latest | Any valid WordPress version | If you specify a WordPress version, then that speicifc WordPress version will be downloaded, instead of latest WordPress version.
 `JUMPHOST_SERVER` | null | Hostname/IP address of the jumphost server | If the deployment server is not directly accessible, and needs a jumphost, then this method should be used. (Note: The `SSH_PRIVATE_KEY` env variable should have access to the jumphost as well as deployment server for this to work. Also, this method does not work with vault.)
+`SUBMODULE_DEPLOY_KEY` | null | Read access deploy key created in the submodule repo's deploy keys. | Only required for privated submodule repo. For now only one private submodule deploy key is allowed. All public submodules in repo will be fetched by default without the need of this env variable.
 
 ## Server Setup
 
From d79ee7b6d95b9da49e0a9f9c0efad066fceb9d2f Mon Sep 17 00:00:00 2001
From: Riddhesh Sanghvi
Date: Thu, 26 Mar 2020 18:10:38 +0530
Subject: [PATCH 5/7] Add steps to create deploy key
Signed-off-by: Riddhesh Sanghvi
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 122fc46..eba0f3b 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,7 @@ Variable | Default | Possible Values | Purpose
 `MU_PLUGINS_URL` | null | vip, any git repo url | If value is `vip`, then action will clone [VIP's MU plugins](https://github.com/Automattic/vip-mu-plugins-public) as `mu-plugins` folder. If you want to specifiy a non-VIP mu-plugins repo, you can provide a publicly accessible mu-plugins repo URL as the value.
 `WP_VERSION` | latest | Any valid WordPress version | If you specify a WordPress version, then that speicifc WordPress version will be downloaded, instead of latest WordPress version.
 `JUMPHOST_SERVER` | null | Hostname/IP address of the jumphost server | If the deployment server is not directly accessible, and needs a jumphost, then this method should be used. (Note: The `SSH_PRIVATE_KEY` env variable should have access to the jumphost as well as deployment server for this to work. Also, this method does not work with vault.)
-`SUBMODULE_DEPLOY_KEY` | null | Read access deploy key created in the submodule repo's deploy keys. | Only required for privated submodule repo. For now only one private submodule deploy key is allowed. All public submodules in repo will be fetched by default without the need of this env variable.
+`SUBMODULE_DEPLOY_KEY` | null | Read access deploy key created in the submodule repo's deploy keys. | Only required for privated submodule repo. For now only one private submodule deploy key is allowed. All public submodules in repo will be fetched by default without the need of this env variable. (To create a deploy key go to: Settings > Deploy Keys > Add deploy key)
 
 ## Server Setup
 
From 4e7141fc8f2f30742c1bc3a1b47b8e9229428c12 Mon Sep 17 00:00:00 2001
From: Riddhesh Sanghvi
Date: Mon, 11 May 2020 12:35:14 +0530
Subject: [PATCH 6/7] Run action directly from docker image
Signed-off-by: Riddhesh Sanghvi
---
 action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index abb699a..1b9a407 100644
--- a/action.yml
+++ b/action.yml
@@ -3,7 +3,7 @@ description: 'Deploy WordPress code to a server'
 author: 'rtCamp'
 runs:
 using: 'docker'
- image: 'Dockerfile'
+ image: 'docker://rtcamp/action-deploy-wordpress:v2.0.2'
 branding:
 icon: 'upload-cloud'
 color: 'yellow'
From 852490d8e1b69b511a51f5c6b1496ffd1db6aad0 Mon Sep 17 00:00:00 2001
From: Riddhesh Sanghvi
Date: Mon, 11 May 2020 12:36:23 +0530
Subject: [PATCH 7/7] Update versions for new release
Signed-off-by: Riddhesh Sanghvi
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index eba0f3b..e92d2de 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 - name: Deploy
- uses: rtCamp/action-deploy-wordpress@v2.0.0
+ uses: rtCamp/action-deploy-wordpress@v2.0.2
 env:
 SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 ```
@@ -101,7 +101,7 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 - name: Deploy
- uses: rtCamp/action-deploy-wordpress@v2.0.0
+ uses: rtCamp/action-deploy-wordpress@v2.0.2
 env:
 VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
 VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
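Review bot: `image: 'docker://rtcamp/action-deploy-wordpress:v2.0.2'` references a mutable registry tag, so every workflow using this action now runs whatever image that tag resolves to at run time instead of code built from the repository's own Dockerfile, and a retagged or replaced registry image would execute with the workflow's secrets (`SSH_PRIVATE_KEY`, `VAULT_TOKEN` per the README examples in this series). Pinning by digest, `image: 'docker://rtcamp/action-deploy-wordpress@sha256:<IMAGE_DIGEST>'` (placeholder for the digest of the published v2.0.2 image), makes the referenced image immutable; the digest then has to be bumped in the same commit as each release tag. A comment on the line recording how the image is produced, e.g. `# published image; keep in sync with the Dockerfile in this repository`, would keep the build source traceable if that is indeed where the image comes from.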