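name: Deploy
# Deploys the docker-compose stack to the Hetzner host via Ansible. The host has
# no public SSH, so the runner joins the tailnet (Tailscale) and reaches it over
# Tailscale SSH. Secrets come from GitHub Actions Secrets (no Ansible Vault).
on:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the only thing this workflow uses it for is
# the checkout. Nothing below pushes, comments or publishes with it.
permissions:
  contents: read

# Never let two deploys race on the same host.
concurrency:
  group: deploy-production
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      # Third-party actions are pinned to major tags; switch to full commit
      # SHAs if immutable action versions are wanted.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Connect to Tailscale
        uses: tailscale/github-action@v3
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          # The tailnet ACL must allow `tag:ci` to SSH to the server's tag as
          # root with `action: accept` (not `check`, which needs interactivity).
          tags: tag:ci

      - name: Install Ansible
        # Unpinned: pipx resolves the newest ansible release on every run, so a
        # deploy can change behaviour without a commit. Pin it
        # (`ansible==<version>`, placeholder) once a known-good version is
        # chosen.
        run: pipx install --include-deps ansible

      - name: Write inventory
        # The host name reaches the script through `env` and `${DEPLOY_HOST}`
        # rather than a `${{ }}` expansion inside `run:`, so the shell treats it
        # as data, never as syntax (GitHub's script-injection guidance). The
        # `|| 'dashtec-host'` fallback keeps the default when the variable is
        # unset.
        env:
          DEPLOY_HOST: ${{ vars.DEPLOY_HOST || 'dashtec-host' }}
        run: |
          cat > ansible/inventory.ini <<EOF
          [dashtec]
          ${DEPLOY_HOST} ansible_user=root
          [dashtec:vars]
          ansible_python_interpreter=/usr/bin/python3
          EOF

      - name: Run Ansible
        working-directory: ansible
        run: ansible-playbook site.yml
        env:
          # SSH host-key verification is disabled: the runner starts with an
          # empty known_hosts on every run. The trust anchor is evidently the
          # tailnet connection set up above rather than the host key — confirm
          # that is the intent. If the target is ever reached outside Tailscale
          # SSH, re-enable this and provision a pinned known_hosts instead.
          ANSIBLE_HOST_KEY_CHECKING: "False"
          # Per-network secrets injected into the committed config.json.
          MAINNET_ETHEREUM_RPC_URL: ${{ secrets.MAINNET_ETHEREUM_RPC_URL }}
          MAINNET_SENTINEL_PROXY_URL: ${{ secrets.MAINNET_SENTINEL_PROXY_URL }}
          MAINNET_SESSION_PASSWORD: ${{ secrets.MAINNET_SESSION_PASSWORD }}
          TESTNET_ETHEREUM_RPC_URL: ${{ secrets.TESTNET_ETHEREUM_RPC_URL }}
          TESTNET_SENTINEL_PROXY_URL: ${{ secrets.TESTNET_SENTINEL_PROXY_URL }}
          TESTNET_SESSION_PASSWORD: ${{ secrets.TESTNET_SESSION_PASSWORD }}
          # OAuth, shared across networks (one app each). IDs are public
          # (variables); secrets are sensitive.
          DISCORD_CLIENT_ID: ${{ vars.DISCORD_CLIENT_ID }}
          DISCORD_CLIENT_SECRET: ${{ secrets.DISCORD_CLIENT_SECRET }}
          X_CLIENT_ID: ${{ vars.X_CLIENT_ID }}
          X_CLIENT_SECRET: ${{ secrets.X_CLIENT_SECRET }}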