Switch deploy to SSH; remove broken volume-mount approach

2026-06-20 23:29:50 -04:00
parent 65ec13725b
commit 446f378956
1 changed files with 23 additions and 8 deletions
@@ -7,9 +7,14 @@ name: Deploy static site to devfarm
 #   jobs:
 #     deploy:
 #       uses: ringmaster/actions/.gitea/workflows/deploy-static.yml@main
+#       secrets: inherit
 #       with:
 #         site: myapp          # → https://myapp.dev.clubbabyseal.com
 #         build-command: npm run build
+#
+# Required secret (user-level in Gitea → Settings → Actions → Secrets):
+#   DEPLOY_SSH_KEY — private half of the gitea-ci-deploy key pair.
+#   Public key must be in /boot/config/ssh/authorized_keys on the NAS.

 on:
  workflow_call:
@@ -41,14 +46,14 @@ on:
        required: false
        default: .
        type: string
+    secrets:
+      DEPLOY_SSH_KEY:
+        required: true
+        description: SSH private key for the gitea-ci-deploy key pair.

 jobs:
  deploy:
    runs-on: ubuntu-latest
-    container:
-      image: gitea/runner-images:ubuntu-latest
-      volumes:
-        - /mnt/user/devsites:/mnt/user/devsites

    steps:
      - uses: actions/checkout@v4
@@ -63,19 +68,29 @@ jobs:
        run: ${{ inputs.build-command }}

      - name: Deploy to devfarm
+        env:
+          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          SITE="${{ inputs.site }}"
          SRC="${{ inputs.working-directory }}/${{ inputs.dist-dir }}"
          TARGET="/mnt/user/devsites/${SITE}/dist"
+          NAS="192.168.2.117"

-          # Validate site name: alphanumeric + hyphens only, no path traversal.
          if ! echo "$SITE" | grep -qE '^[a-z0-9-]+$'; then
            echo "ERROR: site name must match [a-z0-9-]+"
            exit 1
          fi

-          mkdir -p "$TARGET"
-          rm -rf "${TARGET:?}/"* 2>/dev/null || true
-          cp -a "${SRC}/." "${TARGET}/"
+          mkdir -p ~/.ssh
+          echo "$DEPLOY_SSH_KEY" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+          ssh-keyscan -H "$NAS" >> ~/.ssh/known_hosts 2>/dev/null
+
+          ssh -i ~/.ssh/deploy_key "root@${NAS}" "mkdir -p '${TARGET}'"
+          tar -C "${SRC}" -czf - . \
+            | ssh -i ~/.ssh/deploy_key "root@${NAS}" \
+                "rm -rf '${TARGET:?}'/* 2>/dev/null; tar -C '${TARGET}' -xzf -"
+          rm -f ~/.ssh/deploy_key
+
          echo "Deployed $SRC → $TARGET"
          echo "Live at: https://${SITE}.dev.clubbabyseal.com"