Enhance deployment workflow by adding SSH setup and secret validation checks for improved security and reliability

2025-12-16 14:24:11 +08:00
parent 8e8bfd1897
commit 73b178fa2c
1 changed files with 33 additions and 12 deletions
--- a/.gitea/workflows/deploy-dev.yml
+++ b/.gitea/workflows/deploy-dev.yml
@@ -28,6 +28,7 @@ jobs:
          docker build -t merchbay_admin:dev .
          docker save merchbay_admin:dev | gzip > merchbay_admin_dev.tar.gz

+      # 🔍 SAFE SECRET DEBUG (TEMPORARY – REMOVE LATER)
      - name: Debug secrets (safe)
        shell: sh
        run: |
@@ -35,32 +36,52 @@ jobs:

          if [ -z "${DEPLOY_SSH_KEY}" ]; then
            echo "❌ DEPLOY_SSH_KEY is EMPTY or NOT SET"
+            exit 1
          else
            echo "✅ DEPLOY_SSH_KEY is SET"
            echo "Length: ${#DEPLOY_SSH_KEY}"
-            echo "First line:"
            echo "${DEPLOY_SSH_KEY}" | head -n 1
-            echo "Last line:"
            echo "${DEPLOY_SSH_KEY}" | tail -n 1
          fi

-          if [ -z "${DEPLOY_USER}" ]; then
-            echo "❌ DEPLOY_USER is EMPTY"
-          else
-            echo "✅ DEPLOY_USER = ${DEPLOY_USER}"
-          fi
+          [ -z "${DEPLOY_USER}" ] && echo "❌ DEPLOY_USER EMPTY" && exit 1
+          [ -z "${DEPLOY_HOST}" ] && echo "❌ DEPLOY_HOST EMPTY" && exit 1

-          if [ -z "${DEPLOY_HOST}" ]; then
-            echo "❌ DEPLOY_HOST is EMPTY"
-          else
-            echo "✅ DEPLOY_HOST = ${DEPLOY_HOST}"
-          fi
+          echo "DEPLOY_USER=${DEPLOY_USER}"
+          echo "DEPLOY_HOST=${DEPLOY_HOST}"
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}

+      # 🔐 REQUIRED STEP (THIS WAS MISSING)
+      - name: Setup SSH
+        shell: sh
+        run: |
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh

+          echo "${DEPLOY_SSH_KEY}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+          ssh-keyscan -H ${DEPLOY_HOST} >> ~/.ssh/known_hosts
+
+          echo "SSH files:"
+          ls -l ~/.ssh
+        env:
+          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+
+      # 🧪 OPTIONAL BUT HIGHLY RECOMMENDED (run once)
+      - name: SSH sanity check
+        shell: sh
+        run: |
+          ssh -i ~/.ssh/id_ed25519 ${DEPLOY_USER}@${DEPLOY_HOST} "whoami"
+        env:
+          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+
+      # 🚀 DEPLOY
      - name: Deploy to Server
        shell: sh
        run: |