yay security bro #31
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # .github/workflows/deploy.yml | |
| name: Deploy site | |
| on: | |
| push: | |
| branches: [ main ] | |
| workflow_dispatch: | |
| # Avoid overlapping deploys on the same branch | |
| concurrency: | |
| group: deploy-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| deploy: | |
| # Secrets aren't available to PRs from forks; skip to avoid failures. | |
| if: github.event_name != 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| # Pin to your project’s version if you have an "engines.node" in package.json | |
| node-version: '20' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Start ssh-agent and add key | |
| # Expects your OpenSSH private key in: Settings → Secrets and variables → Actions → New repository secret | |
| # Name it SSH_PRIVATE_KEY | |
| env: | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| run: | | |
| set -euo pipefail | |
| eval "$(ssh-agent -s)" | |
| # Write key to a file with correct permissions, then add to agent | |
| mkdir -p ~/.ssh | |
| chmod 700 ~/.ssh | |
| echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ci | |
| chmod 600 ~/.ssh/id_ci | |
| ssh-add ~/.ssh/id_ci | |
| - name: Run deploy script | |
| env: | |
| # If your script relies on any env vars, export them here. | |
| # Example: NODE_ENV=production | |
| NODE_ENV: production | |
| SSH_OPTIONS: | | |
| Host * | |
| StrictHostKeyChecking no | |
| UserKnownHostsFile /dev/null | |
| IdentitiesOnly yes | |
| PreferredAuthentications publickey | |
| IdentityFile ~/.ssh/id_ci | |
| BatchMode yes | |
| run: | | |
| set -euo pipefail | |
| bash ./deploy.sh | |