From f565b7f020a35db015bbfb649cc783726c1ff3ad Mon Sep 17 00:00:00 2001
From: Nikita Pozdniakov
Date: Mon, 26 Jan 2026 14:57:59 +0300
Subject: [PATCH] Add CI workflow forto check Vault secrets integration
---
 .gitea/workflows/ci.yml | 103 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 .gitea/workflows/ci.yml
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
new file mode 100644
index 0000000..9da9203
--- /dev/null
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,103 @@
+name: CI TEST (Vault secrets)
+
+on:
+ push:
+ branches: [ main, master ]
+
+jobs:
+ build:
+ runs-on: docker
+ container:
+ image: node:24.13-alpine3.22
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install tools (curl, jq)
+ run: apk add --no-cache curl jq
+
+ - name: Get Keycloak access token from Gitea secrets
+ env:
+ KEYCLOAK_TOKEN_URL: ${{ secrets.KEYCLOAK_TOKEN_URL }}
+ KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }}
+ KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
+ run: |
+ TOKEN_RESPONSE=$(curl -sS -X POST "$KEYCLOAK_TOKEN_URL" \
+ -d "grant_type=client_credentials" \
+ -d "client_id=$KEYCLOAK_CLIENT_ID" \
+ -d "client_secret=$KEYCLOAK_CLIENT_SECRET")
+
+ ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')
+
+ if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
+ echo "ERROR: Failed to obtain access_token from Keycloak"
+ echo "$TOKEN_RESPONSE" | jq .
+ exit 1
+ fi
+
+ # Не печатай токен в лог
+ echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
+
+ - name: Exchange Keycloak token for Vault token (auth/jwt/login)
+ env:
+ VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
+ VAULT_JWT_ROLE: ${{ secrets.VAULT_ROLE }}
+ run: |
+ LOGIN_RESPONSE=$(curl -sS -X POST "$VAULT_ADDRESS/v1/auth/jwt/login" \
+ -H "Content-Type: application/json" \
+ -d "{\"role\":\"$VAULT_JWT_ROLE\",\"jwt\":\"$ACCESS_TOKEN\"}")
+
+ VAULT_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.auth.client_token')
+
+ if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
+ echo "ERROR: Failed to login to Vault via JWT"
+ echo "$LOGIN_RESPONSE" | jq .
+ exit 1
+ fi
+
+ echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
+
+ - name: Read secrets from Vault KV and export to env
+ env:
+ VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
+ VAULT_KV_PATH: ${{ secrets.VAULT_KV_PATH }}
+ run: |
+ # KV v2 API endpoint: /v1//data/
+ # Если VAULT_KV_PATH="blog/frontend", то mount=blog, path=frontend
+
+ MOUNT="${VAULT_KV_PATH%%/*}"
+ SUBPATH="${VAULT_KV_PATH#*/}"
+
+ JSON=$(curl -sS \
+ -H "X-Vault-Token: $VAULT_TOKEN" \
+ "$VAULT_ADDRESS/v1/$MOUNT/data/$SUBPATH")
+
+ # Пример: вытащим 2 ключа (замени на свои)
+ API_BASE_URL=$(echo "$JSON" | jq -r '.data.data.API_BASE_URL')
+
+ if [ -z "$API_BASE_URL" ] || [ "$API_BASE_URL" = "null" ]; then
+ echo "ERROR: API_BASE_URL is missing in Vault at $VAULT_KV_PATH"
+ exit 1
+ fi
+
+ # Экспортируем в env для следующих шагов:
+ echo "API_BASE_URL=$API_BASE_URL" >> "$GITHUB_ENV"
+ echo "SENTRY_DSN=$SENTRY_DSN" >> "$GITHUB_ENV"
+
+ - name: Verify secrets loaded (safe)
+ run: |
+ # НЕ печатаем сами значения!
+ echo "API_BASE_URL loaded: $([ -n "$API_BASE_URL" ] && echo yes || echo no)"
+
+ - name: Install deps
+ run: |
+ corepack enable
+ pnpm -v || true
+ pnpm install
+
+ - name: Build
+ env:
+ API_BASE_URL: ${{ env.API_BASE_URL }}
+ SENTRY_DSN: ${{ env.SENTRY_DSN }}
+ run: pnpm build
\ No newline at end of file
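Review bot: `ACCESS_TOKEN` and `VAULT_TOKEN` are persisted with `>> "$GITHUB_ENV"` at the end of the Keycloak and Vault login steps, which places both live credentials in the environment of every later step, including `pnpm install`, where third-party package lifecycle scripts run with access to them. Keep the Vault token inside a single step (log in, read the KV path, then revoke it with `curl -sS -X POST -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDRESS/v1/auth/token/revoke-self"`) instead of exporting it, and mask any value that must be exported with `echo "::add-mask::$VALUE"` if the runner honours that command; the "don't print the token" comment does not protect against later steps or a `set -x` echoing it. Separately, `echo "SENTRY_DSN=$SENTRY_DSN" >> "$GITHUB_ENV"` exports a variable that is never read from the Vault response, so the Build step always receives an empty `SENTRY_DSN`; read it from the same JSON (e.g. `jq -r '.data.data.SENTRY_DSN'`, key name to confirm) and null-check it the way `API_BASE_URL` is. The `run: |` blocks have no `set -euo pipefail` and the curl calls lack `--fail-with-body`, so an HTTP error is only caught indirectly by the `null` checks, and the error branches print the full Keycloak/Vault response bodies to the log. For supply-chain hygiene, `actions/checkout@v4` should be pinned to a commit SHA and `pnpm install` run with `--frozen-lockfile`.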