name: CI TEST (Vault secrets) on: push: branches: [ main, master ] jobs: build: runs-on: [self-hosted, linux, docker] container: image: node:24.13-alpine3.22 steps: - name: Checkout uses: https://gitea.nikitapozd.dev/actions/checkout@v6 - name: Network smoke test run: | set -eux ip link | sed -n '1,80p' echo "--- resolv.conf ---" cat /etc/resolv.conf || true echo "--- DNS ---" nslookup dl-cdn.alpinelinux.org || true echo "--- download APKINDEX (10s) ---" wget -S -O /dev/null --timeout=10 --tries=1 \ https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz - name: Force APK to IPv4-only mirror shell: sh run: | set -eux sed -i 's|https://dl-cdn.alpinelinux.org|https://dl-4.alpinelinux.org|g' /etc/apk/repositories cat /etc/apk/repositories - name: Install tools (curl, jq) with verbose run: | set -eux export APK_PROGRESS=plain apk update -v --no-progress apk add -v --no-cache curl jq # - name: Install tools (curl, jq) with debug # shell: sh # run: | # set -euxo pipefail # # echo "=== Network info ===" # ip addr || true # ip route || true # cat /etc/resolv.conf || true # # echo "=== DNS test ===" # nslookup dl-cdn.alpinelinux.org || true # # echo "=== HTTPS test (IPv4 only) ===" # curl -4 -v --max-time 10 https://dl-cdn.alpinelinux.org || true # # echo "=== APK repositories ===" # cat /etc/apk/repositories # # echo "=== APK update (verbose) ===" # apk update -v --no-progress # # echo "=== Installing curl jq (verbose, no cache) ===" # APK_PROGRESS=plain apk add -v --no-cache curl jq # - name: Install tools (curl, jq) # run: apk add --no-cache curl jq - name: Get Keycloak access token from Gitea secrets env: KEYCLOAK_TOKEN_URL: ${{ secrets.KEYCLOAK_TOKEN_URL }} KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }} KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }} run: | TOKEN_RESPONSE=$(curl -sS -X POST "$KEYCLOAK_TOKEN_URL" \ -d "grant_type=client_credentials" \ -d "client_id=$KEYCLOAK_CLIENT_ID" \ -d "client_secret=$KEYCLOAK_CLIENT_SECRET") ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token') if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then echo "ERROR: Failed to obtain access_token from Keycloak" echo "$TOKEN_RESPONSE" | jq . exit 1 fi # Не печатай токен в лог echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV" - name: Exchange Keycloak token for Vault token (auth/jwt/login) env: VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }} VAULT_JWT_ROLE: ${{ secrets.VAULT_ROLE }} run: | LOGIN_RESPONSE=$(curl -sS -X POST "$VAULT_ADDRESS/v1/auth/jwt/login" \ -H "Content-Type: application/json" \ -d "{\"role\":\"$VAULT_JWT_ROLE\",\"jwt\":\"$ACCESS_TOKEN\"}") VAULT_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.auth.client_token') if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then echo "ERROR: Failed to login to Vault via JWT" echo "$LOGIN_RESPONSE" | jq . exit 1 fi echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV" - name: Read secrets from Vault KV and export to env env: VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }} VAULT_KV_PATH: ${{ secrets.VAULT_KV_PATH }} run: | # KV v2 API endpoint: /v1//data/ # Если VAULT_KV_PATH="blog/frontend", то mount=blog, path=frontend MOUNT="${VAULT_KV_PATH%%/*}" SUBPATH="${VAULT_KV_PATH#*/}" JSON=$(curl -sS \ -H "X-Vault-Token: $VAULT_TOKEN" \ "$VAULT_ADDRESS/v1/$MOUNT/data/$SUBPATH") # Пример: вытащим 2 ключа (замени на свои) API_BASE_URL=$(echo "$JSON" | jq -r '.data.data.API_BASE_URL') if [ -z "$API_BASE_URL" ] || [ "$API_BASE_URL" = "null" ]; then echo "ERROR: API_BASE_URL is missing in Vault at $VAULT_KV_PATH" exit 1 fi # Экспортируем в env для следующих шагов: echo "API_BASE_URL=$API_BASE_URL" >> "$GITHUB_ENV" - name: Verify secrets loaded (safe) run: | # НЕ печатаем сами значения! echo "API_BASE_URL loaded: $([ -n "$API_BASE_URL" ] && echo yes || echo no)" - name: Install deps run: | corepack enable pnpm -v || true pnpm install - name: Build env: API_BASE_URL: ${{ env.API_BASE_URL }} SENTRY_DSN: ${{ env.SENTRY_DSN }} run: pnpm build