nikitapozd-projects/blog-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
10cd8d5c94b346f853e76c916b88ed3e50c3c065
blog-frontend/.gitea/workflows/ci.yml
Nikita Pozdniakov 10cd8d5c94
Some checks failed
CI TEST (Vault secrets) / build (push) Has been cancelled
Details
added debug logs
2026-01-27 13:23:06 +03:00

126 lines
4.2 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

name: CI TEST (Vault secrets)
on:
push:
branches: [ main, master ]
jobs:
build:
runs-on: [self-hosted, linux, docker]
container:
image: node:24.13-alpine3.22
steps:
- name: Checkout
uses: https://gitea.nikitapozd.dev/actions/checkout@v6
- name: Install tools (curl, jq) with debug
shell: sh
run: |
set -euxo pipefail
echo "=== Network info ==="
ip addr || true
ip route || true
cat /etc/resolv.conf || true
echo "=== DNS test ==="
nslookup dl-cdn.alpinelinux.org || true
echo "=== HTTPS test (IPv4 only) ==="
curl -4 -v --max-time 10 https://dl-cdn.alpinelinux.org || true
echo "=== APK repositories ==="
cat /etc/apk/repositories
echo "=== APK update (verbose) ==="
apk update -v --no-progress
echo "=== Installing curl jq (verbose, no cache) ==="
APK_PROGRESS=plain apk add -v --no-cache curl jq
# - name: Install tools (curl, jq)
# run: apk add --no-cache curl jq
- name: Get Keycloak access token from Gitea secrets
env:
KEYCLOAK_TOKEN_URL: ${{ secrets.KEYCLOAK_TOKEN_URL }}
KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }}
KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
run: |
TOKEN_RESPONSE=$(curl -sS -X POST "$KEYCLOAK_TOKEN_URL" \
-d "grant_type=client_credentials" \
-d "client_id=$KEYCLOAK_CLIENT_ID" \
-d "client_secret=$KEYCLOAK_CLIENT_SECRET")
ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
echo "ERROR: Failed to obtain access_token from Keycloak"
echo "$TOKEN_RESPONSE" | jq .
exit 1
fi
# Не печатай токен в лог
echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
- name: Exchange Keycloak token for Vault token (auth/jwt/login)
env:
VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
VAULT_JWT_ROLE: ${{ secrets.VAULT_ROLE }}
run: |
LOGIN_RESPONSE=$(curl -sS -X POST "$VAULT_ADDRESS/v1/auth/jwt/login" \
-H "Content-Type: application/json" \
-d "{\"role\":\"$VAULT_JWT_ROLE\",\"jwt\":\"$ACCESS_TOKEN\"}")
VAULT_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.auth.client_token')
if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
echo "ERROR: Failed to login to Vault via JWT"
echo "$LOGIN_RESPONSE" | jq .
exit 1
fi
echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
- name: Read secrets from Vault KV and export to env
env:
VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
VAULT_KV_PATH: ${{ secrets.VAULT_KV_PATH }}
run: |
# KV v2 API endpoint: /v1/<mount>/data/<path>
# Если VAULT_KV_PATH="blog/frontend", то mount=blog, path=frontend
MOUNT="${VAULT_KV_PATH%%/*}"
SUBPATH="${VAULT_KV_PATH#*/}"
JSON=$(curl -sS \
-H "X-Vault-Token: $VAULT_TOKEN" \
"$VAULT_ADDRESS/v1/$MOUNT/data/$SUBPATH")
# Пример: вытащим 2 ключа (замени на свои)
API_BASE_URL=$(echo "$JSON" | jq -r '.data.data.API_BASE_URL')
if [ -z "$API_BASE_URL" ] || [ "$API_BASE_URL" = "null" ]; then
echo "ERROR: API_BASE_URL is missing in Vault at $VAULT_KV_PATH"
exit 1
fi
# Экспортируем в env для следующих шагов:
echo "API_BASE_URL=$API_BASE_URL" >> "$GITHUB_ENV"
- name: Verify secrets loaded (safe)
run: |
# НЕ печатаем сами значения!
echo "API_BASE_URL loaded: $([ -n "$API_BASE_URL" ] && echo yes || echo no)"
- name: Install deps
run: |
corepack enable
pnpm -v || true
pnpm install
- name: Build
env:
API_BASE_URL: ${{ env.API_BASE_URL }}
SENTRY_DSN: ${{ env.SENTRY_DSN }}
run: pnpm build
Reference in New Issue View Git Blame Copy Permalink