nikitapozd-projects/blog-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71f2dc838162b484b8a957cd4f7919daa9d8c0ad
blog-frontend/.gitea/workflows/ci.yml
Nikita Pozdniakov 71f2dc8381
Some checks failed
CI TEST (Vault secrets) / build (push) Failing after 10s
Details
timeout up to 35 2
2026-01-27 16:04:09 +03:00

105 lines
3.5 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

name: CI TEST (Vault secrets)
on:
push:
branches: [ main, master ]
jobs:
build:
runs-on: ubuntu-latest
container:
image: node:24.13-alpine3.22
steps:
- name: Checkout
uses: https://gitea.nikitapozd.dev/actions/checkout@v6
- name: Install tools (curl, jq)
run: |
set -euxo pipefail
timeout 35s apk update \
timeout 35s apk add --no-cache curl jq
- name: Get Keycloak access token from Gitea secrets
env:
KEYCLOAK_TOKEN_URL: ${{ secrets.KEYCLOAK_TOKEN_URL }}
KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }}
KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
run: |
TOKEN_RESPONSE=$(curl -sS -X POST "$KEYCLOAK_TOKEN_URL" \
-d "grant_type=client_credentials" \
-d "client_id=$KEYCLOAK_CLIENT_ID" \
-d "client_secret=$KEYCLOAK_CLIENT_SECRET")
ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
echo "ERROR: Failed to obtain access_token from Keycloak"
echo "$TOKEN_RESPONSE" | jq .
exit 1
fi
# Не печатай токен в лог
echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
- name: Exchange Keycloak token for Vault token (auth/jwt/login)
env:
VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
VAULT_JWT_ROLE: ${{ secrets.VAULT_ROLE }}
run: |
LOGIN_RESPONSE=$(curl -sS -X POST "$VAULT_ADDRESS/v1/auth/jwt/login" \
-H "Content-Type: application/json" \
-d "{\"role\":\"$VAULT_JWT_ROLE\",\"jwt\":\"$ACCESS_TOKEN\"}")
VAULT_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.auth.client_token')
if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
echo "ERROR: Failed to login to Vault via JWT"
echo "$LOGIN_RESPONSE" | jq .
exit 1
fi
echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
- name: Read secrets from Vault KV and export to env
env:
VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
VAULT_KV_PATH: ${{ secrets.VAULT_KV_PATH }}
run: |
# KV v2 API endpoint: /v1/<mount>/data/<path>
# Если VAULT_KV_PATH="blog/frontend", то mount=blog, path=frontend
MOUNT="${VAULT_KV_PATH%%/*}"
SUBPATH="${VAULT_KV_PATH#*/}"
JSON=$(curl -sS \
-H "X-Vault-Token: $VAULT_TOKEN" \
"$VAULT_ADDRESS/v1/$MOUNT/data/$SUBPATH")
# Пример: вытащим 2 ключа (замени на свои)
API_BASE_URL=$(echo "$JSON" | jq -r '.data.data.API_BASE_URL')
if [ -z "$API_BASE_URL" ] || [ "$API_BASE_URL" = "null" ]; then
echo "ERROR: API_BASE_URL is missing in Vault at $VAULT_KV_PATH"
exit 1
fi
# Экспортируем в env для следующих шагов:
echo "API_BASE_URL=$API_BASE_URL" >> "$GITHUB_ENV"
- name: Verify secrets loaded (safe)
run: |
# НЕ печатаем сами значения!
echo "API_BASE_URL loaded: $([ -n "$API_BASE_URL" ] && echo yes || echo no)"
- name: Install deps
run: |
corepack enable
pnpm -v || true
pnpm install
- name: Build
env:
API_BASE_URL: ${{ env.API_BASE_URL }}
SENTRY_DSN: ${{ env.SENTRY_DSN }}
run: pnpm build
Reference in New Issue View Git Blame Copy Permalink