nikitapozd-projects/blog-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9d61a3d1a45d309b39dfff65d13bb60ea81fee54
blog-frontend/.gitea/workflows/ci.yml
Nikita Pozdniakov 9d61a3d1a4
Some checks failed
CI TEST (Vault secrets) / build (push) Failing after 1m3s
Details
IPv4 test
2026-01-27 15:20:32 +03:00

126 lines
4.3 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

name: CI TEST (Vault secrets)
on:
push:
branches: [ main, master ]
jobs:
build:
runs-on: ubuntu-latest
container:
image: node:24.13.0-bookworm
steps:
- name: Checkout
uses: https://gitea.nikitapozd.dev/actions/checkout@v6
- name: Install tools (curl, jq) with hard timeouts
shell: bash
run: |
set -euxo pipefail
# Диагностика куда резолвится:
getent ahosts deb.debian.org || true
# apt: только IPv4 + короткие таймауты + минимум ретраев
timeout 60s apt-get update \
-o Acquire::ForceIPv4=true \
-o Acquire::Retries=1 \
-o Acquire::http::Timeout=10 \
-o Acquire::https::Timeout=10
timeout 60s apt-get install -y curl jq \
-o Acquire::ForceIPv4=true \
-o Acquire::Retries=1 \
-o Acquire::http::Timeout=10 \
-o Acquire::https::Timeout=10
- name: Install tools (curl, jq) with timeout
run: |
set -eux
timeout 30s apt-get update
timeout 30s apt-get install -y curl jq
- name: Get Keycloak access token from Gitea secrets
env:
KEYCLOAK_TOKEN_URL: ${{ secrets.KEYCLOAK_TOKEN_URL }}
KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }}
KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
run: |
TOKEN_RESPONSE=$(curl -sS -X POST "$KEYCLOAK_TOKEN_URL" \
-d "grant_type=client_credentials" \
-d "client_id=$KEYCLOAK_CLIENT_ID" \
-d "client_secret=$KEYCLOAK_CLIENT_SECRET")
ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
echo "ERROR: Failed to obtain access_token from Keycloak"
echo "$TOKEN_RESPONSE" | jq .
exit 1
fi
# Не печатай токен в лог
echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
- name: Exchange Keycloak token for Vault token (auth/jwt/login)
env:
VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
VAULT_JWT_ROLE: ${{ secrets.VAULT_ROLE }}
run: |
LOGIN_RESPONSE=$(curl -sS -X POST "$VAULT_ADDRESS/v1/auth/jwt/login" \
-H "Content-Type: application/json" \
-d "{\"role\":\"$VAULT_JWT_ROLE\",\"jwt\":\"$ACCESS_TOKEN\"}")
VAULT_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.auth.client_token')
if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
echo "ERROR: Failed to login to Vault via JWT"
echo "$LOGIN_RESPONSE" | jq .
exit 1
fi
echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
- name: Read secrets from Vault KV and export to env
env:
VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
VAULT_KV_PATH: ${{ secrets.VAULT_KV_PATH }}
run: |
# KV v2 API endpoint: /v1/<mount>/data/<path>
# Если VAULT_KV_PATH="blog/frontend", то mount=blog, path=frontend
MOUNT="${VAULT_KV_PATH%%/*}"
SUBPATH="${VAULT_KV_PATH#*/}"
JSON=$(curl -sS \
-H "X-Vault-Token: $VAULT_TOKEN" \
"$VAULT_ADDRESS/v1/$MOUNT/data/$SUBPATH")
# Пример: вытащим 2 ключа (замени на свои)
API_BASE_URL=$(echo "$JSON" | jq -r '.data.data.API_BASE_URL')
if [ -z "$API_BASE_URL" ] || [ "$API_BASE_URL" = "null" ]; then
echo "ERROR: API_BASE_URL is missing in Vault at $VAULT_KV_PATH"
exit 1
fi
# Экспортируем в env для следующих шагов:
echo "API_BASE_URL=$API_BASE_URL" >> "$GITHUB_ENV"
- name: Verify secrets loaded (safe)
run: |
# НЕ печатаем сами значения!
echo "API_BASE_URL loaded: $([ -n "$API_BASE_URL" ] && echo yes || echo no)"
- name: Install deps
run: |
corepack enable
pnpm -v || true
pnpm install
- name: Build
env:
API_BASE_URL: ${{ env.API_BASE_URL }}
SENTRY_DSN: ${{ env.SENTRY_DSN }}
run: pnpm build
Reference in New Issue View Git Blame Copy Permalink