blog-frontend/.gitea/workflows/ci.yml
Nikita Pozdniakov a4343d530a
check network host
2026-01-27 13:42:10 +03:00

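name: CI TEST (Vault secrets)

on:
  push:
    branches: [ main, master ]

jobs:
  build:
    runs-on: [self-hosted, linux, docker]
    container:
      image: node:24.13-alpine3.22
      # SECURITY: `--network host` removes the container's network isolation.
      # The job shares the runner host's network namespace, so it can reach
      # anything bound to the host's loopback (a Docker API on TCP, local
      # admin UIs, other containers' published ports). It is only here to
      # work around the APK/IPv6 download problem probed by the steps below;
      # revert to the default bridge network once that is resolved.
      options: --network host
    steps:
      - name: Checkout
        # SUPPLY CHAIN: a tag such as @v6 is mutable. Pin to the full commit
        # SHA of the release you reviewed so a moved tag cannot change what
        # runs with access to the repository and the secrets below.
        uses: https://gitea.nikitapozd.dev/actions/checkout@v6

      - name: Network smoke test
        # Diagnostics only: no secrets are in scope here, so `-x` is safe.
        run: |
          set -eux
          ip link | sed -n '1,80p'
          echo "--- resolv.conf ---"
          cat /etc/resolv.conf || true
          echo "--- DNS ---"
          nslookup dl-cdn.alpinelinux.org || true
          echo "--- download APKINDEX (10s) ---"
          wget -S -O /dev/null --timeout=10 --tries=1 \
            https://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz

      - name: Force APK to IPv4-only mirror
        shell: sh
        # Swapping the mirror host does not weaken integrity: apk still
        # verifies APKINDEX and package signatures against /etc/apk/keys.
        run: |
          set -eux
          sed -i 's|https://dl-cdn.alpinelinux.org|https://dl-4.alpinelinux.org|g' /etc/apk/repositories
          cat /etc/apk/repositories

      - name: Install tools (curl, jq)
        run: |
          set -eux
          export APK_PROGRESS=plain
          apk update -v --no-progress
          apk add -v --no-cache curl jq

      # Keycloak client-credentials -> Vault JWT login -> KV v2 read, all in
      # ONE step. The Keycloak access token and the Vault token therefore live
      # only in this shell and are never written to $GITHUB_ENV, where every
      # later step (including `pnpm install`, which runs third-party lifecycle
      # scripts) would be able to read them.
      - name: Fetch build secrets from Vault
        env:
          KEYCLOAK_TOKEN_URL: ${{ secrets.KEYCLOAK_TOKEN_URL }}
          KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }}
          KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
          VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
          VAULT_JWT_ROLE: ${{ secrets.VAULT_ROLE }}
          VAULT_KV_PATH: ${{ secrets.VAULT_KV_PATH }}
        run: |
          # No `-x` in this step: xtrace would echo every token into the log.
          set -eu

          # Newline used to reject multi-line values below ($GITHUB_ENV is
          # line-oriented; a newline in a value would inject extra variables).
          NL=$(printf '\nx'); NL=${NL%x}

          # export_env NAME VALUE: mask VALUE in the log, then hand it to later
          # steps via $GITHUB_ENV. Refuses values containing a newline.
          export_env() {
            case "$2" in
              *"$NL"*) echo "ERROR: $1 from Vault contains a newline"; exit 1 ;;
            esac
            echo "::add-mask::$2"
            printf '%s=%s\n' "$1" "$2" >> "$GITHUB_ENV"
          }

          # 1. Keycloak client-credentials grant.
          #    The client secret is streamed on stdin (`client_secret@-`) so it
          #    never appears on the curl command line / in `ps` output.
          TOKEN_RESPONSE=$(printf '%s' "$KEYCLOAK_CLIENT_SECRET" | curl -sS -X POST "$KEYCLOAK_TOKEN_URL" \
            -d "grant_type=client_credentials" \
            --data-urlencode "client_id=$KEYCLOAK_CLIENT_ID" \
            --data-urlencode "client_secret@-")
          ACCESS_TOKEN=$(printf '%s' "$TOKEN_RESPONSE" | jq -r '.access_token // empty')
          if [ -z "$ACCESS_TOKEN" ]; then
            echo "ERROR: Failed to obtain access_token from Keycloak"
            # Print only the error fields, never the whole response body.
            printf '%s' "$TOKEN_RESPONSE" | jq '{error, error_description}'
            exit 1
          fi

          # 2. Exchange the access token for a Vault token (auth/jwt/login).
          #    The JSON body is built with jq so role/jwt are escaped correctly
          #    instead of being spliced into a string.
          LOGIN_RESPONSE=$(jq -cn --arg role "$VAULT_JWT_ROLE" --arg jwt "$ACCESS_TOKEN" '{role: $role, jwt: $jwt}' \
            | curl -sS -X POST "$VAULT_ADDRESS/v1/auth/jwt/login" \
                -H "Content-Type: application/json" \
                --data-binary @-)
          VAULT_TOKEN=$(printf '%s' "$LOGIN_RESPONSE" | jq -r '.auth.client_token // empty')
          if [ -z "$VAULT_TOKEN" ]; then
            echo "ERROR: Failed to login to Vault via JWT"
            printf '%s' "$LOGIN_RESPONSE" | jq '{errors}'
            exit 1
          fi
          # Revoke the Vault token when this step ends (success or failure) so
          # it is useless if it ever leaks. Best effort: never fails the job.
          trap 'curl -sS -X POST -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDRESS/v1/auth/token/revoke-self" >/dev/null 2>&1 || true' EXIT

          # 3. Read the KV v2 secret: /v1/<mount>/data/<path>.
          #    VAULT_KV_PATH="blog/frontend" -> mount=blog, path=frontend.
          case "$VAULT_KV_PATH" in
            */*) ;;
            *) echo "ERROR: VAULT_KV_PATH must look like '<mount>/<path>'"; exit 1 ;;
          esac
          MOUNT="${VAULT_KV_PATH%%/*}"
          SUBPATH="${VAULT_KV_PATH#*/}"
          JSON=$(curl -sS \
            -H "X-Vault-Token: $VAULT_TOKEN" \
            "$VAULT_ADDRESS/v1/$MOUNT/data/$SUBPATH")

          # Required key.
          API_BASE_URL=$(printf '%s' "$JSON" | jq -r '.data.data.API_BASE_URL // empty')
          if [ -z "$API_BASE_URL" ]; then
            echo "ERROR: API_BASE_URL is missing in Vault at $VAULT_KV_PATH"
            printf '%s' "$JSON" | jq '{errors}'
            exit 1
          fi
          # Optional key: the Build step reads env.SENTRY_DSN, so populate it
          # from the same Vault secret when present.
          SENTRY_DSN=$(printf '%s' "$JSON" | jq -r '.data.data.SENTRY_DSN // empty')

          # 4. Export only the build inputs to later steps (masked). The
          #    Keycloak and Vault tokens are intentionally NOT exported.
          export_env API_BASE_URL "$API_BASE_URL"
          if [ -n "$SENTRY_DSN" ]; then
            export_env SENTRY_DSN "$SENTRY_DSN"
          fi

      - name: Verify secrets loaded (safe)
        run: |
          # Report presence only; never print the values themselves.
          echo "API_BASE_URL loaded: $([ -n "${API_BASE_URL:-}" ] && echo yes || echo no)"
          echo "SENTRY_DSN loaded: $([ -n "${SENTRY_DSN:-}" ] && echo yes || echo no)"

      - name: Install deps
        run: |
          set -eu
          # corepack installs the pnpm version pinned by package.json's
          # "packageManager" field; keep that field set so the version is fixed.
          corepack enable
          pnpm -v || true
          # --frozen-lockfile: refuse to resolve anything not already in
          # pnpm-lock.yaml, so CI installs exactly what was reviewed.
          pnpm install --frozen-lockfile

      - name: Build
        env:
          API_BASE_URL: ${{ env.API_BASE_URL }}
          SENTRY_DSN: ${{ env.SENTRY_DSN }}
        run: pnpm build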