140 lines
5.0 KiB
YAML
140 lines
5.0 KiB
YAML
name: CI TEST (Vault secrets)
|
||
|
||
on:
|
||
push:
|
||
branches: [ main, master ]
|
||
|
||
jobs:
|
||
build:
|
||
runs-on: ubuntu-latest
|
||
container:
|
||
image: node:24.13.0-bookworm
|
||
|
||
steps:
|
||
- name: Checkout
|
||
uses: https://gitea.nikitapozd.dev/actions/checkout@v6
|
||
|
||
- name: Force APT repos to HTTPS + debug
|
||
shell: bash
|
||
run: |
|
||
set -euxo pipefail
|
||
|
||
echo "== sources before =="
|
||
(cat /etc/apt/sources.list || true)
|
||
(ls -la /etc/apt/sources.list.d || true)
|
||
(cat /etc/apt/sources.list.d/*.list 2>/dev/null || true)
|
||
|
||
# Replace http -> https
|
||
sed -i 's|http://deb.debian.org|https://deb.debian.org|g' /etc/apt/sources.list || true
|
||
sed -i 's|http://security.debian.org|https://security.debian.org|g' /etc/apt/sources.list || true
|
||
sed -i 's|http://deb.debian.org|https://deb.debian.org|g' /etc/apt/sources.list.d/*.list 2>/dev/null || true
|
||
sed -i 's|http://security.debian.org|https://security.debian.org|g' /etc/apt/sources.list.d/*.list 2>/dev/null || true
|
||
|
||
echo "== sources after =="
|
||
(cat /etc/apt/sources.list || true)
|
||
(cat /etc/apt/sources.list.d/*.list 2>/dev/null || true)
|
||
|
||
- name: Install tools (curl, jq) with hard timeouts (HTTPS)
|
||
shell: bash
|
||
run: |
|
||
set -euxo pipefail
|
||
|
||
timeout 90s apt-get update \
|
||
-o Acquire::ForceIPv4=true \
|
||
-o Acquire::Retries=1 \
|
||
-o Acquire::https::Timeout=10
|
||
|
||
timeout 90s apt-get install -y --no-install-recommends ca-certificates curl jq \
|
||
-o Acquire::ForceIPv4=true \
|
||
-o Acquire::Retries=1 \
|
||
-o Acquire::https::Timeout=10
|
||
|
||
- name: Install tools (curl, jq) with timeout
|
||
run: |
|
||
set -eux
|
||
timeout 30s apt-get update
|
||
timeout 30s apt-get install -y curl jq
|
||
|
||
- name: Get Keycloak access token from Gitea secrets
|
||
env:
|
||
KEYCLOAK_TOKEN_URL: ${{ secrets.KEYCLOAK_TOKEN_URL }}
|
||
KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }}
|
||
KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
|
||
run: |
|
||
TOKEN_RESPONSE=$(curl -sS -X POST "$KEYCLOAK_TOKEN_URL" \
|
||
-d "grant_type=client_credentials" \
|
||
-d "client_id=$KEYCLOAK_CLIENT_ID" \
|
||
-d "client_secret=$KEYCLOAK_CLIENT_SECRET")
|
||
|
||
ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')
|
||
|
||
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
|
||
echo "ERROR: Failed to obtain access_token from Keycloak"
|
||
echo "$TOKEN_RESPONSE" | jq .
|
||
exit 1
|
||
fi
|
||
|
||
# Не печатай токен в лог
|
||
echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
|
||
|
||
- name: Exchange Keycloak token for Vault token (auth/jwt/login)
|
||
env:
|
||
VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
|
||
VAULT_JWT_ROLE: ${{ secrets.VAULT_ROLE }}
|
||
run: |
|
||
LOGIN_RESPONSE=$(curl -sS -X POST "$VAULT_ADDRESS/v1/auth/jwt/login" \
|
||
-H "Content-Type: application/json" \
|
||
-d "{\"role\":\"$VAULT_JWT_ROLE\",\"jwt\":\"$ACCESS_TOKEN\"}")
|
||
|
||
VAULT_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.auth.client_token')
|
||
|
||
if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
|
||
echo "ERROR: Failed to login to Vault via JWT"
|
||
echo "$LOGIN_RESPONSE" | jq .
|
||
exit 1
|
||
fi
|
||
|
||
echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
|
||
|
||
- name: Read secrets from Vault KV and export to env
|
||
env:
|
||
VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
|
||
VAULT_KV_PATH: ${{ secrets.VAULT_KV_PATH }}
|
||
run: |
|
||
# KV v2 API endpoint: /v1/<mount>/data/<path>
|
||
# Если VAULT_KV_PATH="blog/frontend", то mount=blog, path=frontend
|
||
|
||
MOUNT="${VAULT_KV_PATH%%/*}"
|
||
SUBPATH="${VAULT_KV_PATH#*/}"
|
||
|
||
JSON=$(curl -sS \
|
||
-H "X-Vault-Token: $VAULT_TOKEN" \
|
||
"$VAULT_ADDRESS/v1/$MOUNT/data/$SUBPATH")
|
||
|
||
# Пример: вытащим 2 ключа (замени на свои)
|
||
API_BASE_URL=$(echo "$JSON" | jq -r '.data.data.API_BASE_URL')
|
||
|
||
if [ -z "$API_BASE_URL" ] || [ "$API_BASE_URL" = "null" ]; then
|
||
echo "ERROR: API_BASE_URL is missing in Vault at $VAULT_KV_PATH"
|
||
exit 1
|
||
fi
|
||
|
||
# Экспортируем в env для следующих шагов:
|
||
echo "API_BASE_URL=$API_BASE_URL" >> "$GITHUB_ENV"
|
||
|
||
- name: Verify secrets loaded (safe)
|
||
run: |
|
||
# НЕ печатаем сами значения!
|
||
echo "API_BASE_URL loaded: $([ -n "$API_BASE_URL" ] && echo yes || echo no)"
|
||
|
||
- name: Install deps
|
||
run: |
|
||
corepack enable
|
||
pnpm -v || true
|
||
pnpm install
|
||
|
||
- name: Build
|
||
env:
|
||
API_BASE_URL: ${{ env.API_BASE_URL }}
|
||
SENTRY_DSN: ${{ env.SENTRY_DSN }}
|
||
run: pnpm build |