Add timeout and retries to tool installation in CI
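---
# CI workflow: obtain build-time configuration from HashiCorp Vault.
#
# Flow: Keycloak client-credentials token -> Vault JWT login (auth/jwt/login)
# -> KV v2 read -> export non-secret configuration to the job env for the build.
#
# Credentials (the Keycloak access token and the Vault client token) are passed
# between steps as step outputs and masked in the log; they are deliberately
# NOT written to $GITHUB_ENV, because job-wide env is inherited by every later
# process, including dependency lifecycle scripts run by `pnpm install`.
name: CI TEST (Vault secrets)

# `on` is a YAML 1.1 boolean-looking key; the Actions loader handles it.
on:
  push:
    branches: [main, master]

jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:24.13-alpine3.22
    steps:
      - name: Checkout
        uses: https://gitea.nikitapozd.dev/actions/checkout@v6

      - name: Install tools (curl, jq) with timeout
        run: |
          set -eux
          # NOTE(review): confirm apk honours these variables on this image;
          # they are not documented apk options and may be no-ops.
          export APK_TIMEOUT=10
          export APK_RETRIES=1
          export APK_PROGRESS=plain
          apk update -v
          apk add --no-cache curl jq

      - name: Get Keycloak access token from Gitea secrets
        id: keycloak
        env:
          KEYCLOAK_TOKEN_URL: ${{ secrets.KEYCLOAK_TOKEN_URL }}
          KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }}
          KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
        run: |
          # Client-credentials grant. The secret is URL-encoded so characters
          # such as '&' or '%' in it cannot corrupt the form body.
          TOKEN_RESPONSE=$(curl -sS --max-time 30 "$KEYCLOAK_TOKEN_URL" \
            -d "grant_type=client_credentials" \
            -d "client_id=$KEYCLOAK_CLIENT_ID" \
            --data-urlencode "client_secret=$KEYCLOAK_CLIENT_SECRET")
          # `// empty` turns a missing or null field into "" so one check suffices.
          ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token // empty')
          if [ -z "$ACCESS_TOKEN" ]; then
            echo "ERROR: Failed to obtain access_token from Keycloak"
            # An error body from the token endpoint carries no credentials,
            # so it is safe to print for diagnostics.
            echo "$TOKEN_RESPONSE" | jq .
            exit 1
          fi
          # Do not print the token to the log. Register it as a mask so any
          # accidental echo is redacted, then pass it to the next step as a
          # step output instead of job-wide env.
          echo "::add-mask::$ACCESS_TOKEN"
          echo "access_token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"

      - name: Exchange Keycloak token for Vault token (auth/jwt/login)
        id: vault_login
        env:
          VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
          VAULT_JWT_ROLE: ${{ secrets.VAULT_ROLE }}
          ACCESS_TOKEN: ${{ steps.keycloak.outputs.access_token }}
        run: |
          # Build the request body with jq so role/jwt are JSON-escaped rather
          # than spliced into a hand-written string.
          LOGIN_BODY=$(jq -n --arg role "$VAULT_JWT_ROLE" --arg jwt "$ACCESS_TOKEN" \
            '{role: $role, jwt: $jwt}')
          LOGIN_RESPONSE=$(curl -sS --max-time 30 "$VAULT_ADDRESS/v1/auth/jwt/login" \
            -H "Content-Type: application/json" \
            -d "$LOGIN_BODY")
          VAULT_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.auth.client_token // empty')
          if [ -z "$VAULT_TOKEN" ]; then
            echo "ERROR: Failed to login to Vault via JWT"
            # Vault login errors are `{"errors": [...]}` with no token material.
            echo "$LOGIN_RESPONSE" | jq .
            exit 1
          fi
          # Same handling as the Keycloak token: mask, then scope to a step output.
          echo "::add-mask::$VAULT_TOKEN"
          echo "vault_token=$VAULT_TOKEN" >> "$GITHUB_OUTPUT"

      - name: Read secrets from Vault KV and export to env
        env:
          VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
          VAULT_KV_PATH: ${{ secrets.VAULT_KV_PATH }}
          VAULT_TOKEN: ${{ steps.vault_login.outputs.vault_token }}
        run: |
          # KV v2 API endpoint: /v1/<mount>/data/<path>
          # e.g. VAULT_KV_PATH="blog/frontend" -> mount=blog, path=frontend
          # Without a '/' both parameter expansions below would yield the whole
          # string, producing a silently wrong URL; fail early instead.
          case "$VAULT_KV_PATH" in
            */*) ;;
            *)
              echo "ERROR: VAULT_KV_PATH must have the form <mount>/<path>"
              exit 1
              ;;
          esac
          MOUNT="${VAULT_KV_PATH%%/*}"
          SUBPATH="${VAULT_KV_PATH#*/}"
          JSON=$(curl -sS --max-time 30 \
            -H "X-Vault-Token: $VAULT_TOKEN" \
            "$VAULT_ADDRESS/v1/$MOUNT/data/$SUBPATH")
          # Example: pull one key (replace/extend with your own).
          API_BASE_URL=$(echo "$JSON" | jq -r '.data.data.API_BASE_URL // empty')
          if [ -z "$API_BASE_URL" ]; then
            echo "ERROR: API_BASE_URL is missing in Vault at $VAULT_KV_PATH"
            exit 1
          fi
          # Export for the following steps. API_BASE_URL is configuration, not
          # a credential, so job-wide env is acceptable here; do not export
          # secret values this way.
          echo "API_BASE_URL=$API_BASE_URL" >> "$GITHUB_ENV"

      - name: Verify secrets loaded (safe)
        run: |
          # Report presence only; never print the values themselves.
          echo "API_BASE_URL loaded: $([ -n "$API_BASE_URL" ] && echo yes || echo no)"

      - name: Install deps
        run: |
          corepack enable
          pnpm -v || true
          pnpm install

      - name: Build
        env:
          API_BASE_URL: ${{ env.API_BASE_URL }}
          # NOTE(review): nothing in this workflow sets env.SENTRY_DSN, so this
          # expands to an empty string unless it is also read from Vault above.
          SENTRY_DSN: ${{ env.SENTRY_DSN }}
        run: pnpm build

      - name: Revoke Vault token (best effort)
        # Runs even when an earlier step failed, to shorten the lifetime of
        # the issued token; a failure here must not change the job result.
        if: always()
        env:
          VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
          VAULT_TOKEN: ${{ steps.vault_login.outputs.vault_token }}
        run: |
          [ -n "$VAULT_TOKEN" ] || exit 0
          curl -sS --max-time 30 -X POST \
            -H "X-Vault-Token: $VAULT_TOKEN" \
            "$VAULT_ADDRESS/v1/auth/token/revoke-self" || true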