Open inBytes opened 2 months ago
Point no. 2:

You can keep using a passphrase for stronger security, and when pulling you can use the GitHub token in your workflow:

`git pull https://${{ github.actor }}:${{ github.token }}@github.com/${{ github.repository }}.git main`

The above are default env vars when you use GitHub Actions.
Hi there @stephanvebrian !!

Thank you for your suggestion.

If you read the next heading after 2), I swear to you that I tried using a passphrase, both with an ed25519 key and an rsa key, with no success. At least with SSH, which was my chosen path.

Using HTTPS (as far as I read) required me to use a token that has to be updated after a given period of time, which was not my ideal approach (I wanted to set it up once and forget it).
Yes @inBytes, that was my setup also: not planning to set up a PAT token for each repository. But here is the magic part.

If you look at this url:

`https://${{ github.actor }}:${{ github.token }}@github.com/${{ github.repository }}.git`

it uses `github.*` secrets, which are default variables in each repository (https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables), so you don't have to set up any additional token except the ssh key and passphrase that will be used for logging into your machine.
Sorry for the delay in replying @stephanvebrian, I'm a father of two in addition to owning a business, and didn't have time for this side project.

I still don't get your point. In the link you are sharing with me (https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables) I see a section with Default environment variables where I see:

But I don't see any "default" GITHUB_TOKEN. In fact, they don't mention the word "token" anywhere in the text of that documentation page.

I don't want to bother you or waste your time, but if it's a simple thing, just tell me. Otherwise let it be, as I have it running the way I told you above.

Thank you anyway!!
Hi @barthofu @Mr-Artemus !!

I've been struggling very hard with CI/CD in the last weeks in order to be able to automatically deploy my bot to my VPS when pushing to my `Features` branch at GitHub.

There are two important issues I think you should include in your documentation about CI/CD:

1) First is about **Actions permissions**.
2) Second is about doing a pull using `git pull https://github.com/<your_github_user>/<your_github_project>.git main`

### 1) Actions Permissions

By default, for your GitHub project, in `Settings > Actions > General > Actions permissions` you'll have this option selected: `Allow <your_github_user> actions and reusable workflows`

This prevents you from using the `deploy.yml` action, with this error:

`appleboy/ssh-action@master is not allowed to be used in <your_github_user>/<your_github_project>. Actions in this workflow must be: within a repository owned by <your_github_user>.`

To be able to use external repositories inside your actions, you must set `Settings > Actions > General > Actions permissions` to this: `Allow all actions and reusable workflows` :thumbsup:

### 2) Git pull from your VPS

If you try to do a pull from your VPS using `git pull https://github.com/<your_github_user>/<your_github_project>.git main` you'll get a prompt for inserting your GitHub user/password.

But even if, in your deploy action, you insert your GitHub user/password in your HTTPS request like this:

`git pull https://${{ secrets.GITHUB_USERNAME }}:${{ secrets.GITHUB_PASSWORD }}@github.com/<your_github_user>/<your_github_project>.git main`

you'll finally get this error:

I'm not going to go into this subject in depth, but if you want to go through the HTTPS request path, instead of using your GitHub password you must create a Personal Access TOKEN.

The other option (the one I chose !!) is using SSH against GitHub in order to do a pull from your VPS. Like this:

`git pull git@github.com:<your_github_user>/<your_github_project>.git Features` :thumbsup:

Those would be the two points I would add to your documentation.

### But... here is where the fun begins

This is because, to make this work:

`git pull git@github.com:<your_github_user>/<your_github_project>.git Features`

I have had to go through HELL :japanese_goblin: because of the limitations of the different components of this integration. Here is the summary:

- `deploy.yml` action, using my VPS user/password: :x:
- `deploy.yml` action, using my VPS user/ed25519 key/passphrase: :x:
- `deploy.yml` action, using my VPS user/ed25519 key/NO passphrase: :x:
- `deploy.yml` action, using my VPS user/rsa key/passphrase: :x:
- `deploy.yml` action, using my VPS user/rsa key/NO passphrase: :white_check_mark:

The limitations seem to be these:

- The `appleboy/ssh-action@master` repository doesn't seem to be able to deal with passphrases for keys (read this issue) ( :man_facepalming: even when `appleboy` claims to have added support for passphrases to his repository :man_facepalming: )

### My VPS Linux Setup

So, if someone wants to do the same CI/CD I did on my `Almalinux v9` (maybe you'll have to change something if you are on another distro), you'll have to do this:

NOTE: replace `<my_user>`, `<my_user_password>`, `my@email.com`, `<my_VPS_IP>` and `<my_VPS_SSH_port>` with your own data.

1) Log in to your VPS as `root`.
2) Run these instructions to create a user in which you'll run your bot:
3) Create an RSA key with NO passphrase and add it to the `authorized_keys` file:
4) Add your PUBLIC key to GitHub: `cat /home/<my_user>/.ssh/id_rsa.pub`
   This will allow you to communicate with GitHub using git from your VPS.
5) On GitHub, go to the section Settings > Secrets and variables > Actions > Secrets and create the following entries:
   `cat /home/<my_user>/.ssh/id_rsa`
6) On your VPS, edit the `known_hosts` file `/home/<my_user>/.ssh/known_hosts`:
   `nano /home/<my_user>/.ssh/known_hosts`
   ...and fill it with the next content:
7) Add the key to your SSH agent and clone the repository:
   It should give you something similar to the following output:
   VERY IMPORTANT: if at some point something is not working as it should, you can test what can be failing by running this command:
   `ssh -vT git@github.com`
   You'll get a complete diagnosis about the SSH connection.
8) Finally I changed the `deploy.yml` to this:

You can notice the following issues:

- `build.yml` execution and dependency: the `build.yml` action is to DO THE SETUP for the project in a local-to-GitHub Ubuntu virtual machine to test if everything is right from an `eslint` point of view
- `secrets.PROJECT_PATH`: including it directly on the `script` part, and it's running well :man_shrugging:
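Once `Allow all actions and reusable workflows` is switched on, every third-party action the workflow references (here `appleboy/ssh-action@master`, a moving branch) can change underneath the deploy job between two runs. An added example, not code from the original post or from the bot project: a small scanner that lists the `uses:` references in a workflow file and flags third-party ones that are not pinned to a full 40-character commit SHA. The `deploy.yml` it scans is constructed for this example; treating the `actions` and `github` owners as trusted-but-unpinned is an assumed policy, and the 40-hex SHA in the sample is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow for this example (not the project's deploy.yml).
# The `uses:` lines are what matters once "Allow all actions" is enabled.
SAMPLE_DEPLOY_YML = """\
name: deploy
on:
  push:
    branches: [Features]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: pull on the VPS
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.HOST }}
          key: ${{ secrets.SSH_KEY }}
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-step
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

# Matches `uses: <ref>` whether or not the step starts with `- ` and whether or
# not the reference is quoted; the capture stops at whitespace or a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return every `uses:` reference in the workflow, in file order."""
    return [m.group(1) for line in workflow_text.splitlines()
            if (m := USES_RE.match(line))]


def classify(ref, trusted_owners=("actions", "github")):
    """Classify one reference.

    - "local":            a path inside this repo (./...), governed by your own commits
    - "docker":           a container image; tags are mutable too, but out of scope here
    - "pinned":           <owner>/<repo>@<full 40-hex commit sha>, immutable
    - "trusted-unpinned": tag/branch ref from an owner on the assumed allow-list
    - "unpinned":         tag/branch ref from anyone else; a moving target
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    repo_path, _, version = ref.partition("@")
    owner = repo_path.split("/", 1)[0]
    if FULL_SHA_RE.match(version):
        return "pinned"
    if owner in trusted_owners:
        return "trusted-unpinned"
    return "unpinned"


def find_unpinned(workflow_text):
    """References a reviewer should pin before widening Actions permissions."""
    return [ref for ref in parse_uses(workflow_text) if classify(ref) == "unpinned"]


if __name__ == "__main__":
    for ref in parse_uses(SAMPLE_DEPLOY_YML):
        print(f"{classify(ref):17} {ref}")
```

On the constructed workflow the only finding is `appleboy/ssh-action@master`. The fix is to replace `@master` with the commit SHA of the release you actually reviewed (keeping the version in a trailing comment so the pin stays readable); GitHub's permissions page also offers an allow-list of selected non-owner actions as a middle ground between the default and `Allow all`.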
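For step 6, the point of filling `known_hosts` by hand is that the VPS then trusts only the GitHub host key you wrote there, so the entry is worth checking against the fingerprints GitHub publishes (https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints) rather than taken from whatever a scan returned. An added example, not from the original post or the bot project: a parser that validates each `known_hosts` entry (base64 decodes, declared key type matches the type embedded in the blob) and computes its OpenSSH-style SHA256 fingerprint, the same value `ssh-keygen -lf /home/<my_user>/.ssh/known_hosts` prints. The host key in the sample is a constructed placeholder blob, not GitHub's real key, and `host_is_pinned` is a helper name chosen here.

```python
import base64
import hashlib
import struct

# Constructed sample for this example, NOT GitHub's real host key: a synthetic
# ssh-ed25519 public key in SSH wire format (string "ssh-ed25519" + 32 key bytes).
FAKE_ED25519_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
FAKE_ED25519_B64 = base64.b64encode(FAKE_ED25519_BLOB).decode()

SAMPLE_KNOWN_HOSTS = f"""# constructed known_hosts content, not a real host key
github.com ssh-ed25519 {FAKE_ED25519_B64}
"""
# The same blob declared under the wrong type: a copy/paste error the parser rejects.
MISMATCHED_KNOWN_HOSTS = f"github.com ssh-rsa {FAKE_ED25519_B64}\n"


def _read_ssh_string(blob, offset=0):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if len(blob) < offset + 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("key blob truncated")
    return blob[start:end], end


def ssh_fingerprint(key_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Return [(hosts, key_type, fingerprint)] for every entry in the file.

    Entry format: `host[,host...] key-type base64-key [comment]`, optionally
    prefixed by a marker such as @cert-authority or @revoked (dropped here).
    Malformed entries raise ValueError so a bad paste is caught before the
    first deploy fails with an unverified host key.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'hosts key-type key'")
        hosts, key_type, key_b64 = fields[0].split(","), fields[1], fields[2]
        try:
            blob = base64.b64decode(key_b64, validate=True)  # binascii.Error is a ValueError
            embedded, _ = _read_ssh_string(blob)
        except ValueError as e:
            raise ValueError(f"line {lineno}: {e}") from e
        if embedded != key_type.encode("ascii", "replace"):
            raise ValueError(f"line {lineno}: declared {key_type} but blob carries {embedded!r}")
        entries.append((hosts, key_type, ssh_fingerprint(key_b64)))
    return entries


def host_is_pinned(text, host, expected_fingerprints):
    """True if `host` appears and every one of its entries has an expected fingerprint.

    Hashed hostnames (|1|...) are not matched; write the plain name in a file
    you fill by hand, as in step 6.
    """
    found = False
    for hosts, _, fingerprint in parse_known_hosts(text):
        if host in hosts:
            found = True
            if fingerprint not in expected_fingerprints:
                return False
    return found


SAMPLE_FINGERPRINT = ssh_fingerprint(FAKE_ED25519_B64)

if __name__ == "__main__":
    for hosts, key_type, fingerprint in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(",".join(hosts), key_type, fingerprint)
```

Run `parse_known_hosts` over the file you wrote in step 6 and compare each fingerprint with the ones on GitHub's fingerprints page; a mismatch means the entry was typed or pasted wrong, or came from something other than GitHub. The same check applies on the runner side for the VPS's own host key, since that is a separate trust decision made by the deploy action.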