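# Deploys the site to web.hhivp.com over SSH on every push to main (or on a
# manual dispatch), then pings IndexNow from a fresh checkout of the repo.
name: deploy

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege for the GITHUB_TOKEN: the only thing this workflow does
# with it is the read-only checkout for the IndexNow step. The deploy itself
# authenticates with the SSH key taken from secrets, not with the token.
permissions:
  contents: read

# Serialise deploys. Two pushes in quick succession would otherwise run the
# remote `git reset --hard` / `docker compose up` concurrently on the same
# host. The in-flight deploy is allowed to finish (cancelling it mid-way could
# leave a half-updated checkout); the newer run simply waits its turn.
concurrency:
  group: deploy-production
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    # A hung ssh session or a stuck `docker compose build` would otherwise
    # hold the job (and the concurrency slot above) for GitHub's default limit.
    timeout-minutes: 30
    steps:
      - name: Install SSH client
        # openssh-client is preinstalled on GitHub-hosted Ubuntu images, so
        # only install it when it is actually missing (e.g. a bare container
        # runner). NOTE(review): apt-get without sudo assumes the job runs as
        # root — confirm that for the runner in use.
        run: |
          if ! command -v ssh >/dev/null 2>&1; then
            apt-get update -qq
            apt-get install -y --no-install-recommends openssh-client
          fi

      - name: Setup SSH
        # Secrets reach the script through the environment instead of being
        # expanded by `${{ }}` inside it: expression expansion happens before
        # the shell starts, so the key material would otherwise be part of the
        # script text and subject to shell quoting. Env vars avoid both.
        env:
          SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
        run: |
          set -euo pipefail
          # Fail early with a clear message: an unset secret would otherwise
          # produce an empty key file and a confusing auth failure later.
          [ -n "$SSH_DEPLOY_KEY" ] || { echo "secret SSH_DEPLOY_KEY is empty" >&2; exit 1; }
          [ -n "$SSH_KNOWN_HOSTS" ] || { echo "secret SSH_KNOWN_HOSTS is empty" >&2; exit 1; }
          # umask 077 makes the files private from the moment they are created,
          # so the private key never sits on disk with wider permissions in the
          # window before chmod runs.
          umask 077
          mkdir -p ~/.ssh && chmod 700 ~/.ssh
          printf '%s\n' "$SSH_DEPLOY_KEY" > ~/.ssh/id_deploy
          chmod 600 ~/.ssh/id_deploy
          printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
          chmod 644 ~/.ssh/known_hosts

      - name: Deploy to web.hhivp.com
        # BatchMode: fail instead of hanging on any prompt (passphrase, host
        # key). StrictHostKeyChecking=yes: the host must already be present in
        # the known_hosts written above — an unknown or changed host key is a
        # hard error, never a silent accept. IdentitiesOnly: offer only the
        # deploy key, not whatever an agent might hold.
        # The heredoc delimiter is quoted, so nothing in the remote script is
        # expanded on the runner; every variable below is evaluated on the host.
        run: |
          ssh -i ~/.ssh/id_deploy \
              -o BatchMode=yes \
              -o StrictHostKeyChecking=yes \
              -o IdentitiesOnly=yes \
              striker@web.hhivp.com bash -s <<'REMOTE'
          set -euo pipefail
          REPO_URL="ssh://git@git.striker.su:2222/striker/anotherreflections-website-v2.git"
          DEPLOY_PATH="/opt/docker/sites/anotherreflections-ru-v2"
          HEALTH_URL="http://127.0.0.1:4084/"

          # First deploy clones; later deploys force the checkout to origin/main
          # (local edits on the host are discarded on purpose).
          if [ ! -d "$DEPLOY_PATH/.git" ]; then
            mkdir -p "$DEPLOY_PATH"
            git clone --branch main "$REPO_URL" "$DEPLOY_PATH"
          else
            cd "$DEPLOY_PATH"
            git remote set-url origin "$REPO_URL"
            git fetch origin main
            git reset --hard origin/main
          fi

          cd "$DEPLOY_PATH"
          docker compose build

          # Trivy scan локально собранного образа (HIGH+CRITICAL, не блокирует).
          # ghcr.io вместо docker.io — обход rate limit Docker Hub.
          # Advisory scan only: --exit-code 0 and `|| true` mean findings are
          # logged, never enforced. The scanner image is pulled by the floating
          # `latest` tag; TODO(review): pin it to a specific Trivy version so
          # scan behaviour does not change underneath the deploy.
          echo "=== Trivy scan: anotherreflections-ru-v2:latest ==="
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v /tmp/trivy-cache:/root/.cache/ \
            ghcr.io/aquasecurity/trivy:latest image \
            --severity HIGH,CRITICAL \
            --no-progress \
            --exit-code 0 \
            --timeout 5m \
            anotherreflections-ru-v2:latest || true
          echo "=== Trivy scan done ==="

          docker compose up -d

          # Poll the health endpoint instead of trusting a single fixed sleep:
          # a cold start may need more than 5s, and a site that never becomes
          # healthy must fail the deploy (with logs) rather than be left up
          # unnoticed. Up to 6 x 5s = 30s.
          healthy=0
          for _ in 1 2 3 4 5 6; do
            sleep 5
            if curl -fsS -o /dev/null -w "HEALTH HTTP %{http_code}\n" "$HEALTH_URL"; then
              healthy=1
              break
            fi
          done
          docker compose ps
          if [ "$healthy" -ne 1 ]; then
            echo "health check failed: $HEALTH_URL" >&2
            docker compose logs --tail=100
            exit 1
          fi

          # Housekeeping; never fails the deploy.
          docker image prune -af --filter "until=168h" >/dev/null 2>&1 || true
          REMOTE

      - name: Checkout repo for IndexNow
        # NOTE(review): consider pinning the actions below to a full commit SHA
        # (`actions/checkout@<sha>  # v4`) so a moved tag cannot change the
        # code that runs here.
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22'

      - name: Notify IndexNow (Yandex/Bing)
        # Best effort: a failed ping must not mark the deploy as failed.
        # continue-on-error shows the failure in the run UI, where `|| true`
        # hid it entirely.
        # NOTE(review): no `npm ci` runs before this step — presumably the
        # indexnow script needs no installed dependencies; confirm.
        continue-on-error: true
        run: npm run indexnow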