Skip to content

Swap unauthorized with includable resource #60

Swap unauthorized with includable resource

Swap unauthorized with includable resource #60

Workflow file for this run

# vim: set colorcolumn=:
name: deployment
on:
push:
branches:
- develop
- phoenix
env:
PHP_VERSION: '8.1'
permissions:
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
environment: production
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Everything
fetch-tags: true
- name: Update apt cache
run: sudo apt-get update
- name: Install PHP ${{ env.PHP_VERSION }}
run: sudo apt-get install php${{ env.PHP_VERSION }}-cli
- name: Validate composer.json and composer.lock
run: composer validate --strict
- name: Cache Composer packages
id: composer-cache
uses: actions/cache@v4
with:
path: lib
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
restore-keys: |
${{ runner.os }}-php-
- name: Install composer/vendor dependencies
run: composer install --prefer-dist --no-progress --ignore-platform-reqs
- name: Validate PHP syntax
run: bash -c 'set -e;for file in $(find ./src -type f -regex ".*\.\(php\|phtml\)" -print); do php -e -l -f "$file"; done'
- name: Sanitize Branch Name
run: |
CLEAN_BRANCH_NAME="${GITHUB_REF_NAME//\//_}"
echo "CLEAN_BRANCH_NAME=${CLEAN_BRANCH_NAME}" >> $GITHUB_ENV
- name: Create Config
env:
WEB_CONFIG_JSON: ${{ secrets.WEB_CONFIG_JSON }}
run: |
echo "${WEB_CONFIG_JSON}" > ./etc/config.phoenix.json
jq -c -e . ./etc/config.phoenix.json 1>/dev/null
- name: Create Version file
run: |
#!/usr/bin/env bash
set -ex -o pipefail
# Version identifier
echo "$(git describe --always --tags)" > ./etc/.rsync-version
# Version hash
echo "$(git rev-parse HEAD)" >> ./etc/.rsync-version
# Version ISO8601 timestamp
echo "$(git log -n 1 --pretty='%aI' HEAD)" >> ./etc/.rsync-version
# LICENSE version and ISO8601 timestamp
echo -n "$(git log -n 1 --pretty='%h %aI' ./LICENSE.txt)" >> ./etc/.rsync-version
- name: Deploy to Remote
env:
SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
SSH_HOST: ${{ secrets.SSH_HOST }}
SSH_PORT: ${{ secrets.SSH_PORT }}
SSH_USER: ${{ secrets.SSH_USER }}
SSH_KEY: ${{ secrets.SSH_KEY }} # SSH private key stored as a GitHub secret
SSH_WEB_PATH: ${{ secrets.SSH_WEB_PATH }}
run: |
#!/usr/bin/env bash
set -ex -o pipefail
# Setup SSH directory, known hosts, and private key
mkdir -pv "${HOME}/.ssh"
echo "${SSH_KNOWN_HOSTS}" > "${HOME}/.ssh/known_hosts"
chmod -v 644 "${HOME}/.ssh/known_hosts"
echo "${SSH_KEY}" > "${HOME}/.ssh/id_${SSH_USER}"
chmod -v 400 "${HOME}/.ssh/id_${SSH_USER}"
# Deploy artifact to the remote
rsync -avzc --delete --delete-excluded --delete-after --progress \
--exclude-from="./etc/deploy-ignore.txt" \
--chown=${SSH_USER}:${SSH_USER} \
-e "ssh -i ${HOME}/.ssh/id_${SSH_USER} -p ${SSH_PORT}" \
"./" "${SSH_USER}@${SSH_HOST}:${SSH_WEB_PATH}/${CLEAN_BRANCH_NAME}"
# Cleanup the secret
rm -fv "${HOME}/.ssh/id_${SSH_USER}" "${HOME}/.ssh/id_${SSH_USER}.pub"
- name: Cleanup Config
run: |
rm -fv ./etc/config.phoenix.json