Swap unauthorized with includable resource #60
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# vim: set colorcolumn=: | |
name: deployment | |
on: | |
push: | |
branches: | |
- develop | |
- phoenix | |
env: | |
PHP_VERSION: '8.1' | |
permissions: | |
contents: read | |
jobs: | |
deploy: | |
runs-on: ubuntu-latest | |
environment: production | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # Everything | |
fetch-tags: true | |
- name: Update apt cache | |
run: sudo apt-get update | |
- name: Install PHP ${{ env.PHP_VERSION }} | |
run: sudo apt-get install php${{ env.PHP_VERSION }}-cli | |
- name: Validate composer.json and composer.lock | |
run: composer validate --strict | |
- name: Cache Composer packages | |
id: composer-cache | |
uses: actions/cache@v4 | |
with: | |
path: lib | |
key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} | |
restore-keys: | | |
${{ runner.os }}-php- | |
- name: Install composer/vendor dependencies | |
run: composer install --prefer-dist --no-progress --ignore-platform-reqs | |
- name: Validate PHP syntax | |
run: bash -c 'set -e;for file in $(find ./src -type f -regex ".*\.\(php\|phtml\)" -print); do php -e -l -f "$file"; done' | |
- name: Sanitize Branch Name | |
run: | | |
CLEAN_BRANCH_NAME="${GITHUB_REF_NAME//\//_}" | |
echo "CLEAN_BRANCH_NAME=${CLEAN_BRANCH_NAME}" >> $GITHUB_ENV | |
- name: Create Config | |
env: | |
WEB_CONFIG_JSON: ${{ secrets.WEB_CONFIG_JSON }} | |
run: | | |
echo "${WEB_CONFIG_JSON}" > ./etc/config.phoenix.json | |
jq -c -e . ./etc/config.phoenix.json 1>/dev/null | |
- name: Create Version file | |
run: | | |
#!/usr/bin/env bash | |
set -ex -o pipefail | |
# Version identifier | |
echo "$(git describe --always --tags)" > ./etc/.rsync-version | |
# Version hash | |
echo "$(git rev-parse HEAD)" >> ./etc/.rsync-version | |
# Version ISO8601 timestamp | |
echo "$(git log -n 1 --pretty='%aI' HEAD)" >> ./etc/.rsync-version | |
# LICENSE version and ISO8601 timestamp | |
echo -n "$(git log -n 1 --pretty='%h %aI' ./LICENSE.txt)" >> ./etc/.rsync-version | |
- name: Deploy to Remote | |
env: | |
SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }} | |
SSH_HOST: ${{ secrets.SSH_HOST }} | |
SSH_PORT: ${{ secrets.SSH_PORT }} | |
SSH_USER: ${{ secrets.SSH_USER }} | |
SSH_KEY: ${{ secrets.SSH_KEY }} # SSH private key stored as a GitHub secret | |
SSH_WEB_PATH: ${{ secrets.SSH_WEB_PATH }} | |
run: | | |
#!/usr/bin/env bash | |
set -ex -o pipefail | |
# Setup SSH directory, known hosts, and private key | |
mkdir -pv "${HOME}/.ssh" | |
echo "${SSH_KNOWN_HOSTS}" > "${HOME}/.ssh/known_hosts" | |
chmod -v 644 "${HOME}/.ssh/known_hosts" | |
echo "${SSH_KEY}" > "${HOME}/.ssh/id_${SSH_USER}" | |
chmod -v 400 "${HOME}/.ssh/id_${SSH_USER}" | |
# Deploy artifact to the remote | |
rsync -avzc --delete --delete-excluded --delete-after --progress \ | |
--exclude-from="./etc/deploy-ignore.txt" \ | |
--chown=${SSH_USER}:${SSH_USER} \ | |
-e "ssh -i ${HOME}/.ssh/id_${SSH_USER} -p ${SSH_PORT}" \ | |
"./" "${SSH_USER}@${SSH_HOST}:${SSH_WEB_PATH}/${CLEAN_BRANCH_NAME}" | |
# Cleanup the secret | |
rm -fv "${HOME}/.ssh/id_${SSH_USER}" "${HOME}/.ssh/id_${SSH_USER}.pub" | |
- name: Cleanup Config | |
run: | | |
rm -fv ./etc/config.phoenix.json |