From 547c4cf8d5c373e81b0f906a04966903e2682077 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 17 May 2024 21:56:05 +0900
Subject: [PATCH 1/4] chore: update comment

---
 .github/scripts/deploy.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/scripts/deploy.sh b/.github/scripts/deploy.sh
index 50e644d..fab1e73 100755
--- a/.github/scripts/deploy.sh
+++ b/.github/scripts/deploy.sh
@@ -1,6 +1,7 @@
 #!/bin/sh -e
 
-# Deploys to the production server.
+# Deploys the official site to the production server.
+# See ../workflows/deploy.yml
 
 REPO="/opt/website"
 RELEASE_DIR="/home/public_html/site/releases"

From 325e58cd826af3217577f43940cda515db1436ed Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 17 May 2024 21:56:35 +0900
Subject: [PATCH 2/4] chore: add uid check

---
 .github/scripts/deploy.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/scripts/deploy.sh b/.github/scripts/deploy.sh
index fab1e73..249edf7 100755
--- a/.github/scripts/deploy.sh
+++ b/.github/scripts/deploy.sh
@@ -9,6 +9,11 @@ SHARED_DIR="/home/public_html/site/shared"
 USERGUIDE_DIR="/home/public_html/userguides"
 CONFIG_FILE="/home/public_html/config/.env.site"
 
+if [ "$(id -u)" = "0" ]; then
+ echo "Cannot be run as root. Please run as the user for deployment."
+ exit 1
+fi
+
 
 RELEASE=`date +"%Y-%m-%d-%H-%M-%S"`
 echo $'Update website repository\n'

From f4ada02953c249db04c836becd44e5a78e7d740f Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 17 May 2024 21:57:03 +0900
Subject: [PATCH 3/4] chore: remove $ for echo

`$'...'` is not supported by /bin/sh.

---
 .github/scripts/deploy.sh | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/scripts/deploy.sh b/.github/scripts/deploy.sh
index 249edf7..783eddb 100755
--- a/.github/scripts/deploy.sh
+++ b/.github/scripts/deploy.sh
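Review bot: The refusal message in the new root check is written to stdout; as a diagnostic that immediately precedes `exit 1` it belongs on stderr, `echo "Cannot be run as root. Please run as the user for deployment." >&2`, so it is not swallowed when a caller captures the script's output. The check itself is sound for `/bin/sh` (`id -u` rather than the bash-only `$EUID`). It only blocks a direct root invocation, though: the later steps, outside this hunk, still escalate with `sudo`, so the deployment user's sudo rights remain the real privilege boundary and deserve a line above the check, e.g. `# Must run as the deploy user; the privileged steps below rely on that user's sudo configuration.`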
@@ -16,43 +16,43 @@ fi
 
 
 RELEASE=`date +"%Y-%m-%d-%H-%M-%S"`
-echo $'Update website repository\n'
+echo 'Update website repository\n'
 cd $REPO
 git switch master
 git pull
 
-echo $'Copy current release\n'
+echo 'Copy current release\n'
 cd $RELEASE_DIR
 sudo cp -pr $REPO ./$RELEASE
 
-echo $'Install composer dependencies\n'
+echo 'Install composer dependencies\n'
 cd $RELEASE_DIR/$RELEASE
 composer install --no-dev
 
 if [ ! -d "$SHARED_DIR" ]; then
- echo $'Create shared directory\n'
+ echo 'Create shared directory\n'
 sudo mkdir -p "$SHARED_DIR"
- echo $'Setup folder permissions\n'
+ echo 'Setup folder permissions\n'
 sudo chown -R www-data:www-data writable
 sudo chmod -R 755 writable
 sudo cp -rp writable "$SHARED_DIR"
 fi
 
-echo $'Link writable\n'
+echo 'Link writable\n'
 sudo rm -rf writable
 sudo ln -nsf "$SHARED_DIR/writable" writable
 
-echo $'Link .env\n'
+echo 'Link .env\n'
 sudo ln -nsf $CONFIG_FILE .env
 
-echo $'Link user guides\n'
+echo 'Link user guides\n'
 ln -nsf $USERGUIDE_DIR/userguide4 public/user_guide
 ln -nsf $USERGUIDE_DIR/userguide3 public/userguide3
 ln -nsf $USERGUIDE_DIR/userguide2 public/userguide2
 
-echo $'Deploy: update symlink\n'
+echo 'Deploy: update symlink\n'
 cd $RELEASE_DIR
 sudo ln -nsf $RELEASE_DIR/$RELEASE "../current"
 
-echo $'Reload PHP8.1-FPM\n'
+echo 'Reload PHP8.1-FPM\n'
 sudo service php8.1-fpm reload

From 291ba416345067a5307d8acb705645d234aef1b6 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Sat, 18 May 2024 18:49:19 +0900
Subject: [PATCH 4/4] chore: add fingerprint

To prevent Person-in-the-Middle attacks.

---
 .github/workflows/deploy.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c6935f2..1c8f8b2 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -20,4 +20,5 @@ jobs:
 username: ${{ secrets.USERNAME }}
 key: ${{ secrets.KEY }}
 port: ${{ secrets.PORT }}
+fingerprint: ${{ secrets.FINGERPRINT }}
 script: /opt/website/.github/scripts/deploy.sh
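Review bot: The replacement `echo 'Update website repository\n'` makes the trailing blank line depend on which shell `/bin/sh` resolves to: dash's builtin echo expands `\n`, whereas bash invoked as sh prints the two characters `\n` literally by default (only `xpg_echo` changes that), so the same line renders differently from host to host. `printf '%s\n\n' 'Update website repository'` is portable under `#!/bin/sh` and produces the intended heading plus blank line everywhere; the same substitution applies to all ten changed echo lines in this hunk. The commit message's reason for dropping `$'...'` is correct, so this is only about the form of the replacement.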
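Review bot: The new `fingerprint` line pins the host key only while the `FINGERPRINT` secret is actually populated; with the appleboy-style SSH actions an empty fingerprint input falls back to accepting any host key, as far as I recall, so a missing or blank secret silently restores the exposure this commit is closing (the action's `uses:` line is above the hunk, so confirm this against its documentation). A preceding step that fails the job when the secret is empty closes that gap, e.g. `run: test -n "$FINGERPRINT" || { echo 'FINGERPRINT secret is not set' >&2; exit 1; }` with the secret passed through `env:` rather than interpolated into the script text. A comment above the new line should also state the expected value, `# SHA256 fingerprint of the deploy host's SSH host key (ssh-keygen -lf on the server's host key); pins the host so a spoofed server cannot receive the deploy key session`.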