👷 Add composite action for running securely via SSH

dothq · Apr 27, 2024 · d35d1ab · d35d1ab
1 parent 4d8e480
commit d35d1ab
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 20 deletions.
diff --git a/.github/actions/run-via-ssh/action.yml b/.github/actions/run-via-ssh/action.yml
@@ -0,0 +1,51 @@
+name: "Run via SSH"
+description: "Connects securely to a server over Tailscale and runs a shell script."
+inputs:
+    ts_hostname:
+        description: "Tailscale server hostname to use"
+        required: true
+    ts_oauth_client_id:
+        description: "Tailscale OAuth2 client ID to use"
+        required: true
+    ts_oauth_secret:
+        description: "Tailscale OAuth2 secret to use"
+        required: true
+    ts_tags:
+        description: "Tailscale tags to use."
+        default: ""
+        required: false
+    ssh_username:
+        description: "SSH username to use."
+        required: true
+    ssh_private_key:
+        description: "SSH private key to use."
+        required: true
+    run:
+        description: "Shell script to execute"
+        required: true
+
+runs:
+    using: "composite"
+    steps:
+        - name: Connect to Tailscale network
+          uses: tailscale/github-action@v2
+          with:
+              oauth-client-id: ${{ inputs.ts_oauth_client_id }}
+              oauth-secret: ${{ inputs.ts_oauth_secret }}
+              tags: ${{ inputs.ts_tags }}
+
+        - name: Install SSH key
+          shell: bash --noprofile --norc -eo pipefail -ux {0}
+          run: |
+              install -m 600 -D /dev/null ~/.ssh/id_rsa
+              echo "${{ inputs.ssh_private_key }}" > ~/.ssh/id_rsa
+              SERVER_IP="$(tailscale ip -6 ${{ inputs.ts_hostname }})"
+              ssh-keyscan $SERVER_IP > ~/.ssh/known_hosts
+
+        - name: Run script
+          shell: bash --noprofile --norc -eo pipefail -ux {0}
+          run: ssh -t ${{ inputs.ssh_username }}@${{ inputs.ts_hostname }} "${{ inputs.run }}"
+
+        - name: Nuke SSH keys
+          shell: bash --noprofile --norc -eo pipefail -ux {0}
+          run: rm -rf ~/.ssh
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -48,24 +48,17 @@ jobs:
             - name: Checkout repository
               uses: actions/checkout@v4
 
-            - name: Connect to Tailscale network
-              uses: tailscale/github-action@v2
+            - name: Deploy to production server
+              uses: ./.github/actions/run-via-ssh
               with:
-                  oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-                  oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
-                  tags: tag:ci
-
-            - name: Install SSH key
-              run: |
-                  install -m 600 -D /dev/null ~/.ssh/id_rsa
-                  echo "${{ secrets.CI_PRIVATE_KEY }}" > ~/.ssh/id_rsa
-                  SERVER_IP="$(tailscale ip -6 ${{ env.SERVER_HOSTNAME }})"
-                  ssh-keyscan $SERVER_IP > ~/.ssh/known_hosts
-
-            - name: Connect over SSH and deploy
-              run: |
-                  SERVER_IP="$(tailscale ip -6 ${{ env.SERVER_HOSTNAME }})"
-                  ssh -t ci@$SERVER_IP "cd /app && git reset --hard && git pull && ./scripts/rebuild_docker.sh"
-
-            - name: Nuke SSH keys
-              run: rm -rf ~/.ssh
+                  ts_hostname: ${{ env.SERVER_HOSTNAME }}
+                  ts_oauth_client_id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+                  ts_oauth_secret: ${{ secrets.TS_OAUTH_SECRET }}
+                  ts_tags: tag:ci
+                  ssh_username: ci
+                  ssh_private_key: ${{ secrets.CI_PRIVATE_KEY }}
+                  run: |
+                      cd /app
+                      git reset --hard
+                      git pull
+                      ./scripts/rebuild_docker.sh