How to execute command from Github Action via SSH into whitelisted server? - continuous-deployment

I met a problem when trying to apply CI/CD to our project using GitHub Actions. The server has a firewall that enables access for listed IPs only.
I have found a method using the GitHub meta API https://api.github.com/meta, but they refused to apply it.
Is there any other way to apply this?
Our current ci.yml:
name: remote ssh
on:
  push:
    branches: [ master ]
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: execute ssh command via using private key
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.REMOTE_HOST }}
          username: ${{ secrets.REMOTE_USER }}
          key: ${{ secrets.CICD_SSH_KEY }}
          port: ${{ secrets.PORT }}
          script: |
            pwd
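The question mentions allowlisting the runner ranges published by https://api.github.com/meta. The following added example (not from the original post) parses a constructed, trimmed sample in that endpoint's shape, checks whether a given IP falls inside the published "actions" ranges, and renders ufw-style allow rules; in practice you fetch the live document, and the real list has thousands of entries that change over time, which is the usual reason firewall teams decline this approach.

```python
"""Check a runner IP against the GitHub Actions ranges from the meta API.
Added example, not code from the original post. SAMPLE_META_JSON is a
constructed sample in the shape of https://api.github.com/meta; the real
document is fetched live and is far larger.
"""
import ipaddress
import json

# Constructed sample: CIDRs here are illustrative, not GitHub's actual ranges.
SAMPLE_META_JSON = """
{
  "actions": ["4.148.0.0/16", "20.1.128.0/17", "2603:1030:20e::/64"],
  "hooks": ["192.30.252.0/22"]
}
"""


def actions_networks(meta_json: str):
    """Parse the meta document and return the 'actions' CIDRs as network objects."""
    meta = json.loads(meta_json)
    return [ipaddress.ip_network(cidr, strict=False) for cidr in meta.get("actions", [])]


def is_actions_ip(ip: str, networks) -> bool:
    """True if ip lies inside any published Actions range (same IP version only)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def allowlist_rules(networks, port: int) -> list:
    """Render one 'ufw allow' rule body per CIDR for the given TCP port."""
    return [f"allow from {net.with_prefixlen} to any port {port} proto tcp" for net in networks]


if __name__ == "__main__":
    nets = actions_networks(SAMPLE_META_JSON)
    for candidate in ("4.148.10.20", "20.1.100.1", "192.30.252.1", "2603:1030:20e::1"):
        verdict = "runner range" if is_actions_ip(candidate, nets) else "not a runner range"
        print(f"{candidate} -> {verdict}")
    print("\n".join(allowlist_rules(nets, 22)))
```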

In my case, I use OpenVPN to access the server.
About security: I think you should not load the VPN config file into Git.
This is my config file:
name: remote ssh command to deploy
on:
  push:
    branches: [ master ]
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Install Open VPN
        run: |
          sudo apt-get install openvpn
          echo "${{ secrets.VPN_FILE }}" > .github/vpn/config.ovpn
      - name: Connect VPN
        uses: golfzaptw/action-connect-ovpn@master
        id: connect_vpn
        with:
          PING_URL: ${{ secrets.REMOTE_HOST }}
          FILE_OVPN: '.github/vpn/config.ovpn'
        env:
          CA_CRT: ${{ secrets.CA_CRT }}
          USER_CRT: ${{ secrets.USER_CRT }}
          USER_KEY: ${{ secrets.USER_KEY }}
      - name: Check Connect VPN
        run: echo ${{ steps.connect_vpn.outputs.STATUS }}
      - name: Execute ssh command via using private key
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.REMOTE_HOST }}
          username: ${{ secrets.REMOTE_USER }}
          key: ${{ secrets.CICD_SSH_KEY }}
          port: ${{ secrets.PORT }}
          script: |
            pwd
            cd ${{ secrets.REMOTE_TARGET }}
            git pull
      - name: kill vpn
        if: always()
        run: sudo killall openvpn
Follow https://github.com/marketplace/actions/connect-vpn#Example-prepare-file-.ovpn:
Copy the data inside each tag, encode it as base64, and save it as a GitHub Actions secret.
Remove the tags and replace them with ca ca.crt, cert user.crt, key user.key.
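The two steps above (lift the inline PEM blocks out into base64 secrets, leave a profile that only references ca.crt, user.crt and user.key) as an added worked example; this is not the action's own code, and the profile is a constructed sample with placeholder PEM bodies rather than real key material.

```python
"""Split inline <ca>/<cert>/<key> blocks out of an OpenVPN profile.
Added example, not code from the answer or from the connect-vpn action.
SAMPLE_OVPN is a constructed profile with placeholder PEM bodies.
"""
import base64
import re

# Constructed sample profile; the PEM bodies are placeholders, not real credentials.
SAMPLE_OVPN = """client
remote vpn.example.test 1194
<ca>
-----BEGIN CERTIFICATE-----
CA_PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
USER_CERT_PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
USER_KEY_PLACEHOLDER
-----END PRIVATE KEY-----
</key>
verb 3
"""

# inline tag -> (directive, file the action writes, secret name the action reads)
INLINE_BLOCKS = {
    "ca": ("ca", "ca.crt", "CA_CRT"),
    "cert": ("cert", "user.crt", "USER_CRT"),
    "key": ("key", "user.key", "USER_KEY"),
}


def split_profile(ovpn_text: str):
    """Return (profile without inline blocks, {secret name: base64 PEM})."""
    secrets = {}
    stripped = ovpn_text
    for tag, (directive, filename, secret_name) in INLINE_BLOCKS.items():
        match = re.search(rf"<{tag}>\n(.*?)</{tag}>\n", ovpn_text, re.DOTALL)
        if match is None:
            raise ValueError(f"profile has no inline <{tag}> block")
        # PEM body goes to a base64 secret; the committed profile only names a file.
        secrets[secret_name] = base64.b64encode(match.group(1).encode()).decode()
        stripped = stripped.replace(match.group(0), f"{directive} {filename}\n")
    return stripped, secrets
```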

Aside from OpenVPN, you can use Cloudflare WARP 1.1.1.1; it's easy to use and there is no need to run any server or log in.
Just make a job:
name: remote ssh command to deploy
on:
  push:
    branches: [ master ]
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Check Connect VPN
        run: |
          curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
          echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
          sudo apt update
          sudo apt install cloudflare-warp
          warp-cli --accept-tos register
          warp-cli --accept-tos connect
Put this there. Boom, you're ready to go and surf anywhere.
Note:
The 1st line adds the Cloudflare package host to the apt host list, because apt only uses Microsoft-hosted packages and it's not there. The 2nd line is there for the same reason.
The 5th line registers the service; the --accept-tos part accepts the TOS, which would otherwise need human input.
The 6th line runs the service.
Full documentation here:
https://pkg.cloudflareclient.com/install
https://developers.cloudflare.com/warp-client/get-started/linux/

Related

Azure deployment of react app fails in deployment phase due to package path or zip deploy

I am new to Azure and I made a setup on the Azure portal with GitHub and set up the .yml. The pipeline runs successfully in the build phase but fails in the deployment phase.
Here is my workflow file:
on:
  push:
    branches: ["master"]
  workflow_dispatch:
env:
  AZURE_WEBAPP_NAME: wep-app-name # set this to your application's name
  AZURE_WEBAPP_PACKAGE_PATH: "." # set this to the path to your web app project, defaults to the repository root
  NODE_VERSION: "16.15.0" # set this to the node version to use
  NODE_OPTIONS: "--max-old-space-size=8192"
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "npm"
      #- name: yarn install, build, and test
      #  run: |
      #    node --max_old_space_size=8192
      #    yarn
      #    yarn run build
      #zip artifact
      - name: Zip artifact for deployment
        run: zip release.zip ./build/* -r #get files and folder in build folder and
        #compress into release.zip with linux zip command
      - name: Upload artifact for deployment job
        uses: actions/upload-artifact@v3
        with:
          name: node-app
          path: build
  deploy:
    permissions:
      contents: none
    runs-on: ubuntu-latest
    needs: build
    environment:
      name: "Development"
      url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
    steps:
      - name: Download artifact from build job
        uses: actions/download-artifact@v3
        with:
          name: node-app
          path: .
      - name: "Deploy to Azure WebApp"
        uses: azure/webapps-deploy@v2
        id: deploy-to-webapp
        with:
          app-name: "app-name"
          slot-name: 'Production'
          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_B2318A4382DB625 }}
          package: .

404 on _next assets after deploying to Github Pages

I am trying to deploy my Next.js app to GitHub Pages, but only the index and 404 pages are displaying. All other pages, images, JS and CSS files are returning a 404 error: everything inside the _next folder.
After some research, I found that a popular solution to this issue was adding a .nojekyll file to the output folder to prevent Jekyll from ignoring files prefixed with _, which I've tried, but the files remain missing.
Here is my GitHub Action for building and deploying the app:
name: Deploy Next.js site to Pages
on:
  # Runs on pushes targeting the default branch
  push:
    branches: ["main"]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
  contents: read
  pages: write
  id-token: write
# Allow one concurrent deployment
concurrency:
  group: "pages"
  cancel-in-progress: true
jobs:
  # Build job
  build:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./docs
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Detect package manager
        id: detect-package-manager
        run: |
          if [ -f "${{ github.workspace }}/docs/yarn.lock" ]; then
            echo "::set-output name=manager::yarn"
            echo "::set-output name=command::install"
            echo "::set-output name=runner::yarn"
            exit 0
          elif [ -f "${{ github.workspace }}/docs/package.json" ]; then
            echo "::set-output name=manager::npm"
            echo "::set-output name=command::ci"
            echo "::set-output name=runner::npx --no-install"
            exit 0
          else
            echo "Unable to determine package manager"
            exit 1
          fi
      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: "16"
          cache: ${{ steps.detect-package-manager.outputs.manager }}
      - name: Restore cache
        uses: actions/cache@v3
        with:
          path: |
            .next/cache
          # Generate a new cache whenever packages or source files change.
          key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
          # If source files changed but packages didn't, rebuild from a prior cache.
          restore-keys: |
            ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-
      - name: Install dependencies
        run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
      - name: Build with Next.js
        run: ${{ steps.detect-package-manager.outputs.runner }} next build
      - name: Static HTML export with Next.js
        run: ${{ steps.detect-package-manager.outputs.runner }} next export
      - name: nojekyll
        run: touch ./out/.nojekyll
      - name: Upload artifact
        uses: actions/upload-pages-artifact@v1
        with:
          path: ./docs/out
  # Deployment job
  deploy:
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v1
I've checked the artifact that gets deployed and all intended files are there.
What am I missing here?
In the public folder, add a .nojekyll file.
Then in package.json add:
"deploy": "gh-pages -d dist -t true"
Then run these commands:
yarn generate
yarn deploy
This .nojekyll file will be copied into the dist folder.
I'm using a Nuxt app, but it's the same idea.
Thanks.

github action with docker makes error "exporting to image 403 forbidden error"

name: CI/CD Docker
on:
  push:
    branches: [main]
env:
  DOCKER_IMAGE: ghcr.io/${{ github.actor }}/github-actions-auto
  VERSION: ${{ github.sha }}
  NAME: go_cicd
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      # checkout from the github repository
      - uses: actions/checkout@v2
      - name: Set up docker buildx
        id: buildx
        uses: docker/setup-buildx-action@v1
      - name: Cache docker layers
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ env.VERSION }}
          restore-keys: |
            ${{ runner.os }}-buildx-
      - name: Login to ghcr
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v2
        with:
          builder: ${{ steps.buildx.outputs.name }}
          push: true
          tags: ${{ env.DOCKER_IMAGE }}:latest
  deploy:
    needs: build
    name: Deploy
    runs-on: [self-hosted, label-go]
    steps:
      - name: Login to ghcr
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Docker run
        run: |
          docker stop ${{ env.NAME }} && docker rm ${{ env.NAME }} && docker rmi ${{ env.DOCKER_IMAGE }}:latest
          docker run -d -p 8080:80 --name go_cicd --restart always ${{ env.DOCKER_IMAGE }}:latest
This is our Dockerfile. If I push code to the main branch, this CI/CD pipeline works well. But when my partner pushes code to the main branch, it makes a 403 forbidden error. I don't know how to solve this problem... How do I solve this error?
This is the error message in GitHub Actions.
Adding the below permissions to the build job fixed this issue for me. I am not sure it will work for anyone, but this question was the first I found when looking for a solution. Hopefully it can help future people:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      packages: write
This was taken from this answer: https://stackoverflow.com/a/71438011/14387852
For anyone stumbling upon this in the future, here's what you need to make the pre-built GitHub Actions that push a Docker image to an Azure web app work:
jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
You need to add the content given below the permissions part.
Reference: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#publishing-a-package-using-an-action
To make this work for me, I had to allow the repository to write to the package. You would do that at this link:
https://github.com/users/${username}/packages/container/#{repo}/settings
There should be a section there, "Manage Actions access", where you can add the repository.
Follow these steps to fix this issue.
https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-default-github_token-permissions
In my case, it was fixed by adding the driver and install properties.
- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v1
  with:
    driver: docker
    install: true

GitHub Actions Deployment building with errors

My GitHub Actions workflow completes successfully, but when I go to my website all I see is a blank white page. From the Chrome dev tools I check the console and I see this error:
react-dom.production.min.js:216 Error: accountId is required
at Z (brightcove-react-player-loader.es.js:950)
at Q (brightcove-react-player-loader.es.js:1061)
at X (brightcove-react-player-loader.es.js:1126)
at r.o.loadPlayer (brightcove-react-player-loader.es.js:1350)
at r.o.componentDidMount (brightcove-react-player-loader.es.js:1519)
at hu (react-dom.production.min.js:219)
at As (react-dom.production.min.js:259)
at t.unstable_runWithPriority (scheduler.production.min.js:18)
at Ha (react-dom.production.min.js:122)
at Ts (react-dom.production.min.js:252)
uu @ react-dom.production.min.js:216
The following is my YAML file, which creates a .env file including the Brightcove ID, but it isn't getting the ID from the .env for some reason...
# This is a basic workflow to help you get started with Actions
name: Deploy React Dev
# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the master branch
  push:
    branches: [ development ]
  pull_request:
    branches: [ development ]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
env:
  REACT_APP_BRIGHTCOVE_ID: ${{ secrets.REACT_APP_BRIGHTCOVE_ID }}
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  build:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./app
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2.3.4
      # Create .env
      - name: Create env file
        run: |
          touch .env
          echo REACT_APP_AUTH0_DOMAIN=${{ secrets.REACT_APP_AUTH0_DOMAIN }} >> .env
          echo REACT_APP_AUTH0_CLIENT_ID=${{ secrets.REACT_APP_AUTH0_CLIENT_ID }} >> .env
          echo REACT_APP_AUTH0_AUDIENCE=${{ secrets.REACT_APP_AUTH0_AUDIENCE }} >> .env
          echo REACT_APP_VIDEO_URL=${{ secrets.REACT_APP_VIDEO_URL }} >> .env
          echo REACT_APP_STORE_NAME=${{ secrets.REACT_APP_STORE_NAME }} >> .env
          echo REACT_APP_PAYPAL_CLIENT_ID=${{ secrets.REACT_APP_PAYPAL_CLIENT_ID }} >> .env
          echo REACT_APP_HASURA_GRAPHQL_ENDPOINT=${{ secrets.REACT_APP_HASURA_GRAPHQL_ENDPOINT }} >> .env
          echo REACT_APP_BRIGHTCOVE_ID=${{ secrets.REACT_APP_BRIGHTCOVE_ID }} >> .env
          echo HASURA_GRAPHQL_ADMIN_SECRET=${{ secrets.HASURA_GRAPHQL_ADMIN_SECRET }} >> .env
      # Set up Node JS
      - uses: actions/setup-node@master
        with:
          node-version: '16.x'
          cache: 'yarn'
          cache-dependency-path: app/yarn.lock
      # Use cached node_modules directory
      - uses: actions/cache@v2
        with:
          path: '**/node_modules'
          key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
      # Install & build
      - run: yarn install
      - run: yarn build
      # Upload artifact
      - name: Upload artifact
        uses: actions/upload-artifact@v2
        with:
          name: webapp
          path: app/build
  deploy:
    runs-on: ubuntu-latest
    environment: Orange Develop
    needs: build
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v2
        with:
          name: webapp
      # Deploy webapp to Orange server
      - name: SCP deployment to Orange
        uses: appleboy/scp-action@master
        with:
          host: ${{ secrets.FTP_HOST }}
          username: ${{ secrets.FTP_USER }}
          key: ${{ secrets.FTP_KEY }}
          source: '.'
          target: '/opt/media-exchange/app/build'
          rm: true
Found the answer in this Stack Overflow question: https://stackoverflow.com/a/66929604/14502018
I needed to set the environment that my secrets are stored in.
Inside the build job I added this line:
build:
  runs-on: ubuntu-latest
  environment: Orange Develop #MISSING LINE

Can't connect to my backend when running Cypress on Github Actions

I have a React app that I'm testing with Cypress. I then have a separate backend running on graphql-yoga. Everything works fine locally, and testing with Cypress also works flawlessly.
But now I'm trying to use GitHub Actions for the first time, and I have created a job to get my backend, start it, get my frontend and run Cypress. I have a console log with 'Server running on port ...' on my server, and I see it when the job runs, but Cypress still isn't connecting to my backend and I have no clue why. All Cypress tests but one are failing. The only test that isn't failing is one I created just to make sure the backend isn't sending any response. I don't see any errors/warnings related to it.
Here's my workflow file:
name: CI
# Controls when the action will run.
on:
  # Triggers the workflow on push or pull request events but only for the master branch
  push:
    branches: [master]
  pull_request:
    branches: [master]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
jobs:
  cypress:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout backend repo
        uses: actions/checkout@v2
        with:
          repository: ****/****
          token: ${{ secrets.REPO_TOKEN }}
          path: backend
      - name: Set up Nodejs ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install backend dependencies
        working-directory: ./backend
        run: npm install
      - name: Run backend
        working-directory: ./backend
        run: node server.js &
        env:
          APP_SECRET: ${{ secrets.BE_APP_SECRET }}
          FIREBASE_SERVER_KEY: ${{ secrets.BE_FIREBASE_SERVER_KEY }}
          CLOUDINARY_SECRET: ${{ secrets.BE_CLOUDINARY_SECRET }}
          CLOUDINARY_KEY: ${{ secrets.BE_CLOUDINARY_KEY }}
          NODE_ENV: ${{ secrets.BE_NODE_ENV }}
          DATABASE_URL: ${{ secrets.BE_DATABASE_URL }}
      - name: Checkout frontend repository
        uses: actions/checkout@v2
      - name: Install dependencies
        run: npm install
      - name: Run Cypress tests
        uses: cypress-io/github-action@v2
        with:
          start: npm start
          wait-on: 'http://localhost:3000'
          config: baseUrl=http://localhost:3000
        env:
          REACT_APP_FIREBASE_API_KEY: ${{ secrets.REACT_APP_FIREBASE_API_KEY }}
          REACT_APP_NODE_ENV: test
Any ideas what the problem might be?
Thanks in advance!