From 44b73687a3a1c6121bf19e9b002cb3aba41e7fe2 Mon Sep 17 00:00:00 2001 From: "Gan, Jimmy" Date: Sat, 14 Feb 2026 09:37:23 +0800 Subject: [PATCH] Add CI/CD workflow for lint, security scan, and deploy --- .gitea/workflows/deploy.yml | 60 +++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .gitea/workflows/deploy.yml diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml new file mode 100644 index 0000000..4e0ff07 --- /dev/null +++ b/.gitea/workflows/deploy.yml @@ -0,0 +1,60 @@ +name: Deploy +on: + push: + branches: [main] + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Validate JSON + run: python3 -c "import json; json.load(open('xray-config.json'))" + - name: Validate YAML + run: python3 -c "import yaml; yaml.safe_load(open('clash-meta.yaml'))" || python3 -c " +import sys +with open('clash-meta.yaml') as f: + content = f.read() +# basic YAML check - ensure it parses +import importlib +yaml = importlib.import_module('yaml') if importlib.util.find_spec('yaml') else None +if yaml: + yaml.safe_load(content) +else: + print('PyYAML not available, skipping YAML validation') +" + + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Check for secrets + run: | + FOUND=0 + # Check for private keys + if grep -rE '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' --include='*.json' --include='*.yaml' --include='*.yml' --include='*.md' .; then + echo "ERROR: Private key found in repo" + FOUND=1 + fi + # Check for passwords/tokens in plain text + if grep -riE '(password|secret|token)\s*[:=]\s*["\x27]?[a-zA-Z0-9+/]{20,}' --include='*.json' --include='*.yaml' --include='*.yml' . | grep -v 'privateKey\|public-key'; then + echo "WARNING: Possible secret found" + FOUND=1 + fi + exit $FOUND + + deploy: + needs: [lint, security] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Deploy xray config + env: + VPS_SSH_KEY: ${{ secrets.VPS_SSH_KEY }} + run: | + mkdir -p ~/.ssh + echo "$VPS_SSH_KEY" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + ssh-keyscan -H 158.101.140.85 >> ~/.ssh/known_hosts 2>/dev/null + scp xray-config.json jimmyg@158.101.140.85:/tmp/xray-config.json + ssh jimmyg@158.101.140.85 "sudo cp /tmp/xray-config.json /usr/local/etc/xray/config.json && sudo systemctl restart xray"