Add CI/CD workflow for lint, security scan, and deploy
This commit is contained in:
@@ -0,0 +1,60 @@
|
|||||||
|
name: Deploy
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: [main]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
lint:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- name: Validate JSON
|
||||||
|
run: python3 -c "import json; json.load(open('xray-config.json'))"
|
||||||
|
- name: Validate YAML
|
||||||
|
run: python3 -c "import yaml; yaml.safe_load(open('clash-meta.yaml'))" || python3 -c "
|
||||||
|
import sys
|
||||||
|
with open('clash-meta.yaml') as f:
|
||||||
|
content = f.read()
|
||||||
|
# basic YAML check - ensure it parses
|
||||||
|
import importlib
|
||||||
|
yaml = importlib.import_module('yaml') if importlib.util.find_spec('yaml') else None
|
||||||
|
if yaml:
|
||||||
|
yaml.safe_load(content)
|
||||||
|
else:
|
||||||
|
print('PyYAML not available, skipping YAML validation')
|
||||||
|
"
|
||||||
|
|
||||||
|
security:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- name: Check for secrets
|
||||||
|
run: |
|
||||||
|
FOUND=0
|
||||||
|
# Check for private keys
|
||||||
|
if grep -rE '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' --include='*.json' --include='*.yaml' --include='*.yml' --include='*.md' .; then
|
||||||
|
echo "ERROR: Private key found in repo"
|
||||||
|
FOUND=1
|
||||||
|
fi
|
||||||
|
# Check for passwords/tokens in plain text
|
||||||
|
if grep -riE '(password|secret|token)\s*[:=]\s*["\x27]?[a-zA-Z0-9+/]{20,}' --include='*.json' --include='*.yaml' --include='*.yml' . | grep -v 'privateKey\|public-key'; then
|
||||||
|
echo "WARNING: Possible secret found"
|
||||||
|
FOUND=1
|
||||||
|
fi
|
||||||
|
exit $FOUND
|
||||||
|
|
||||||
|
deploy:
|
||||||
|
needs: [lint, security]
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- name: Deploy xray config
|
||||||
|
env:
|
||||||
|
VPS_SSH_KEY: ${{ secrets.VPS_SSH_KEY }}
|
||||||
|
run: |
|
||||||
|
mkdir -p ~/.ssh
|
||||||
|
echo "$VPS_SSH_KEY" > ~/.ssh/id_ed25519
|
||||||
|
chmod 600 ~/.ssh/id_ed25519
|
||||||
|
ssh-keyscan -H 158.101.140.85 >> ~/.ssh/known_hosts 2>/dev/null
|
||||||
|
scp xray-config.json jimmyg@158.101.140.85:/tmp/xray-config.json
|
||||||
|
ssh jimmyg@158.101.140.85 "sudo cp /tmp/xray-config.json /usr/local/etc/xray/config.json && sudo systemctl restart xray"
|
||||||
Reference in New Issue
Block a user