name: Deploy on: push: branches: [main] jobs: lint: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Validate JSON run: python3 -c "import json; json.load(open('xray-config.json'))" - name: Validate YAML run: python3 -c "import yaml; yaml.safe_load(open('clash-meta.yaml'))" security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Check for secrets run: | FOUND=0 # Check for private keys if grep -rE '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' --include='*.json' --include='*.yaml' --include='*.yml' --include='*.md' .; then echo "ERROR: Private key found in repo" FOUND=1 fi # Check for passwords/tokens in plain text if grep -riE '(password|secret|token)\s*[:=]\s*["\x27]?[a-zA-Z0-9+/]{20,}' --include='*.json' --include='*.yaml' --include='*.yml' . | grep -v 'privateKey\|public-key'; then echo "WARNING: Possible secret found" FOUND=1 fi exit $FOUND deploy: needs: [lint, security] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Deploy xray config env: VPS_SSH_KEY: ${{ secrets.VPS_SSH_KEY }} run: | mkdir -p ~/.ssh echo "$VPS_SSH_KEY" > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 ssh-keyscan -H 158.101.140.85 >> ~/.ssh/known_hosts 2>/dev/null scp xray-config.json jimmyg@158.101.140.85:/tmp/xray-config.json ssh jimmyg@158.101.140.85 "sudo cp /tmp/xray-config.json /usr/local/etc/xray/config.json && sudo systemctl restart xray"