Added a CI/CD step to verify cryptographic signatures for deployments. Updated SECURITY.md with the new trust model and refined GHA workflows for consistency.
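---
# Deploy: activates the NixOS configurations in this flake with deploy-rs.
# Pushes to `main` deploy every `.system` profile; pushes to a
# `test-<hostname>` branch deploy only that host's `.test` profile.
# Before anything is deployed, the HEAD commit must carry a signature that
# verifies against the keys in the TRUSTED_SIGNERS secret.
name: Deploy

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - 'test-*'
  workflow_dispatch:
    inputs:
      mode:
        description: 'Activation mode (switch, boot, test)'
        default: 'switch'
        required: true
        # NOTE(review): no step below reads `inputs.mode` yet; see the
        # "Manual Deploy" TODO.

# Checkout only needs to read the repository; nothing here writes back.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # NOTE(review): `act-24.04` is a mutable tag; pin by digest if the image
    # contents must be reproducible.
    container: catthehacker/ubuntu:act-24.04
    steps:
      - uses: actions/checkout@v4

      - name: Install Nix
        uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            experimental-features = nix-command flakes

      - name: Setup SSH
        # The private key is passed to the shell through `env:` instead of
        # being expanded with `${{ }}` inside the script, so the secret is
        # never part of the script text the runner assembles and logs.
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        shell: bash
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$DEPLOY_SSH_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # Pre-seed known_hosts with the current host keys of the homelab
          # subnet (hashed). A failed scan must not abort the run.
          ssh-keyscan -H 192.168.0.0/24 >> ~/.ssh/known_hosts || true
          # `accept-new` still trusts a key the first time it is seen (hosts
          # the scan missed) but refuses a connection whose key differs from
          # the one recorded in known_hosts, which `no` would silently allow.
          echo "StrictHostKeyChecking accept-new" >> ~/.ssh/config

      - name: Verify Commit Signature
        # Events whose sender is renovate[bot] skip this check entirely, so
        # such pushes are deployed without a signature.
        if: github.event.sender.login != 'renovate[bot]'
        env:
          TRUSTED_SIGNERS: ${{ secrets.TRUSTED_SIGNERS }}
        shell: bash
        run: |
          # TODO Hugo: Export your public GPG/SSH signing keys to a runner secret named 'TRUSTED_SIGNERS'.
          # For GPG: gpg --export --armor <id> | base64 -w0
          # NOTE(review): only OpenPGP signatures are checked below; SSH-signed
          # commits would additionally need gpg.format=ssh and an
          # allowedSignersFile.

          if [ -z "$TRUSTED_SIGNERS" ]; then
            echo "::error::TRUSTED_SIGNERS secret is missing. Deployment aborted for safety."
            exit 1
          fi

          # Implementation note: This step expects a base64-encoded keyring in
          # the TRUSTED_SIGNERS secret. It is imported into a throw-away
          # GNUPGHOME so that keys already present on a (self-hosted) runner
          # cannot satisfy the check, and nothing is left on disk afterwards.
          GNUPGHOME="$(mktemp -d)"
          export GNUPGHOME
          printf '%s' "$TRUSTED_SIGNERS" | base64 -d | gpg --batch --quiet --import

          # git verifies HEAD against the keyring above; any key outside it
          # fails the check.
          if ! git verify-commit HEAD; then
            echo "::error::Commit signature verification failed. Only signed commits from trusted maintainers can be deployed."
            exit 1
          fi
          echo "Commit signature verified successfully."

      - name: Install deploy-rs
        run: nix profile install github:serokell/deploy-rs

      - name: Deploy to hosts
        # Automatic deployments only; a workflow_dispatch run is handled by
        # the "Manual Deploy" step so a manual run does not deploy twice.
        if: github.event_name == 'push'
        shell: bash
        run: |
          # The ref is read from $GITHUB_REF rather than template-expanded
          # into the script, so it is only ever handled as shell data.
          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
            # Main site: persistent deployment of every `.system` profile.
            deploy . --skip-checks --targets $(deploy . --list | grep '\.system$' | tr '\n' ' ')
          elif [[ "$GITHUB_REF" == refs/heads/test-* ]]; then
            # Test branch: non-persistent deployment (test profile).
            # The branch name must be test-<hostname>.
            TARGET_HOST="${GITHUB_REF#refs/heads/test-}"
            # The suffix becomes a flake attribute path; refuse anything that
            # is not a plain hostname.
            if [[ ! "$TARGET_HOST" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
              echo "::error::Branch suffix '${TARGET_HOST}' is not a valid hostname."
              exit 1
            fi
            deploy ".#${TARGET_HOST}.test" --skip-checks
          fi

      - name: Manual Deploy
        if: github.event_name == 'workflow_dispatch'
        shell: bash
        run: |
          # TODO: Implement manual dispatch logic if needed (inputs.mode is
          # not consumed yet).
          deploy . --skip-checks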