chahine/rebreak-monorepo
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

refactor(deploy-staging): HETZNER_HOST/USER von secrets zu vars

Browse Source 
Hostname (staging.rebreak.org) und User (root) sind keine echten Secrets —
public DNS bzw. in Doku schon erwähnt. Variables sichtbar in Logs erleichtert
Debug (siehe DNS-Fail mit "getaddrinfo ***" — bei vars wäre der konkrete
Wert lesbar gewesen).

Aufteilung jetzt:
- HETZNER_SSH_KEY → secret (sensitive: Server-Root-Zugang)
- HETZNER_HOST    → var (public DNS)
- HETZNER_USER    → var (in Doku)

Plus echo des Host-Werts in Setup-SSH-Step für Debug-Visibility.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
chahinebrini 2026-05-07 20:32:34 +02:00
parent 072efa06e8
commit def21a220d
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
.github/workflows/deploy-staging.yml vendored
View File

@ -82,12 +82,13 @@ jobs:
- name: Setup SSH - name: Setup SSH
env: env:
SSH_PRIVATE_KEY: ${{ secrets.HETZNER_SSH_KEY }} SSH_PRIVATE_KEY: ${{ secrets.HETZNER_SSH_KEY }}
SSH_HOST: ${{ secrets.HETZNER_HOST }} SSH_HOST: ${{ vars.HETZNER_HOST }}
run: | run: |
if [ -z "$SSH_PRIVATE_KEY" ] || [ -z "$SSH_HOST" ]; then if [ -z "$SSH_PRIVATE_KEY" ] || [ -z "$SSH_HOST" ]; then
echo "FATAL: HETZNER_SSH_KEY oder HETZNER_HOST nicht gesetzt" echo "FATAL: HETZNER_SSH_KEY (secret) oder HETZNER_HOST (var) nicht gesetzt"
exit 1 exit 1
fi fi
echo "Deploying to host: $SSH_HOST"
mkdir -p ~/.ssh mkdir -p ~/.ssh
printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519 printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519
@ -95,16 +96,16 @@ jobs:
- name: Upload artifact zu Hetzner - name: Upload artifact zu Hetzner
env: env:
SSH_HOST: ${{ secrets.HETZNER_HOST }} SSH_HOST: ${{ vars.HETZNER_HOST }}
SSH_USER: ${{ secrets.HETZNER_USER }} SSH_USER: ${{ vars.HETZNER_USER }}
run: | run: |
scp -i ~/.ssh/id_ed25519 backend-output.tar.gz \ scp -i ~/.ssh/id_ed25519 backend-output.tar.gz \
"$SSH_USER@$SSH_HOST:/srv/rebreak/backend/.output-incoming.tar.gz" "$SSH_USER@$SSH_HOST:/srv/rebreak/backend/.output-incoming.tar.gz"
- name: Server-side deploy (extract + migrate + pm2 restart) - name: Server-side deploy (extract + migrate + pm2 restart)
env: env:
SSH_HOST: ${{ secrets.HETZNER_HOST }} SSH_HOST: ${{ vars.HETZNER_HOST }}
SSH_USER: ${{ secrets.HETZNER_USER }} SSH_USER: ${{ vars.HETZNER_USER }}
run: | run: |
ssh -i ~/.ssh/id_ed25519 "$SSH_USER@$SSH_HOST" \ ssh -i ~/.ssh/id_ed25519 "$SSH_USER@$SSH_HOST" \
'bash /srv/rebreak/scripts/deploy-from-artifact.sh' 'bash /srv/rebreak/scripts/deploy-from-artifact.sh'