From b0e009d606a41098d3b3998523815c905774452d Mon Sep 17 00:00:00 2001
From: Mark <162816078+markashton480@users.noreply.github.com>
Date: Tue, 17 Mar 2026 16:56:45 +0000
Subject: [PATCH] Migrate deploy workflow to OpenBao SSH CA

---
 .gitea/workflows/ci.yml | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 3f40cb5..afae007 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -215,12 +215,34 @@ jobs:
   deploy:
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-    runs-on: deploy
+    runs-on:
+      - ubuntu-latest
+      - agent-workspace
+    env:
+      BAO_TOKEN_FILE: /run/openbao-agent-ci_runner/token
     steps:
+      - name: Configure SSH via OpenBao CA
+        shell: bash
+        run: |
+          set -euo pipefail
+          : "${OPENBAO_ADDR:?OPENBAO_ADDR must be set by the runner environment}"
+          mkdir -p ~/.ssh && chmod 700 ~/.ssh
+          ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N "" -q
+          BAO_TOKEN="$(<"$BAO_TOKEN_FILE")"
+          SIGNED_KEY=$(curl -fsS \
+            -H "X-Vault-Token: $BAO_TOKEN" \
+            -H "X-Vault-Request: true" \
+            -X POST \
+            -d "{\"public_key\": \"$(cat ~/.ssh/id_ed25519.pub)\", \"valid_principals\": \"${{ vars.DEPLOY_USER }}\"}" \
+            "${OPENBAO_ADDR}/v1/ssh/sign/${{ vars.DEPLOY_SSH_ROLE }}" \
+            | jq -r '.data.signed_key')
+          [ -n "$SIGNED_KEY" ] && [ "$SIGNED_KEY" != "null" ] \
+            || { echo "ERROR: failed to sign SSH key via OpenBao CA" >&2; exit 1; }
+          printf '%s\n' "$SIGNED_KEY" > ~/.ssh/id_ed25519-cert.pub
+          unset BAO_TOKEN SIGNED_KEY
+
+      - name: Add deploy host to known_hosts
+        run: ssh-keyscan -H "${{ vars.DEPLOY_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null
+
       - name: Deploy to lintel-prod-01
-        uses: appleboy/ssh-action@v1
-        with:
-          host: ${{ secrets.PROD_SSH_HOST }}
-          username: deploy
-          key: ${{ secrets.PROD_SSH_KEY }}
-          script: bash /srv/sum/nohype/app/deploy/deploy.sh
+        run: ssh "${{ vars.DEPLOY_USER }}@${{ vars.DEPLOY_HOST }}" "bash /srv/sum/nohype/app/deploy/deploy.sh"

-- 
2.49.1
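Review bot: The "Add deploy host to known_hosts" step re-learns the host key from the network on every run (`ssh-keyscan -H "${{ vars.DEPLOY_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null`), so host-key checking in the following `ssh` cannot detect a substituted deploy host, and a keyscan failure is silent because stderr is discarded and the exit status is never checked. Since the commit already provisions an OpenBao SSH CA, pin the host instead: keep the host's public-key line (or an `@cert-authority` line for a host CA) as a repository variable and write it with `printf '%s\n' "<pinned known_hosts line>" >> ~/.ssh/known_hosts`, and add `-o BatchMode=yes` to the deploy `ssh` so a mismatch fails instead of prompting. In the signing step the token travels on the curl command line (`-H "X-Vault-Token: $BAO_TOKEN"`), which makes it readable in the process list for the duration of the request; reading that header from a file or via `--config` keeps it out of argv. The unencrypted `~/.ssh/id_ed25519` and its certificate are also left on the `agent-workspace` runner after the job, so a final `if: always()` step that removes them would bound their lifetime to the run. The deploy job appears to continue past the end of the hunk, so a later cleanup step may already exist there.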