CI: fix accepting ns.testrun.org SSH Host Key #819
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: deploy on staging2.testrun.org, and run tests | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
paths-ignore: | |
- 'scripts/**' | |
- '**/README.md' | |
- 'CHANGELOG.md' | |
- 'LICENSE' | |
jobs: | |
deploy: | |
name: deploy on staging2.testrun.org, and run tests | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
concurrency: | |
group: ci-${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: ${{ !contains(github.ref, '$GITHUB_REF') }} | |
steps: | |
- uses: jsok/serialize-workflow-action@v1 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: actions/checkout@v4 | |
- name: prepare SSH | |
run: | | |
mkdir ~/.ssh | |
echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519 | |
chmod 600 ~/.ssh/id_ed25519 | |
ssh-keyscan staging2.testrun.org > ~/.ssh/known_hosts | |
# save previous acme & dkim state | |
rsync -avz root@staging2.testrun.org:/var/lib/acme . || true | |
rsync -avz root@staging2.testrun.org:/etc/dkimkeys . || true | |
# store previous acme & dkim state on ns.testrun.org, if it contains useful certs | |
if [ -f dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys root@ns.testrun.org:/tmp/ || true; fi | |
if [ "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi | |
# make sure CAA record isn't set | |
scp -o StrictHostKeyChecking=accept-new .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging2.testrun.org.zone | |
ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging2.testrun.org.zone | |
ssh root@ns.testrun.org nsd-checkzone staging2.testrun.org /etc/nsd/staging2.testrun.org.zone | |
ssh root@ns.testrun.org systemctl reload nsd | |
- name: rebuild staging2.testrun.org to have a clean VPS | |
run: | | |
curl -X POST \ | |
-H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \ | |
-H "Content-Type: application/json" \ | |
-d '{"image":"debian-12"}' \ | |
"https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_SERVER_ID }}/actions/rebuild" | |
- run: scripts/initenv.sh | |
- name: append venv/bin to PATH | |
run: echo venv/bin >>$GITHUB_PATH | |
- name: upload TLS cert after rebuilding | |
run: | | |
echo " --- wait until staging2.testrun.org VPS is rebuilt --- " | |
rm ~/.ssh/known_hosts | |
while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org id -u ; do sleep 1 ; done | |
ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org id -u | |
# download acme & dkim state from ns.testrun.org | |
rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/acme acme-restore || true | |
rsync -avz root@ns.testrun.org:/tmp/dkimkeys dkimkeys-restore || true | |
# restore acme & dkim state to staging2.testrun.org | |
rsync -avz acme-restore/acme root@staging2.testrun.org:/var/lib/ || true | |
rsync -avz dkimkeys-restore/dkimkeys root@staging2.testrun.org:/etc/ || true | |
ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org chown root:root -R /var/lib/acme || true | |
- name: run formatting checks | |
run: cmdeploy fmt -v | |
- name: run deploy-chatmail offline tests | |
run: pytest --pyargs cmdeploy | |
- run: cmdeploy init staging2.testrun.org | |
- run: cmdeploy run --verbose | |
- name: set DNS entries | |
run: | | |
ssh -o StrictHostKeyChecking=accept-new root@staging2.testrun.org chown opendkim:opendkim -R /etc/dkimkeys | |
cmdeploy dns --zonefile staging-generated.zone --verbose | |
cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone | |
cat .github/workflows/staging.testrun.org-default.zone | |
scp .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging2.testrun.org.zone | |
ssh root@ns.testrun.org nsd-checkzone staging2.testrun.org /etc/nsd/staging2.testrun.org.zone | |
ssh root@ns.testrun.org systemctl reload nsd | |
- name: cmdeploy test | |
run: CHATMAIL_DOMAIN2=nine.testrun.org cmdeploy test --slow | |
- name: cmdeploy dns | |
run: cmdeploy dns -v | |