如何通过 SSH 从 Github Action 执行命令到白名单服务器?
How to execute command from Github Action via SSH into whitelisted server?
我在尝试使用 Github 操作将 CI/CD 应用到我们的项目时遇到了问题。服务器有防火墙只允许访问列出的 ip。
我找到了使用Github meta api https://api.github.com/meta的方法,但他们拒绝申请。
还有其他方法可以应用吗?
我们现在的ci.yml
name: remote ssh
on:
push:
branches: [ master ]
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: execute ssh command via using private key
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.REMOTE_HOST }}
username: ${{ secrets.REMOTE_USER }}
key: ${{ secrets.CICD_SSH_KEY }}
port: ${{ secrets.PORT }}
script:
pwd
就我而言,我使用 OpenVPN 访问服务器。
关于安全。我认为您不应该将文件 VPN 配置加载到 Git.
这是我的配置文件。
name: remote ssh command to deploy
on:
push:
branches: [ master ]
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Install Open VPN
run: |
sudo apt-get install openvpn
echo "${{ secrets.VPN_FILE }}" > .github/vpn/config.ovpn
- name: Connect VPN
uses: golfzaptw/action-connect-ovpn@master
id: connect_vpn
with:
PING_URL: ${{ secrets.REMOTE_HOST }}
FILE_OVPN: '.github/vpn/config.ovpn'
env:
CA_CRT: ${{ secrets.CA_CRT}}
USER_CRT: ${{ secrets.USER_CRT }}
USER_KEY: ${{ secrets.USER_KEY }}
- name: Check Connect VPN
run: echo ${{ steps.connect_vpn.outputs.STATUS }}
- name: Execute ssh command via using private key
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.REMOTE_HOST }}
username: ${{ secrets.REMOTE_USER }}
key: ${{ secrets.CICD_SSH_KEY }}
port: ${{ secrets.PORT }}
script: |
pwd
cd ${{ secrets.REMOTE_TARGET }}
git pull
- name: kill vpn
if: always()
run: sudo killall openvpn
关注https://github.com/marketplace/actions/connect-vpn#Example-prepare-file-.ovpn:
复制标签内的数据进行base64编码,然后保存到secret env github actions
删除标签并替换为 ca ca.crt cert user.crt key user.key
我在尝试使用 Github 操作将 CI/CD 应用到我们的项目时遇到了问题。服务器有防火墙只允许访问列出的 ip。
我找到了使用Github meta api https://api.github.com/meta的方法,但他们拒绝申请。
还有其他方法可以应用吗?
我们现在的ci.yml
name: remote ssh
on:
push:
branches: [ master ]
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: execute ssh command via using private key
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.REMOTE_HOST }}
username: ${{ secrets.REMOTE_USER }}
key: ${{ secrets.CICD_SSH_KEY }}
port: ${{ secrets.PORT }}
script:
pwd
就我而言,我使用 OpenVPN 访问服务器。
关于安全。我认为您不应该将文件 VPN 配置加载到 Git.
这是我的配置文件。
name: remote ssh command to deploy
on:
push:
branches: [ master ]
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Install Open VPN
run: |
sudo apt-get install openvpn
echo "${{ secrets.VPN_FILE }}" > .github/vpn/config.ovpn
- name: Connect VPN
uses: golfzaptw/action-connect-ovpn@master
id: connect_vpn
with:
PING_URL: ${{ secrets.REMOTE_HOST }}
FILE_OVPN: '.github/vpn/config.ovpn'
env:
CA_CRT: ${{ secrets.CA_CRT}}
USER_CRT: ${{ secrets.USER_CRT }}
USER_KEY: ${{ secrets.USER_KEY }}
- name: Check Connect VPN
run: echo ${{ steps.connect_vpn.outputs.STATUS }}
- name: Execute ssh command via using private key
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.REMOTE_HOST }}
username: ${{ secrets.REMOTE_USER }}
key: ${{ secrets.CICD_SSH_KEY }}
port: ${{ secrets.PORT }}
script: |
pwd
cd ${{ secrets.REMOTE_TARGET }}
git pull
- name: kill vpn
if: always()
run: sudo killall openvpn
关注https://github.com/marketplace/actions/connect-vpn#Example-prepare-file-.ovpn:
复制标签内的数据进行base64编码,然后保存到secret env github actions
删除标签并替换为 ca ca.crt cert user.crt key user.key