Tuesday, September 27, 2022

[FIXED] How to execute command from Github Action via SSH into whitelisted server?

      ,      No comments   

Issue

I met a problem when trying to apply CI/CD into our project using Github Action. The server has the firewall to enable access for a listed ip only.

I have found a method by using Github meta api https://api.github.com/meta but they denied to apply.

Is there any other way to apply this?

Our current ci.yml

name: remote ssh
on:
  push:
    branches: [ master ]

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: execute ssh command via using private key
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.REMOTE_HOST }}
          username: ${{ secrets.REMOTE_USER }}
          key: ${{ secrets.CICD_SSH_KEY }}
          port: ${{ secrets.PORT }}
          script:
            pwd

Solution

In my case, I use an OpenVPN to access to the server.

About security. I think you should not load file VPN config to Git.

This is my config file.

name: remote ssh command to deploy
on:
  push:
    branches: [ master ]

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1

      - name: Install Open VPN
        run: |
          sudo apt-get install openvpn
          echo "${{ secrets.VPN_FILE }}" > .github/vpn/config.ovpn

      - name: Connect VPN
        uses: golfzaptw/action-connect-ovpn@master
        id: connect_vpn
        with:
          PING_URL: ${{ secrets.REMOTE_HOST }}
          FILE_OVPN: '.github/vpn/config.ovpn'
        env:
          CA_CRT: ${{ secrets.CA_CRT}}
          USER_CRT: ${{ secrets.USER_CRT }}
          USER_KEY: ${{ secrets.USER_KEY }}

      - name: Check Connect VPN
        run: echo ${{ steps.connect_vpn.outputs.STATUS }}

      - name: Execute ssh command via using private key
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.REMOTE_HOST }}
          username: ${{ secrets.REMOTE_USER }}
          key: ${{ secrets.CICD_SSH_KEY }}
          port: ${{ secrets.PORT }}
          script: |
            pwd
            cd ${{ secrets.REMOTE_TARGET }}
            git pull

      - name: kill vpn
        if: always()
        run: sudo killall openvpn

Follow https://github.com/marketplace/actions/connect-vpn#Example-prepare-file-.ovpn:

  1. Copy data inside tag to encode base64 after that save to secret env github actions

  2. Remove tag and replace to ca ca.crt cert user.crt key user.key



Answered By - Minh Quan Đức Lương
Answer Checked By - Dawn Plyler (PHPFixing Volunteer)

0 Comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Total Pageviews

Featured Post

Why Learn PHP Programming

Why Learn PHP Programming A widely-used open source scripting language PHP is one of the most popular programming languages in the world. It...