feat: Add pull request workflow with SSH host validation and deployment checks #3
…nt checks

- Created `.github/workflows/pull_request.yml` to handle pull request events on the `main` branch.
- Integrated matrix strategy to test across macOS, Ubuntu, and Windows platforms.
- Added `check.sh` to verify the existence of a populated `known_hosts` file before deployment.
- Added `post_check.sh` to ensure the `known_hosts` file is removed after the job for security.
- Included test deployment of a `whoami` container to validate Docker host setup.
- Utilized `pyTooling/Actions/with-post-step` to streamline pre- and post-check scripts.
- Added support for private SSH keys and `known_hosts` configuration using the custom SSH action.
- Changed `WHOAMI_VERSION` to use the full SHA256 hash instead of a simple version tag.
- Adjusted `docker run` command to reference the updated `$WHOAMI_VERSION` variable.
- Replaced shorthand `-d -P` options with explicit `--detach --publish-all` flags.
- Ensured `${WHOAMI_VERSION}` is used for clarity and consistency in variable referencing.
- Added `mkdir -p` command to create the directory for `SSH_KNOWN_HOSTS_FILE` if it does not exist.
- Prevents errors when attempting to write to a non-existent directory.
- Introduced a conditional step to install Docker on macOS runners.
- Utilized `brew` for Docker installation and `colima` for environment setup.
- Added a pre-setup step for SSH known hosts using a post-check mechanism.
- Updated `check.sh` execution to occur in a dedicated shell step.
- Optimized logic for Docker installation on macOS.
- Added `set -e` to `action.sh` for immediate exit on error.
- Improved log notices for created known hosts files.
- Adjusted conditional checks in `check.sh` and `post_check.sh` to use `[[` for better compatibility.
- Added `chmod 600` to `action.sh` to secure the `known_hosts` file by restricting access permissions.
Renamed the workflow step `Setup post check known hosts` to `Check known hosts` in `.github/workflows/pull_request.yml` for improved clarity and alignment with the task performed by the `check.sh` script.

Removed the default value `rsa` for the `ssh-key-type` input in `action.yml` to ensure explicit specification of key types when using the action. This change allows greater flexibility and avoids assumptions about the default SSH key type.

Moved the `ssh-agent` setup step earlier in the workflow to ensure SSH credentials are available before invoking subsequent scripts. Removed redundant `ssh-agent` step at the end of the workflow to streamline execution.
…yment

• Replaced direct script executions with `sh` for consistency across different environments.
• Introduced `deploy.sh` to encapsulate deployment logic, improving maintainability and reusability.
• Removed inline deployment commands from the workflow to streamline and declutter the YAML file.
• Enhanced readability and consistency across all script invocations in the workflow.
• Replaced inline `exit 0` with a dedicated `noop.sh` script for better modularity and readability.
• Updated workflow configuration to call `noop.sh`, ensuring consistency in no-operation handling.
• Improved maintainability by isolating no-operation logic in a separate file.
• Updated all scripts (`action.sh`, `check.sh`, `deploy.sh`, `post_action.sh`, `post_check.sh`) to use `sh` instead of `bash`.
• Ensured compatibility across environments by replacing bash-specific syntax with POSIX-compliant alternatives.
• Improved maintainability by standardizing the shebang to `#!/usr/bin/env sh`.
• Replaced hardcoded `~/.ssh/known_hosts` with `${HOME}/.ssh/known_hosts` in `check.sh` and `post_check.sh`.
• Ensures compatibility with environments where `$HOME` may differ from the default user directory.
• Maintains clarity and consistency across script file path handling.
05a0fa9 to 9f3e07e
• Defined `SSH_KNOWN_HOSTS_FILE` in `action.sh` to explicitly use `${HOME}/.ssh/known_hosts`.
• Removed hardcoded references to `SSH_KNOWN_HOSTS_FILE` in `action.yml` and ensured dynamic handling in `action.sh`.
• Commented out the removal of `known_hosts` in `post_action.sh` and `post_check.sh` for further review and potential debugging.
• Improved cleanup logic by unsetting `SSH_KNOWN_HOSTS_FILE` in `action.sh` to avoid lingering environment variables.
• Updated `WHOAMI_VERSION` to use the semantic version `v1.10` instead of the hash-based identifier.
• Ensured consistent formatting for ease of understanding and maintainability.
…mline post-cleanup logic

• `deploy.sh`:
  • Parameterized container naming using `${RUNNER_OS}` for clarity in multi-platform scenarios.
  • Added `unset` for `WHOAMI_VERSION` and `CONTAINER_NAME` to ensure no residual environment variables.
• `post_action.sh`:
  • Commented out unnecessary `rm` and related notices, retaining placeholder for future cleanup logic.

These changes improve maintainability, adaptability for diverse environments, and ensure clean execution contexts.
… noop script

`action.sh`:
• Improved SSH keyscan logic to filter comments from known hosts.
• Removed redundant `chmod` as it's handled implicitly.
• Ensured `unset` for `SSH_KNOWN_HOSTS_FILE` for cleanup.

`post_action.sh`:
• Introduced logic to clean up the last entry in `known_hosts`.
• Improved clarity and consistency with explicit `unset` for temporary variables.

`post_check.sh`:
• Added a check to validate `known_hosts` does not retain specific SSH fingerprints post-execution.

`pull_request.yml`:
• Simplified steps by merging noop logic into the post-check script.
• Removed `noop.sh`, ensuring streamlined workflow execution.

These updates enhance security, maintain clean execution contexts, and reduce redundant scripting.
• Defined `SSH_KNOWN_HOSTS_FILE` explicitly in `post_action.sh` for clarity and consistency.
• Maintained existing temporary file logic for truncating the last line from the `known_hosts` file.
• Improved readability by ensuring all required variables are explicitly initialized within the script.
• Replaced `head --lines=-1` with `sed '$ d'` to remove the last line from `SSH_KNOWN_HOSTS_FILE`.
• Ensured compatibility and consistency in processing the `known_hosts` file.
• Simplified command usage while maintaining functionality.
• Removed unnecessary file argument in the `sed` command.
• Ensured the correct syntax is used for processing the `SSH_KNOWN_HOSTS_FILE`.
• Improved reliability and accuracy of the script by properly handling file processing.
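The `known_hosts` lifecycle the commits above describe (`action.sh` appending comment-filtered `ssh-keyscan` output to a `chmod 600` file, `check.sh` gating deployment on a populated file, `post_action.sh` removing the appended entry, `post_check.sh` verifying the host's fingerprint is gone), worked through as an added POSIX sh example. This is example code written for this page, not the PR's own scripts. The host name `deploy.example.invalid` and the key blobs are constructed placeholders standing in for real `ssh-keyscan` output so the script runs offline. The cleanup step deliberately generalises the PR's `sed '$ d'`: it removes exactly as many lines as were appended, because `ssh-keyscan` prints one line per key type the host offers, so dropping a single line can leave fingerprints behind.

```shell
#!/usr/bin/env sh
# Added example (not one of the PR's scripts): populate, check and clean up an
# SSH known_hosts file in POSIX sh, following the stages described in the PR.
#
# Assumption (not from the page): the host name and key blobs below are
# constructed stand-ins for ssh-keyscan output, so everything runs offline.
set -eu

HOST_UNDER_TEST='deploy.example.invalid'

# Constructed sample. ssh-keyscan writes the "# host:22 banner" line to stderr;
# a script that merges stderr into the capture (2>&1) receives it too, which is
# why comment lines are filtered before anything reaches known_hosts.
SAMPLE_KEYSCAN='# deploy.example.invalid:22 SSH-2.0-OpenSSH_9.6
deploy.example.invalid ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXA
deploy.example.invalid ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE
deploy.example.invalid ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEEXAMPLE'

# add_host_keys FILE KEYSCAN_OUTPUT
# Appends every non-comment, non-blank line to FILE. The file is created under
# umask 077 so it never exists with wider permissions, then forced to 0600 in
# case it already existed. Prints how many lines were appended so the caller
# can remove exactly those lines later.
add_host_keys() {
  kh_file=$1
  kh_scan=$2
  mkdir -p "$(dirname "$kh_file")"
  ( umask 077; : >> "$kh_file" )
  chmod 600 "$kh_file"
  kh_before=$(wc -l < "$kh_file")
  printf '%s\n' "$kh_scan" | sed '/^[[:space:]]*#/d; /^[[:space:]]*$/d' >> "$kh_file"
  kh_after=$(wc -l < "$kh_file")
  echo $((kh_after - kh_before))
}

# check_known_hosts FILE -> 0 when the file exists and is non-empty (the gate
# check.sh applies before deployment), 1 otherwise.
check_known_hosts() {
  [ -s "$1" ]
}

# remove_last_lines FILE N
# Drops the last N lines (the ones add_host_keys appended) via a temp file that
# is moved into place, keeping 0600 on the result. N=0 is a no-op.
remove_last_lines() {
  rl_file=$1
  rl_n=$2
  rl_total=$(wc -l < "$rl_file")
  rl_keep=$((rl_total - rl_n))
  rl_tmp=$(mktemp "${rl_file}.XXXXXX")
  if [ "$rl_keep" -gt 0 ]; then
    head -n "$rl_keep" "$rl_file" > "$rl_tmp"
  else
    : > "$rl_tmp"
  fi
  chmod 600 "$rl_tmp"
  mv "$rl_tmp" "$rl_file"
}

# host_absent FILE HOST -> 0 when no line's first field equals HOST, i.e. the
# post_check.sh assertion that the host's fingerprints did not survive the job.
host_absent() {
  awk -v h="$2" '$1 == h { found = 1 } END { exit found ? 1 : 0 }' "$1"
}

# count_host_lines FILE HOST -> number of key lines recorded for HOST.
count_host_lines() {
  awk -v h="$2" '$1 == h { n++ } END { print n + 0 }' "$1"
}

# run_lifecycle: exercises the whole sequence in a throwaway directory and
# returns 0 only if every stage behaves as expected.
run_lifecycle() {
  lc_home=$(mktemp -d)
  lc_file="$lc_home/.ssh/known_hosts"
  lc_added=$(add_host_keys "$lc_file" "$SAMPLE_KEYSCAN")
  [ "$lc_added" -eq 3 ] || return 1                      # comment line dropped
  check_known_hosts "$lc_file" || return 1               # deploy gate passes
  [ "$(count_host_lines "$lc_file" "$HOST_UNDER_TEST")" -eq 3 ] || return 1
  remove_last_lines "$lc_file" "$lc_added"
  host_absent "$lc_file" "$HOST_UNDER_TEST" || return 1  # cleanup verified
  rm -rf "$lc_home"
}

run_lifecycle && echo "known_hosts lifecycle OK"
```

Run it with `sh known_hosts_lifecycle.sh`. Two points matter on a shared runner: the 0600 permission is set before any key material is written, and cleanup removes the recorded number of lines rather than truncating blindly, so entries that were already in `${HOME}/.ssh/known_hosts` before the job survive. Scanning the host at job time still trusts whichever host answers on first contact; comparing the scanned key against a fingerprint pinned in the repository or in a secret is the stronger pattern when the target is known in advance.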