fix: use env var for vault password to avoid interpolation issues #6
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Ansible Deployment | |
| on: | |
| push: | |
| branches: [master, lab06] | |
| paths: | |
| - 'ansible/**' | |
| - '!ansible/docs/**' | |
| - '.github/workflows/ansible-deploy.yml' | |
| pull_request: | |
| branches: [master] | |
| paths: | |
| - 'ansible/**' | |
| - '.github/workflows/ansible-deploy.yml' | |
| jobs: | |
| lint: | |
| name: Ansible Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Install Ansible and ansible-lint | |
| run: pip install ansible ansible-lint | |
| - name: Write vault password | |
| env: | |
| VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} | |
| run: printf '%s' "$VAULT_PASS" > ansible/.vault_pass | |
| - name: Run ansible-lint | |
| run: | | |
| cd ansible | |
| ansible-lint playbooks/provision.yml playbooks/deploy.yml playbooks/site.yml | |
| - name: Cleanup | |
| if: always() | |
| run: rm -f ansible/.vault_pass | |
| deploy: | |
| name: Deploy Application | |
| needs: lint | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/master' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Install Ansible | |
| run: pip install ansible | |
| - name: Install collections | |
| run: ansible-galaxy collection install community.docker community.general | |
| - name: Configure SSH | |
| run: | | |
| mkdir -p ~/.ssh | |
| printf '%s' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa | |
| chmod 600 ~/.ssh/id_rsa | |
| ssh-keyscan -H "${{ secrets.VM_HOST }}" >> ~/.ssh/known_hosts | |
| - name: Write vault password | |
| env: | |
| VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} | |
| run: printf '%s' "$VAULT_PASS" > /tmp/vault_pass | |
| - name: Deploy | |
| run: | | |
| cd ansible | |
| ansible-playbook playbooks/deploy.yml --vault-password-file /tmp/vault_pass | |
| - name: Cleanup vault pass | |
| if: always() | |
| run: rm -f /tmp/vault_pass | |
| - name: Verify health | |
| run: sleep 10 && curl -f "http://${{ secrets.VM_HOST }}:5000/health" |