Permissions issues when rsync from GitHub Actions

Time:11-29

I set up a GitHub Actions workflow which connects to my Linux production machine via SSH using an RSA keypair (the setup looks a bit like this tutorial, except I'm trying to create a dedicated Linux user for that, which looks to me like good practice here).

On my Linux machine, I did:

  • created a dedicated user github with its RSA keypair
  • made the github user part of the group www-data
  • changed the permissions of the web projects folder recursively to 772 (users in the www-data group can read, write and execute)

On the GitHub repo side I set up the secrets SSH_PRIVATE_KEY, SSH_HOST and SSH_USER (which is github).

The GitHub Actions workflow file (the interesting steps of the workflow) looks like this:

  - name: Install SSH key
    uses: shimataro/ssh-key-action@v2
    with:
      key: ${{ secrets.SSH_PRIVATE_KEY }}
      name: id_rsa
      known_hosts: ${{ secrets.SSH_HOST }}

  - name: Adding known hosts
    run: ssh-keyscan -H ${{ secrets.SSH_HOST }}  >> ~/.ssh/known_hosts

  - name: Copy repository to server with rsync
    run: rsync -avz ./ ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }}:/home/www/my_project/ --usermap=github:www-data

When I rsync the project folder with the github user and its keypair from my local machine's project folder to /home/www/my_project/ on my production server just for a test, everything works fine.

However, when I push to the repo and the GitHub Actions workflow is executed, the rsync step fails on many files of my project with the following error: rsync: [generator] failed to set times on "/home/www/my_project/app/templates/en": Operation not permitted (1)

Why?

CodePudding user response:

After a few tries comparing the permissions of the overwritten files on the server before and after rsync, I found out that the files copied from the repo by GitHub Actions didn't have the group write permission anymore, so they couldn't be overwritten anymore.

So we just need to set the owner, group, file permissions and directory permissions of the copied files while copying, so that they keep exactly the same rights they had before rsync. We set directory (D) and file (F) permissions for group www-data to rwx so that users from the www-data group can overwrite them later. All in all the rsync step becomes:

- name: Copy repository to server with rsync
  run: rsync -avz --chown=github:www-data --chmod=Dg=rwx,Fg=rwx ./ ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }}:/home/www/my_project/

Hope that can be of some help to someone else!
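The diagnosis in this answer (compare ownership and group-write bits on the target tree before and after a deploy) can be turned into a small pre-deploy audit, and the effect of the --chmod spec can be previewed before running rsync. The following is an added example, not code from the question, the answer or rsync itself. It assumes a constructed sample tree in a temporary directory standing in for /home/www/my_project/, with the current user standing in for the github deploy user; the --chmod parser is a simplified reimplementation of rsync's mini-language (D/F prefix, who=+-perms) that ignores umask handling, which is an assumption rather than rsync's exact behaviour.

```python
import os
import stat
import tempfile

# Who-letters and permission letters of rsync's --chmod mini-language.
_WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
_PERM = {"r": 0o444, "w": 0o222, "x": 0o111}


def apply_chmod_spec(mode, spec, is_dir):
    """Apply an rsync-style --chmod spec such as "Dg=rwx,Fg=rwx" to a mode.

    A leading D restricts the clause to directories, F to regular files.
    Simplification (assumption): a clause without who-letters is treated
    as 'a', and no umask is applied.
    """
    mode &= 0o7777
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        if clause[0] in "DF":
            if (clause[0] == "D") != is_dir:
                continue  # clause does not apply to this entry type
            clause = clause[1:]
        i = 0
        while i < len(clause) and clause[i] in _WHO:
            i += 1
        if i >= len(clause) or clause[i] not in "=+-":
            raise ValueError("bad --chmod clause: %r" % clause)
        who, op, perms = clause[:i] or "a", clause[i], clause[i + 1:]
        who_mask = 0
        for ch in who:
            who_mask |= _WHO[ch]
        perm_mask = 0
        for ch in perms:
            perm_mask |= _PERM[ch]
        bits = who_mask & perm_mask
        if op == "=":
            mode = (mode & ~who_mask) | bits
        elif op == "+":
            mode |= bits
        else:
            mode &= ~bits
    return mode


def classify_entry(mode, uid, gid, deploy_uid, deploy_gid):
    """Reasons an rsync run as deploy_uid/deploy_gid would stumble on an
    existing entry with this mode, owner and group."""
    problems = []
    if uid != deploy_uid:
        # Setting explicit timestamps (utimensat) requires owning the entry
        # or CAP_FOWNER, so a non-root deploy user gets EPERM here: this is
        # the "failed to set times ... Operation not permitted" symptom.
        problems.append("not-owner")
    if gid != deploy_gid:
        problems.append("wrong-group")
    elif not mode & stat.S_IWGRP:
        # Same group, but the group write bit is gone: the answer's finding.
        problems.append("no-group-write")
    return problems


def audit_tree(root, deploy_uid, deploy_gid):
    """Walk root and map each problematic path (relative) to its problems."""
    report = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            problems = classify_entry(stat.S_IMODE(st.st_mode), st.st_uid,
                                      st.st_gid, deploy_uid, deploy_gid)
            if problems:
                report[os.path.relpath(path, root)] = problems
    return report


def demo():
    """Build a constructed sample tree and audit it as the current user."""
    root = tempfile.mkdtemp(prefix="deploy-audit-")
    os.chmod(root, 0o775)
    app = os.path.join(root, "app")
    os.mkdir(app)
    os.chmod(app, 0o775)
    page = os.path.join(app, "index.html")
    with open(page, "w") as fh:
        fh.write("<h1>constructed sample</h1>\n")
    os.chmod(page, 0o644)  # what a plain checkout typically yields: no g+w
    # The current user plays the deploy user; the tree's own gid is used so
    # the result does not depend on setgid parents of the temp directory.
    return audit_tree(root, os.getuid(), os.lstat(root).st_gid)


if __name__ == "__main__":
    for rel, problems in sorted(demo().items()):
        print("%s: %s" % (rel, ", ".join(problems)))
    print("file 0644 after Dg=rwx,Fg=rwx -> %o"
          % apply_chmod_spec(0o644, "Dg=rwx,Fg=rwx", is_dir=False))
    print("dir  0755 after Dg=rwx,Fg=rwx -> %o"
          % apply_chmod_spec(0o755, "Dg=rwx,Fg=rwx", is_dir=True))
```

Run against the real target directory with the deploy user's uid and the www-data gid, the audit lists exactly the entries that a non-root rsync cannot update in place, which is the information the trial-and-error comparison above had to recover by hand.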

CodePudding user response:

The first test to do is to check whether your secrets.SSH_HOST is actually reachable from a GitHub Cloud runner:

run: curl -v telnet://${{ secrets.SSH_HOST }}:443

(assuming here an HTTPS URL, but replace the 443 port by one relevant to your URL)

Since the connection seems to work, try the same rsync using a GitHub Action instead of a direct run, for instance Rsync Deployments Action:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: rsync deployments
      uses: burnett01/[email protected]
      with:
        switches: -avzr --delete
        path: ./
        remote_path: /home/www/my_project/
        remote_host: ${{ secrets.SSH_HOST }}
        remote_user: ${{ secrets.SSH_USER }}
        remote_key: ${{ secrets.DEPLOY_KEY }}

Check the -avzt --delete options first, to make sure they are a good fit for your use-case.
