사진 추가 #172
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: deploy-mori-soc | |
| on: | |
| push: | |
| branches: [main] | |
| workflow_dispatch: | |
| jobs: | |
| deploy: | |
| runs-on: ubuntu-latest | |
| env: | |
| DEPLOY_PATH: /backup/rmstudio/mori | |
| DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} | |
| DEPLOY_PORT: ${{ secrets.DEPLOY_PORT }} | |
| DEPLOY_USER: ${{ secrets.DEPLOY_USER }} | |
| steps: | |
| # 배포 시크릿이 설정되지 않은 저장소(포크/데모)에서는 전체 스킵 → job 초록. | |
| # 시크릿은 job-level if 에서 참조 불가하므로 첫 스텝에서 게이트를 만든다. | |
| - name: Check deploy secret configured | |
| id: guard | |
| run: | | |
| if [ -z "${{ secrets.DEPLOY_SSH_KEY }}" ]; then | |
| echo "::notice::DEPLOY_SSH_KEY is not configured — skipping deploy (expected on unconfigured repos)." | |
| echo "run=false" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "run=true" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Checkout | |
| if: steps.guard.outputs.run == 'true' | |
| uses: actions/checkout@v4 | |
| - name: Start SSH agent | |
| if: steps.guard.outputs.run == 'true' | |
| uses: webfactory/ssh-agent@v0.9.0 | |
| with: | |
| ssh-private-key: ${{ secrets.DEPLOY_SSH_KEY }} | |
| - name: Add SSH known hosts | |
| if: steps.guard.outputs.run == 'true' | |
| run: | | |
| mkdir -p ~/.ssh | |
| if [ -n "${{ secrets.DEPLOY_KNOWN_HOSTS }}" ]; then | |
| printf '%s\n' "${{ secrets.DEPLOY_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts | |
| else | |
| ssh-keyscan -p "$DEPLOY_PORT" "$DEPLOY_HOST" >> ~/.ssh/known_hosts | |
| fi | |
| - name: Ensure remote path exists | |
| if: steps.guard.outputs.run == 'true' | |
| run: ssh -p "$DEPLOY_PORT" "$DEPLOY_USER@$DEPLOY_HOST" "mkdir -p '$DEPLOY_PATH'" | |
| - name: Sync repository | |
| if: steps.guard.outputs.run == 'true' | |
| run: | | |
| rsync -az --delete \ | |
| --exclude '.git/' \ | |
| --exclude '.env' \ | |
| --exclude 'certs/' \ | |
| --exclude 'reports/' \ | |
| --exclude 'config/wazuh_indexer_ssl_certs/' \ | |
| ./ "$DEPLOY_USER@$DEPLOY_HOST:$DEPLOY_PATH/" | |
| - name: Upload deployment env | |
| if: steps.guard.outputs.run == 'true' | |
| env: | |
| DEPLOY_ENV_FILE: ${{ secrets.DEPLOY_ENV_FILE }} | |
| run: | | |
| printf '%s' "$DEPLOY_ENV_FILE" | \ | |
| ssh -p "$DEPLOY_PORT" "$DEPLOY_USER@$DEPLOY_HOST" "cat > '$DEPLOY_PATH/.env'" | |
| - name: Run remote deploy | |
| if: steps.guard.outputs.run == 'true' | |
| run: | | |
| ssh -p "$DEPLOY_PORT" "$DEPLOY_USER@$DEPLOY_HOST" <<EOF | |
| set -e | |
| cd "$DEPLOY_PATH" | |
| mkdir -p certs reports config/wazuh_indexer_ssl_certs | |
| if [ ! -f config/wazuh_indexer_ssl_certs/root-ca.pem ]; then | |
| docker compose -f generate-indexer-certs.yml run --rm generator | |
| fi | |
| docker compose pull | |
| docker compose up -d --remove-orphans | |
| docker compose ps | |
| EOF |