homelab/action-common-setup
0
0
Fork 0
Code Issues 1 Pull requests Releases 8 Activity Actions
action-common-setup/action.yml

127 lines
4.5 KiB
YAML
Raw Permalink Blame History

name: Homelab Common GitHub Actions Setup
description: |
Configure a handful of common required steps for all homelab related tasks.
inputs:
JWK_PASSWORD:
description: Password for provisioning temporary certificates from https://ca.auengun.net
default: ${{ secrets.JWK_PASSWORD }}
SUBMODULE_UPDATE:
description: Whether or not to update submodules after clone.
default: true
runs:
using: "composite"
steps:
- shell: bash
run: |
echo "::group::Starting SSH Agent"
if command -v ssh-agent &> /dev/null; then
ssh_env=$(ssh-agent)
eval $ssh_env
{
printf $ssh_env | grep -v "echo" | xargs -I {} sh -c 'echo "{}" | cut -f "1" -d ";"'
} >> "$GITHUB_ENV"
fi
echo "::endgroup::"
- shell: bash
env:
# renovate: datasource=github-releases depName=smallstep/cli
STEP_VERSION: v0.26.2
run: |
echo "::group::Step CLI"
if ! command -v step &> /dev/null; then
echo "::group::Installing step-cli binary as \`step\`"
mkdir ./step
export STEP_URL="https://github.com/smallstep/cli/releases/download/${STEP_VERSION}/step_linux_${STEP_VERSION##v}_amd64.tar.gz"
if command -v curl &> /dev/null; then
curl -s "$STEP_URL" -L -o - | tar xvz --strip-components=1 -C ./step
elif command -v wget &> /dev/null; then
wget -qO- "$STEP_URL" | tar xvz --strip-components=1 -C ./step
else
exit 1
fi
cp ./step/bin/step /usr/local/bin
fi
echo "::endgroup::"
- shell: bash
run: |
echo "::group::Bootstrapping Local Environment"
step ca bootstrap \
--ca-url https://ca.auengun.net \
--fingerprint eb6f15f882249747976e1420e152ece79a6d9d62600acca65bca63b20e60f5ff \
--force
# Git
git config --global http."https://git.auengun.net/".sslCAInfo $HOME/.step/certs/root_ca.crt
# System Certs
if [ -w /usr/local/share/ca-certificates/ ]; then
cp $HOME/.step/certs/root_ca.crt /usr/local/share/ca-certificates/SPM_Root_CA.crt
if command -v update-ca-certificates &> /dev/null; then
update-ca-certificates
else
echo "[WARN] Unable to find update-ca-certificates to system trust store."
fi
else
echo "[WARN] Unable to write certificates to system trust store."
fi
if [ -f $HOME/.step/certs/root_ca.crt ]; then
echo "[INFO] SPM Homelab Certificates available locally at:\\n$HOME/.step/certs/root_ca.crt"
else
echo "[ERROR] unable to find '$HOME/.step/certs/root_ca.crt'"
fi
echo "Completed bootstrapping"
echo "::endgroup::"
- shell: bash
run: |
# todo: Rewrite the auth flow to use an internal runner-only service
# that takes the workflow one-time TOKEN and exchanges it for an
# appropriately scoped certificate with principals etc.
[ -z "$INPUT_JWK_PASSWORD" ] && echo "No JWK_PASSWORD provided -- skipping rest of setup." > /dev/stderr && exit 0
echo "::group::attempting to provision an ssh identity certificate"
export JWK_PASSWORD_PATH=~/.step/JWK_PASSWORD
while read -r line; do
echo "::add-mask::${line}"
done <<< "$INPUT_JWK_PASSWORD"
set -x
echo "$INPUT_JWK_PASSWORD" > "$JWK_PASSWORD_PATH"
chmod 600 "$JWK_PASSWORD_PATH"
mkdir -p ~/.ssh/
chmod '0700' ~/.ssh/
step ssh certificate \
${{ github.actor }} \
--principal ${{ github.actor }} \
--principal root \
--principal ubuntu \
~/.ssh/id_ecdsa \
--provisioner-password-file "$JWK_PASSWORD_PATH" \
--issuer jwk_cicd \
--insecure \
--no-password && rm -f "$JWK_PASSWORD_PATH"
if [ -f "$JWK_PASSWORD_PATH" ]; then echo "couldn't safely purge JWK password"; exit 1; fi
step ssh config
echo "::endgroup::"
- name: Clone Repo into Workspace
uses: https://git.auengun.net/actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
github-server-url: https://git.auengun.net
persist-credentials: true
- name: Submodule Update
shell: bash
run: |
if [ "$INPUT_SUBMODULE_UPDATE" == "true" ]; then
echo "::group::Submodule clone & initialization"
git submodule update --init --recursive
echo "::endgroup::"
fi
Reference in a new issue View git blame Copy permalink