add csp hash #72
| name: Deploy MSK Scripts Docs | |
| on: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| # Needed to post a legacy commit status under context "CI" so that | |
| # PR-management UIs that only read the older Statuses API (rather | |
| # than the newer Check-Runs API) show the merge commits as green | |
| # instead of stuck-on-pending. | |
| statuses: write | |
| jobs: | |
| build-and-deploy: | |
| name: Build & Deploy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: ⬇️ Checkout Repository | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: 🟢 Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: 22 | |
| cache: yarn | |
| - name: 📦 Install Dependencies | |
| run: yarn install --frozen-lockfile | |
| - name: 🏗️ Build Project | |
| run: yarn build | |
| - name: 🚀 Deploy to Server via SFTP | |
| uses: appleboy/scp-action@master | |
| with: | |
| host: ${{ secrets.FTP_SERVER }} | |
| username: ${{ secrets.FTP_USERNAME }} | |
| key: ${{ secrets.SSH_PRIVATE_KEY }} | |
| port: ${{ secrets.FTP_PORT }} | |
| source: "build/*" | |
| target: "/var/www/html/docs_msk-scripts/" | |
| strip_components: 1 | |
| - name: 🛠️ Setze Datei-Besitzer + aktualisiere CSP-Snippet | |
| uses: appleboy/ssh-action@master | |
| with: | |
| host: ${{ secrets.FTP_SERVER }} | |
| username: ${{ secrets.FTP_USERNAME }} | |
| key: ${{ secrets.SSH_PRIVATE_KEY }} | |
| port: ${{ secrets.FTP_PORT }} | |
| script: | | |
| # Datei-Besitzer auf www-data setzen | |
| chown -R www-data:www-data /var/www/html/docs_msk-scripts/ | |
| # CSP-Hash-Snippet aus dem Build nach Apache-Snippets übernehmen | |
| # und Apache neu laden, damit die neuen Hashes greifen. | |
| # Vorausgesetzt: sudo NOPASSWD für die folgenden Befehle. | |
| # Siehe apache/README.md. | |
| sudo /bin/cp /var/www/html/docs_msk-scripts/csp-hashes.conf /etc/apache2/snippets/docu-csp-hashes.conf | |
| sudo /bin/chown root:root /etc/apache2/snippets/docu-csp-hashes.conf | |
| sudo /bin/systemctl reload apache2 | |
| - name: ✅ Post CI commit status (legacy API) | |
| if: always() | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const state = '${{ job.status }}' === 'success' ? 'success' : 'failure'; | |
| await github.rest.repos.createCommitStatus({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| sha: context.sha, | |
| state, | |
| context: 'CI', | |
| description: | |
| state === 'success' | |
| ? 'Build + deploy green' | |
| : 'Build or deploy failed — see workflow logs', | |
| target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`, | |
| }); |
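Review bot: The remote script in the "Setze Datei-Besitzer + aktualisiere CSP-Snippet" step copies `csp-hashes.conf`, a file produced by `yarn build`, into `/etc/apache2/snippets/` as root and reloads Apache without checking what the file contains, so anything that can influence the build output (a dependency, a build plugin) ends up as root-owned server configuration. Before the `sudo /bin/cp` I would reject the file unless every line matches the one directive the hash generator is expected to emit, and open the script with `set -e` so that a failed copy does not still reach `sudo /bin/systemctl reload apache2`. The same step runs through `appleboy/ssh-action@master`, and the upload through `appleboy/scp-action@master`; both are mutable refs that receive `secrets.SSH_PRIVATE_KEY`, and since the script comment states that this account has NOPASSWD sudo for these commands, both should be pinned to a reviewed full commit SHA. The source copy also remains under `/var/www/html/docs_msk-scripts/`, so it is presumably served publicly; that is harmless for hashes but worth deciding deliberately.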