feat: git push support #21
Conversation
neurosnap
force-pushed
the
git-push-support
branch
from
b464bc4 to
7adfee1
Compare
entrypoint.sh
Outdated
| REMOTE_URL="root@$INPUT_GIT_REMOTE:$INPUT_ENVIRONMENT/$INPUT_APP.git" | ||
| git remote add aptible ${REMOTE_URL} | ||
| BRANCH="deploy-$(date "+%s")" | ||
| GIT_SSH_COMMAND="ssh -o SendEnv=ACCESS_TOKEN -o PubkeyAuthentication=no -o StrictHostKeyChecking=no -p 43022" git push aptible "main:$BRANCH" |
There was a problem hiding this comment.
"main:$BRANCH" needs to change to whatever branch is currently checked out.
| To use this image, you should use another workflow step to publish your image to | ||
| a Docker image registry (for example | ||
| [Docker's](https://github.com/marketplace/actions/build-and-push-docker-images)). |
There was a problem hiding this comment.
Future Improvement: It may be useful to provide an example of how to build and push to the repo's GitHub packages registry since my understanding is it should "just work" without any external setup.
There was a problem hiding this comment.
I think you are right, but can we look into this after this is deployed?
There was a problem hiding this comment.
Yeah, that's why I marked it as "Future Improvement".
action.yml
Outdated
| git_remote: | ||
| description: 'Aptible git remote domain' | ||
| required: False | ||
| default: elb-aptible-us-east-1-81550.aptible.in |
There was a problem hiding this comment.
Why use the internal domain and not either git.aptible.com or beta.aptible.com since those are much more likely to stay static?
There was a problem hiding this comment.
That's my bad. Eric asked me what the hostname for primetime was and I didn't see a user domain on it so I just gave him the internal hostname. I overlooked the possibility of using a custom cert which would cause the endpoint to not have user domain. We should use git.aptible.com.
There was a problem hiding this comment.
We should use primetime.aptible.com, since it's a different service than Megatron (git.aptible.com).
There was a problem hiding this comment.
Or no certificate because it's using ssh not http 🤦
There was a problem hiding this comment.
primetime.aptible.com ?
Is that what we should use for a git push?
There was a problem hiding this comment.
We should use primetime.aptible.com, since it's a different service than Megatron (git.aptible.com).
Is that the right service to push to? Normally a user would push to beta.aptible.com or git.aptible.com which both point to megatron, right?
There was a problem hiding this comment.
We are interfacing directly with primetime in order to perform a git push using just an Aptible token. This makes this paradigm more visible to the outside world, something to think about.
Alex is right I glossed over that
entrypoint.sh
Outdated
| REMOTE_URL="root@$INPUT_GIT_REMOTE:$INPUT_ENVIRONMENT/$INPUT_APP.git" | ||
| git remote add aptible ${REMOTE_URL} | ||
| REMOTE_BRANCH="deploy-$(date "+%s")" | ||
| GIT_SSH_COMMAND="ssh -o SendEnv=ACCESS_TOKEN -o PubkeyAuthentication=no -o StrictHostKeyChecking=no -p 43022" git push aptible "$GITHUB_BRANCH:$REMOTE_BRANCH" |
There was a problem hiding this comment.
StrictHostKeyChecking=no
We should not skip hostkey checking from a location outside of our control, eg GHA runners. (this will necessitate persisting it between deployments of Primetime with a PersistentDisk)
There was a problem hiding this comment.
Updated. Will have to re-test this to make sure it all works still
|
We might add an extra note about 'Breaking changes' in the release notes and call out that existing users need to add the 'type: docker' option |
BREAKING CHANGE: `type` is now required (choices: `git` or `docker`)
FEAT
git pushBREAKING CHANGES
typeis now required (choices:gitordocker)Approach
We tried to make this as congruent as possible with the current Direct Docker Image Deploy strategy. In that effort, we wanted to support
git pushwithout requiring yet another authentication secret -- the SSH private key -- so we had to jump through some hoops to use our Aptible access token for pushing to our git remote.Security Considerations
We are interfacing directly with
primetimein order to perform agit pushusing just an Aptible token. This makes this paradigm more visible to the outside world, something to think about.