pez-infra/.github/workflows/_deploy-core.yml
dependabot[bot] 352bfbe3bc
chore(deps): bump the github-actions group with 2 updates
Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/cache](https://github.com/actions/cache).


Updates `actions/checkout` from 6 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v7)

Updates `actions/cache` from 5 to 6
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/cache
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-24 16:04:43 +00:00

91 lines
2.5 KiB
YAML

name: Deploy (core)
on:
workflow_call:
inputs:
host:
required: true
type: string
playbook:
required: true
type: string
dry_run:
required: false
type: boolean
default: false
secrets:
TAILSCALE_CLIENT_ID:
required: true
TAILSCALE_AUDIENCE:
required: true
SSH_PRIVATE_KEY:
required: true
AGE_SECRET_KEY:
required: true
jobs:
deploy:
name: Deploy ${{ inputs.playbook }} → ${{ inputs.host }}
runs-on: ubuntu-latest
environment: production
permissions:
id-token: write
steps:
- uses: actions/checkout@v7
- name: Cache pip packages
uses: actions/cache@v6
with:
path: ~/.cache/pip
key: pip-ansible
- name: Cache Ansible collections
uses: actions/cache@v6
with:
path: ~/.ansible
key: ansible-galaxy-${{ hashFiles('ansible/requirements.yml') }}
- name: Set up Tailscale
uses: tailscale/github-action@v4
with:
oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
audience: ${{ secrets.TAILSCALE_AUDIENCE }}
tags: tag:ci
- name: Set up SSH key
run: |
mkdir -p ~/.ssh
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
HOST_IP=$(grep "^${{ inputs.host }}[[:space:]]" ansible/inventory/hosts.ini | grep -o 'ansible_host=[^ ]*' | cut -d= -f2)
if [ -n "$HOST_IP" ]; then
ssh-keyscan -H "$HOST_IP" >> ~/.ssh/known_hosts 2>/dev/null || true
fi
- name: Install Ansible
run: pip install ansible
- name: Install Ansible collections
run: ansible-galaxy install -r ansible/requirements.yml
- name: Decrypt secrets
uses: ./.github/actions/sops-decrypt
with:
age-key: ${{ secrets.AGE_SECRET_KEY }}
- name: Run playbook
working-directory: ansible/
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
run: |
PLAYBOOK="${{ inputs.playbook }}"
PLAYBOOK="${PLAYBOOK#playbooks/}"
PLAYBOOK="${PLAYBOOK%.yml}.yml"
if [ "$PLAYBOOK" != "deploy.yml" ]; then
PLAYBOOK="playbooks/$PLAYBOOK"
fi
ARGS="--limit ${{ inputs.host }}"
if [ "${{ inputs.dry_run }}" = "true" ]; then
ARGS="$ARGS --check --diff"
fi
ansible-playbook "$PLAYBOOK" $ARGS