github action is running on feature branches and it should only run on main branch or release branch
Question
I have the following GitHub action and it runs the action even if I create a feature branch with a name other than main, master, or release.
What am I doing wrong?
```yaml
# see https://raw.githubusercontent.com/zellwk/zellwk.com/master/.github/workflows/deploy.yml
name: deploy
on:
  push:
    branches:
      - main
      - master
      - release
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
      - name: Install SSH Key
        uses: shimataro/ssh-key-action@v2
        with:
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          known_hosts: unnecessary
      - name: Adding Known Hosts
        run: ssh-keyscan -p ${{ secrets.SSH_PORT}} -H ${{ secrets.SSH_HOST }} >> ~/.ssh/known_hosts
      - name: Set env file and jwk.json for release
        if: ${{ contains(github.ref_name, 'release') || github.ref == 'refs/heads/release' }}
        run: |
          echo "${{secrets.PRODUCTION_ENV }}" > .env.prod
          ln -sf .env.prod .env
          echo "${{secrets.PRODUCTION_JWK}}" | base64 --decode > jwk.json
      - name: Set env file and jwk.json for development
        if: ${{ !contains(github.ref_name, 'release') && github.ref != 'refs/heads/release' }}
        run: |
          echo "${{secrets.DEVELOPMENT_ENV }}" > .env.dev
          ln -sf .env.dev .env
          echo "${{secrets.DEVELOPMENT_JWK}}" | base64 --decode > jwk.json
      - name: Deploy with rsync for release
        if: ${{ contains(github.ref_name, 'release') || github.ref == 'refs/heads/release' }}
        # from ./bin/deploy.sh
        run: rsync -azvP -e "ssh -p ${{ secrets.SSH_PORT }}" --delete --exclude=node_modules --exclude=redis-data --exclude=.idea --exclude=.git --exclude=mongo_data --exclude=data01 --exclude=uploads --exclude=emails.txt --exclude=main --exclude=deno --exclude=app --exclude=database.sqlite --exclude=database.sqlite-journal --exclude=data ./ ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:www/${{secrets.HOST_PATH_PROD}}/${{secrets.HOST_PROJECT}}
        # run: rsync -avz -e "ssh -p ${{ secrets.SSH_PORT }}" ./dist/ ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }}:/var/www/zellwk.com/
      - name: Deploy with rsync for development
        if: ${{ !contains(github.ref_name, 'release') && github.ref != 'refs/heads/release' }}
        # from ./bin/deploy.sh
        run: rsync -azvP -e "ssh -p ${{ secrets.SSH_PORT }}" --delete --exclude=node_modules --exclude=redis-data --exclude=.idea --exclude=.git --exclude=mongo_data --exclude=data01 --exclude=uploads --exclude=emails.txt --exclude=main --exclude=deno --exclude=app --exclude=database.sqlite --exclude=database.sqlite-journal --exclude=data ./ ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}}:www/${{secrets.HOST_PATH_DEV}}/${{secrets.HOST_PROJECT}}
      - name: Post-Deploy script for release
        if: ${{ contains(github.ref_name, 'release') || github.ref == 'refs/heads/release' }}
        # from ./bin/deploy.sh
        run: ssh -t ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} -p ${{secrets.SSH_PORT}} \$HOME/www/${{secrets.HOST_PATH_PROD}}/${{secrets.HOST_PROJECT}}/bin/post-deploy.sh
      - name: Post-Deploy script for development
        if: ${{ !contains(github.ref_name, 'release') && github.ref != 'refs/heads/release' }}
        # from ./bin/deploy.sh
        run: ssh -t ${{secrets.SSH_USER}}@${{secrets.SSH_HOST}} -p ${{secrets.SSH_PORT}} \$HOME/www/${{secrets.HOST_PATH_DEV}}/${{secrets.HOST_PROJECT}}/bin/post-deploy.sh
      # - name: Restart App Server
      #   uses: appleboy/ssh-action@master
      #   with:
      #     host: ${{ secrets.SSH_HOST }}
      #     username: ${{ secrets.SSH_USER }}
      #     key: ${{ secrets.SSH_PRIVATE_KEY }}
      #     port: ${{ secrets.SSH_PORT }}
      #     debug: true
      #     # from ./bin/post-deploy.sh
      #     # if [ ${{ contains(github.ref_name, 'release') || github.ref == 'refs/heads/release' }} ]; then
      #     # else
      #     #   cd $HOME/www/${{secrets.HOST_PATH_DEV}}/${{secrets.HOST_PROJECT}}
      #     #   deno upgrade
      #     #   sudo /etc/init.d/nginx reload
      #     #   sudo systemctl daemon-reload
      #     #   sudo systemctl restart ${{secrets.META_SERVICE_DEV}}
      #     # fi
      #     script: |
      #       cd $HOME/www/${{secrets.HOST_PATH_DEV}}/${{secrets.HOST_PROJECT}}
      #       deno upgrade
      #       sudo /etc/init.d/nginx reload
      #       sudo systemctl daemon-reload
      #       sudo systemctl restart ${{secrets.META_SERVICE_DEV}}
```
It shouldn't run the action on push to a different branch, i.e. feature1.
Answer 1
Score: 1
There are 2 things going on. Even though you've updated the YAML file in the main/master branch, it's likely that existing branches have a copy of the YAML file without the filter. You can fix that by cherry-picking the new YAML file into the existing branches.
The other thing you can do is define an Environment and add an environment: xxxxx to the YAML file and a branch filter on the environment. That will prevent people from running the deploy job against the environment.
In your repository settings, navigate to environments, add an environment (any name will do), and then set the Deployment branches to Selected branches and then add the list of branches you want to allow to the list using the ➕ Add Deployment Branch.
By putting all the production secrets in the list of Environment Secrets instead of the Repository Secrets, you also prevent others from accessing these from any workflow that doesn't specifically target this environment.
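The environment gating described in this answer, written out as an added example (not part of the original answer or the asker's repository). The environment names production and development are assumptions, the Deployment branches rule and the Environment Secrets are configured in the repository settings rather than in this file, and only the secret-writing step of each job is shown.

```yaml
# Added example. Assumed setup under Settings > Environments:
#   production:  Deployment branches = Selected branches (release),
#                Environment Secrets = PRODUCTION_ENV, PRODUCTION_JWK
#   development: Deployment branches = Selected branches (main, master),
#                Environment Secrets = DEVELOPMENT_ENV, DEVELOPMENT_JWK
name: deploy
on:
  push:
    branches:
      - main
      - master
      - release
jobs:
  deploy-production:
    # Job-level check on the exact ref instead of per-step conditions.
    if: github.ref == 'refs/heads/release'
    runs-on: ubuntu-latest
    # If a stale copy of this file on another branch starts the job, the
    # environment's branch rule rejects it before any step runs.
    environment: production
    steps:
      - uses: actions/checkout@v2
      - name: Set env file and jwk.json for release
        # These are Environment Secrets of "production"; a job that does not
        # declare "environment: production" sees them as empty strings.
        run: |
          echo "${{ secrets.PRODUCTION_ENV }}" > .env.prod
          ln -sf .env.prod .env
          echo "${{ secrets.PRODUCTION_JWK }}" | base64 --decode > jwk.json
  deploy-development:
    if: github.ref != 'refs/heads/release'
    runs-on: ubuntu-latest
    environment: development
    steps:
      - uses: actions/checkout@v2
      - name: Set env file and jwk.json for development
        run: |
          echo "${{ secrets.DEVELOPMENT_ENV }}" > .env.dev
          ln -sf .env.dev .env
          echo "${{ secrets.DEVELOPMENT_JWK }}" | base64 --decode > jwk.json
```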