Skip to content

WIP: Add semi automatic deployments

Sven-Hendrik Haase requested to merge add-semi-automatic-deployments into pu

The idea is to always deploy to dev if the pipeline succeeds and to offer the option to deploy to production manually if the master pipeline succeeds. I also suggest changing the branch names to be a bit more intuitive: develop would be the new integration branch which would automatically deploy to aur-dev.archlinux.org upon successful completion while master would be semi-automatic and the authorized developer would manually have to click deploy upon successful testing completion.

The "automatic" part would work like this:

  • The script part runs ssh deployme@aur.archlinux.org.
  • The runner would use a secret-injected private key id_rsa to make this connection to the deployme user on the other machine.
  • The other machine's deployme user would have the corresponding public key in a command-limited entry in its .ssh/authorized_keys file that would look like this: command="/path/to/aurweb/deploy/deployme.sh" <public key> GitLab automatic deployments aur.archlinux.org key.

Both branches would be protected so only a limited number of people can merge stuff to it. Additionally, the production environment would be protected and only a few hand-picked developers would even be able to deploy to it: https://docs.gitlab.com/ee/ci/environments/protected_environments.html

The command-restricted SSH keys ensure that even if somehow the private key would be exposed, all the attacker could do is keep deploying AUR.

Edited by Sven-Hendrik Haase

Merge request reports

Loading