feat(security): Migrate to git-crypt for ebaniy secrets management
16
.drone.yml
16
.drone.yml
@@ -9,15 +9,7 @@ trigger:
|
||||
- push
|
||||
|
||||
steps:
|
||||
- name: testing
|
||||
image: python:3.11-slim
|
||||
environment:
|
||||
YANDEX_CLIENT_ID: "test_id_from_drone"
|
||||
YANDEX_CLIENT_SECRET: "test_secret_from_drone"
|
||||
commands:
|
||||
- pip install poetry
|
||||
- poetry install
|
||||
- poetry run pytest -v
|
||||
# Тестирование мы пока пропустим, чтобы отладить деплой
|
||||
|
||||
- name: deploy
|
||||
image: appleboy/drone-ssh
|
||||
@@ -28,7 +20,9 @@ steps:
|
||||
key:
|
||||
from_secret: DEPLOY_STAG_SSH_KEY
|
||||
script:
|
||||
# Эти команды выполняются на VDS
|
||||
- cd /home/orlov/apps/marquiz-metrics-staging
|
||||
- git pull
|
||||
- ./scripts/deploy.sh # Просто запускаем наш умный скрипт
|
||||
# git-crypt сам расшифрует файлы после pull, так как мы сделали unlock на VDS
|
||||
- cat envs/common.env envs/staging.env > .env.staging
|
||||
- make staging-up
|
||||
- echo "Deployment finished!"
|
||||
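Review bot: The new deploy script builds `.env.staging` from `envs/common.env` and `envs/staging.env` without checking that git-crypt actually decrypted them, and nothing visible here stops the run when a command fails. If the VDS checkout is locked or `git pull` fails, `cat` concatenates ciphertext or stale files and `make staging-up` presumably still runs, assuming the plugin continues after a failed line. I would open the script with `- set -eu` and `- umask 077`, so that a failed step aborts and the plaintext `.env.staging` is created owner-only, and fail the step if `envs/staging.env` still begins with git-crypt's encrypted-file header. Separately, the first hunk removes the `testing` step, so every push now deploys with no test gate; the comment there says this is temporary, so restoring it should be tracked.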
1
.gitattributes
vendored
Normal file
1
.gitattributes
vendored
Normal file
@@ -0,0 +1 @@
|
||||
envs/*.env filter=git-crypt diff=git-crypt
|
||||
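Review bot: `envs/*.env filter=git-crypt diff=git-crypt` puts `envs/prod.env` under the same default git-crypt key as the staging files, so any checkout unlocked for staging, including the VDS that the deploy script's comment says was unlocked, can also read the production secrets in plaintext. The removed SOPS rules named their recipients explicitly; the git-crypt equivalent is a named key per environment, for example `envs/prod.env filter=git-crypt-prod diff=git-crypt-prod` placed after the glob line, with the key created by `git-crypt init -k prod`. If staging and production are meant to share one trust level, a comment above the rule saying so would make that intent explicit. It is also worth confirming with `git-crypt status` that all three env files are reported as encrypted.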
@@ -1,7 +0,0 @@
|
||||
creation_rules:
|
||||
- path_regex: ^envs/(prod|staging)\.env$
|
||||
key_groups:
|
||||
- age:
|
||||
- age12dkajmj2n7cgqplt325aw89c63v9dq7e833rt4ceqwlh87xs6fcsz6xfc9
|
||||
- age1p69rx76d4dqpf5a54m66lptad5qks8r98vxyyd59hh7rwz203szq3hzgyz
|
||||
encrypted_regex: '^(?!#).*'
|
||||
BIN
envs/common.env
BIN
envs/common.env
Binary file not shown.
BIN
envs/prod.env
BIN
envs/prod.env
Binary file not shown.
BIN
envs/staging.env
BIN
envs/staging.env
Binary file not shown.