alois/OpenFrontIO
1
0
Fork 0
mirror of https://github.com/openfrontio/OpenFrontIO.git synced 2026-06-21 15:20:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6afedd8fd2e8cfe97b4cd972e097f954b4ef5e76
OpenFrontIO/.github/workflows/deploy.yml
T
Evan 94205426e7 Move turnstile check to api (#3845) 
## Description

Re-enables Turnstile verification (was temporarily disabled in v31 to
diagnose intermittent `invalid-input-response` rejections) and moves the
verification call off the game servers.

Game servers no longer hold `TURNSTILE_SECRET_KEY` or hit
`challenges.cloudflare.com` directly. Instead they POST to
`${jwtIssuer}/turnstile` on the api-worker (authenticated with the
existing `apiKey`), which holds the secret and proxies to Cloudflare.
Shrinks blast radius and removes the secret from every game host + GH
Actions workflow.

Response from the api-worker is Zod-validated; null tokens short-circuit
to `rejected` locally.

## Please complete the following:

- [x] I have added screenshots for all UI updates (n/a — server only)
- [x] I process any text displayed to the user through translateText()
(n/a — no user-visible text)
- [ ] I have added relevant tests to the test directory
- [x] I confirm I have thoroughly tested these changes and take full
responsibility for any bugs introduced

## Discord:

evanpelle
2026-05-04 12:53:02 -06:00

200 lines
7.9 KiB
YAML
Raw Blame History

name: 🚀 Deploy
on:
# Allow contributors to schedule manual deployments.
# Permission to deploy can be restricted by requiring approval in environment configuration.
workflow_dispatch:
inputs:
target_domain:
description: "Deployment Domain"
required: true
default: "openfront.dev"
type: choice
options:
- openfront.io
- openfront.dev
target_host:
description: "Deployment Host"
required: true
default: "staging"
type: choice
options:
- masters
- staging
- falk2
target_subdomain:
description: "Deployment Subdomain"
required: false
default: ""
type: string
# Automatic deployment on push
# See https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
push:
branches:
- "*"
# Nightly build: rebuild and deploy main to nightly.openfront.dev
# 07:00 UTC = 11:00 PM PST (midnight PDT during summer)
schedule:
- cron: "0 7 * * *"
permissions: {}
concurrency:
group: ${{ github.event_name == 'workflow_dispatch' && inputs.target_host || 'staging' }}
cancel-in-progress: false
jobs:
deploy:
# Deploy on push/schedule/workflow_dispatch (see "on:") unless this is a fork
if: ${{ github.repository == 'openfrontio/OpenFrontIO' }}
# Use different logic based on event type
name: Deploy to ${{ inputs.target_domain || 'openfront.dev' }}
runs-on: ubuntu-latest
timeout-minutes: 30
environment: ${{ inputs.target_domain == 'openfront.io' && 'prod' || '' }}
env:
DOMAIN: ${{ inputs.target_domain || 'openfront.dev' }}
SUBDOMAIN: ${{ github.event_name == 'schedule' && 'nightly' || github.event_name == 'push' && github.ref_name || inputs.target_subdomain || 'main' }}
steps:
- uses: actions/checkout@v6
- name: 📝 Update job summary
env:
FQDN: ${{ env.SUBDOMAIN && format('{0}.{1}', env.SUBDOMAIN, env.DOMAIN) || env.DOMAIN || 'openfront.dev' }}
run: |
echo "FQDN=$FQDN" >> $GITHUB_ENV
cat <<EOF >> $GITHUB_STEP_SUMMARY
### In progress :ship:
Deploying from $GITHUB_REF to $FQDN
EOF
- uses: actions/create-github-app-token@v3
id: generate-token
if: ${{ github.repository == 'openfrontio/OpenFrontIO' }}
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Export the token
if: ${{ github.repository == 'openfrontio/OpenFrontIO' }}
env:
GH_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
echo "GH_TOKEN=$GH_TOKEN" >> $GITHUB_ENV
gh api octocat
- name: 📝 Create deployment
if: ${{ github.repository == 'openfrontio/OpenFrontIO' && steps.generate-token.outputs.token != '' }}
uses: actions/github-script@v9
id: deployment
env:
ENVIRONMENT: ${{ inputs.target_domain == 'openfront.io' && 'prod' || 'staging' }}
FQDN: ${{ env.FQDN }}
with:
github-token: ${{ steps.generate-token.outputs.token }}
script: |
const response = await github.rest.repos.createDeployment({
owner: context.repo.owner,
repo: context.repo.repo,
ref: process.env.GITHUB_SHA,
environment: process.env.ENVIRONMENT,
description: 'Deployment to ' + process.env.FQDN,
auto_merge: false,
required_contexts: [],
transient_environment: process.env.ENVIRONMENT === 'staging' && context.ref !== 'refs/heads/main',
production_environment: process.env.ENVIRONMENT === 'prod'
});
const deployment = response.data;
if (!deployment || !deployment.id) {
core.setFailed('Failed to create deployment');
return;
}
core.setOutput('deployment_id', deployment.id);
- name: 🔗 Log in to GHCR
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ vars.GHCR_USERNAME }}
password: ${{ secrets.GHCR_TOKEN }}
- name: 🔑 Create SSH private key
env:
SERVER_HOST_MASTERS: ${{ secrets.SERVER_HOST_MASTERS }}
SERVER_HOST_FALK2: ${{ secrets.SERVER_HOST_FALK2 }}
SERVER_HOST_STAGING: ${{ secrets.SERVER_HOST_STAGING }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
run: |
set -euxo pipefail
mkdir -p ~/.ssh
echo "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa
test -n "$SERVER_HOST_MASTERS" && ssh-keyscan -H "$SERVER_HOST_MASTERS" >> ~/.ssh/known_hosts
test -n "$SERVER_HOST_FALK2" && ssh-keyscan -H "$SERVER_HOST_FALK2" >> ~/.ssh/known_hosts
test -n "$SERVER_HOST_STAGING" && ssh-keyscan -H "$SERVER_HOST_STAGING" >> ~/.ssh/known_hosts
chmod 600 ~/.ssh/id_rsa
- name: 🚢 Deploy
env:
GHCR_REPO: ${{ vars.GHCR_REPO }}
GHCR_USERNAME: ${{ vars.GHCR_USERNAME }}
ENV: ${{ inputs.target_domain == 'openfront.io' && 'prod' || 'staging' }}
HOST: ${{ github.event_name == 'workflow_dispatch' && inputs.target_host || 'staging' }} # schedule and push both use staging
CDN_BASE: ${{ vars.CDN_BASE }}
OTEL_EXPORTER_OTLP_ENDPOINT: ${{ secrets.OTEL_EXPORTER_OTLP_ENDPOINT }}
OTEL_AUTH_HEADER: ${{ secrets.OTEL_AUTH_HEADER }}
API_KEY: ${{ secrets.API_KEY }}
SERVER_HOST_MASTERS: ${{ secrets.SERVER_HOST_MASTERS }}
SERVER_HOST_FALK2: ${{ secrets.SERVER_HOST_FALK2 }}
SERVER_HOST_STAGING: ${{ secrets.SERVER_HOST_STAGING }}
SSH_KEY: ~/.ssh/id_rsa
VERSION_TAG: latest
run: |
echo "::group::deploy.sh"
./build-deploy.sh "$ENV" "$HOST" "$SUBDOMAIN"
echo "Deployment created in ${SECONDS} seconds" >> $GITHUB_STEP_SUMMARY
echo "::endgroup::"
- name: ⏳ Wait for deployment to start
env:
API_KEY: ${{ secrets.API_KEY }}
run: |
echo "::group::Wait for deployment to start"
set -euxo pipefail
while [ "$(curl -s -H "X-API-Key: ${API_KEY}" https://${FQDN}/commit.txt)" != "${GITHUB_SHA}" ]; do
if [ "$SECONDS" -ge 300 ]; then
echo "Timeout: deployment did not start within 5 minutes"
exit 1
fi
sleep 10
done
echo "Deployment started in ${SECONDS} seconds" >> $GITHUB_STEP_SUMMARY
echo "::endgroup::"
- name: 🔄 Update deployment status
if: ${{ always() && github.repository == 'openfrontio/OpenFrontIO' && steps.generate-token.outputs.token != '' && steps.deployment.outcome == 'success' && steps.deployment.outputs.deployment_id != '' }}
uses: actions/github-script@v9
env:
FQDN: ${{ env.FQDN }}
DEPLOYMENT_ID: ${{ steps.deployment.outputs.deployment_id }}
STATUS: ${{ job.status }}
with:
github-token: ${{ steps.generate-token.outputs.token }}
script: |
await github.rest.repos.createDeploymentStatus({
owner: context.repo.owner,
repo: context.repo.repo,
deployment_id: process.env.DEPLOYMENT_ID,
state: process.env.STATUS === 'success' ? 'success' : 'failure',
environment_url: 'https://' + process.env.FQDN
});
- name: ✅ Update job summary
if: success()
run: |
cat <<EOF >> $GITHUB_STEP_SUMMARY
### Success! :rocket:
Deployed from $GITHUB_REF to $FQDN
EOF
- name: ❌ Update job summary
if: failure()
run: |
cat <<EOF >> $GITHUB_STEP_SUMMARY
### Failure! :fire:
Unable to deploy from $GITHUB_REF to $FQDN
EOF
Reference in New Issue View Git Blame Copy Permalink