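---
# CI/CD workflow: syntax-check the Ansible playbooks on every PR/push, then
# deploy on pushes (or manual dispatches) to master.
#
# Changes versus the previous revision:
#   * Secrets reach the shell through `env:` instead of `${{ }}` expansion
#     inside `run:` scripts, so a value containing quotes, `$(`, or backticks
#     cannot alter the command that is executed.
#   * `printf '%s\n'` replaces `echo` (no backslash/`-n` mangling) and files
#     are created under `umask 077` (no world-readable window before chmod).
#   * Host keys can be pinned via an SSH_KNOWN_HOSTS secret; ssh-keyscan is
#     kept only as the fallback, with its trust-on-first-use caveat spelled out.
name: CI/CD

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  workflow_dispatch:  # allows triggering via Forgejo API (/deploy bot command)

jobs:
  # ── Syntax check (every PR + push) ───────────────────────────────────────
  syntax-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install ansible
        # NOTE(review): unpinned; `ansible==<version>` would make runs
        # reproducible, but no version is recorded in this repo to pin to.
        run: pip3 install ansible --quiet --break-system-packages

      - name: Install collections
        run: |
          ansible-galaxy collection install \
            community.general community.docker ansible.posix --force

      - name: Write vault password
        # Passed via env so the secret is never spliced into script text.
        # NOTE(review): ansible-playbook is expected to find this file through
        # ansible.cfg (vault_password_file) or ANSIBLE_VAULT_PASSWORD_FILE —
        # neither is set in this workflow; confirm against the repo config.
        env:
          VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }}
        run: |
          umask 077
          printf '%s\n' "$VAULT_PASSWORD" > ~/.vault-password-file
          chmod 600 ~/.vault-password-file

      - name: Syntax check — main
        run: ansible-playbook playbooks/deploy.yml --syntax-check

      - name: Syntax check — tools
        run: ansible-playbook playbooks/tools.yml --syntax-check

  # ── Deploy (push to master only, after syntax-check passes) ──────────────
  deploy:
    needs: syntax-check
    # Guarded on both ref and event so a PR run (which also satisfies
    # `needs`) never deploys.
    if: github.ref == 'refs/heads/master' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
    runs-on: ubuntu-latest
    # NOTE(review): two overlapping pushes can run this job concurrently
    # against the same hosts; a `concurrency:` group would serialise them if
    # the Forgejo runner in use supports that key — confirm before adding.
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          pip3 install ansible --quiet --break-system-packages
          ansible-galaxy collection install \
            ansible.posix community.general community.docker --force

      - name: Configure SSH
        # SSH_KNOWN_HOSTS (optional) holds the target hosts' public keys in
        # known_hosts format. When present, a host presenting a different key
        # fails the deploy instead of being accepted.
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          if [ -n "$SSH_KNOWN_HOSTS" ]; then
            # Pinned host keys supplied by the repository secret.
            printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
          else
            # Fallback: trust whatever key each host presents at run time
            # (trust-on-first-use). Anything answering at these addresses on
            # the runner's network path is accepted without verification, so
            # prefer setting SSH_KNOWN_HOSTS.
            ssh-keyscan -p 22 87.249.49.32 >> ~/.ssh/known_hosts
            ssh-keyscan -p 22 85.193.83.9 >> ~/.ssh/known_hosts
          fi
          chmod 600 ~/.ssh/known_hosts

      - name: Write vault password
        # Same handling as in syntax-check: env-passed, printf, umask 077.
        env:
          VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }}
        run: |
          umask 077
          printf '%s\n' "$VAULT_PASSWORD" > ~/.vault-password-file
          chmod 600 ~/.vault-password-file

      - name: Deploy main server
        # `-l main` limits the run to the `main` inventory target; the
        # inventory itself is not part of this file.
        run: ansible-playbook playbooks/deploy.yml -l main

      - name: Deploy tools server
        run: ansible-playbook playbooks/tools.yml -l tools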