I’m currently stuck with a pretty stupid problem and can’t seem to find a solution, so I thought about asking here.
What I want to do:
I have a webproject set up on Github (currently private repo) and running on my webserver to serve it. So far so good. Only problem now is, that I have to manually SSH into my server and run a script to pull the changes and restart the application whenever I make changes to the project - which is simply annoying after a few times.
So what I basically want is a way to trigger this script whenever a push/merge action on the master branch happens. I found many solutions, but all of them require me to setup a repository on the webserver and add it as a remote to my client, which is not what I want. I want to be able to trigger this from Github.
Can anyone give me advice on how to do this? Maybe with Github Actions or something similar?
Mayebe you can try install a self-hosted runner on your remote server, then use this runner to run the workflows on your GitHub repository. In this way, you can directly checkout your GitHub repository onto the server, build the project, and you can copy the source code into any directory on the server.
If you do not want to install the self-hosted runner, what server are you using? You can try to search if there are published CLI for the server, and use the related commnds to push the source code onto the server. And you also can search in the GitHub marketplace to see if have published action to do this for your server.
my server is a Debian 10 VPS running the node application (the project) and nginx as a proxy.
Could you maybe recomment me something from the marketplace to check out? Because honestly I’m just overwhelmed by the amount of stuff there
Also about self-hosted runnsers, Github states the following on the Help-page:
Github Help wrote:
We recommend that you do not use self-hosted runners with public repositories.
Forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.
Would there be a way to restrict the runner to the original repo, so no fork can execute code on my server? This would be important for me, since I want to make it public once the basic structure is working fine
I searched and did find availale actions for the server with Debian OS. Looks like the self-hosted runner ia the best way for your request.
About the security on the self-hosted runner machine, if you want the workflow do not run when the commits are merged from the forks via PR, you can try the follow workaround:
Check the properties of github context: use the property github.event.pull_request.head.repo.full_name to get the name of the head repository (source repository) of the PR; use the property github.event.pull_request.base.repo.full_name to get the name of the base repository (target repository) of the PR.
If the the PR is merged from a branch from another branch in the same repository, the value of these two properties is same. If they are different, that means the merge is from a different repository.
For example: my base repository is BrightRan/TestClock , and the fork repository is ForksForTest/TestClock, PR merge from master branch of ForksForTest/TestClock to master branch of BrightRan/TestClock.
github.event.pull_request.base.repo.full_name = BrightRan/TestClock
github.event.pull_request.base.label = BrightRan:master
github.event.pull_request.head.repo.full_name = ForksForTest/TestClock
github.event.pull_request.head.label = ForksForTest:master
- You can add a if conditional for each job of the workflow that runs on the pull_request event in your original repository, use this if conditional to check if the merge is from another repository, if so, skip all the jobs in the workflow.
Hope this can help you.
Thanks a lot, I’ll take a shot at this when I find some time
As I mentioned in my previous reply that using the properties of github context github.event.pull_request.head.repo.full_name and github.event.pull_request.base.repo.full_name to check if the merge is from different repository, and then according it to skip jobs in the workflow.
Have you tried this workaround? Is it helpful to you? Any progress, please feel free to tell us.
No, I didn’t find time to test it yet. I’ll let you know asap!