Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-20 23:48:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 109
fleet/.github/workflows/deploy-fleet-website.yml
Eric 4fd1efe98a
Website: Add API to send signed CSR emails (#8408) 
This pull request relies on the `mdm-gen-cert` command from
https://github.com/fleetdm/fleet/pull/8884.
Closes: https://github.com/fleetdm/fleet/issues/8223

Changes:
- Updated the deploy Fleet website workflow to:
   - Add Go as a dependency
   - Build the mdm-gen-cert binary in `/website/.tools/`
   - add the `/.tools/` folder to the Heroku app
- Added `deliver-apple-csr.js` -  an API that:
- can be called by making a `POST` request to
`/api/v1/deliver-apple-csr`
   - accepts `csr` as an input
- runs the `mdm-gen-cert` command with the `csr` set as an environment
variable
- returns an `invalidEmailDomain` response if the user's email domain is
in the array of banned email domains.
- saves the users organization and email address to the website's
database
- Sends an email to the requesting user's email address with the signed
CSR attached as a text file named `apple-apns-request.txt`
   - Posts a message to a channel in the Fleet Slack.
- Added a new model: `CertificateSigningRequests` that contains two
required attributes: `emailAddress` and `organization`
- Added a new email template `email-signed-csr-for-apns`
- Updated routes, policies, eslintrc, and rebuilt cloud-sdk


Before this can be merged, we will need to:
- [x] Add new config variables in Heroku
   - [x] `sails.config.custom.mdmVendorCertPem` 
   - [x] `sails.config.custom.mdmVendorKeyPem`
   - [x] `sails.config.custom.mdmVendorKeyPassphrase`
   - [x] `sails.config.custom.slackWebhookUrlForMDMSignups`
- [x] Add the `CertificateSigningRequests` model to the website's
database
2023-01-19 14:43:14 -06:00

111 lines
5 KiB
YAML
Raw Blame History

name: Deploy Fleet website
on:
push:
branches: [ main ]
paths:
- 'website/**'
- 'docs/**'
- 'handbook/**'
- 'articles/**'
- 'schema/**'
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
build:
if: ${{ github.repository == 'fleetdm/fleet' }}
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [14.x]
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
# Configure our access credentials for the Heroku CLI
- uses: akhileshns/heroku-deploy@79ef2ae4ff9b897010907016b268fd0f88561820 # v3.6.8
with:
heroku_api_key: ${{secrets.HEROKU_API_TOKEN_FOR_BOT_USER}}
heroku_app_name: "" # this has to be blank or it doesn't work
heroku_email: ${{secrets.HEROKU_EMAIL_FOR_BOT_USER}}
justlogin: true
- run: heroku auth:whoami
# Set the Node.js version
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1
with:
node-version: ${{ matrix.node-version }}
# Install the right version of Go for the Golang child process that we are currently using for CSR signing
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
# Download top-level dependencies and build Storybook in the website's assets/ folder
- run: npm install && npm run build-storybook -- -o ./website/assets/storybook --loglevel verbose
# Now start building!
# > …but first, get a little crazy for a sec and delete the top-level package.json file
# > i.e. the one used by the Fleet server. This is because require() in node will go
# > hunting in ancestral directories for missing dependencies, and since some of the
# > bundled transpiler tasks sniff for package availability using require(), this trips
# > up when it encounters another Node universe in the parent directory.
- run: rm -rf package.json package-lock.json node_modules/
# > Turns out there's a similar issue with how eslint plugins are looked up, so we
# > delete the top level .eslintrc file too.
- run: rm -f .eslintrc.js
# > And, as a change to the top-level fleetdm/fleet .gitignore on May 2, 2022 revealed,
# > we also need to delete the top level .gitignore file too, so that its rules don't
# > interfere with the committing and force-pushing we're doing as part of our deploy
# > script here. For more info, see: https://github.com/fleetdm/fleet/pull/5549
- run: rm -f .gitignore
# Download dependencies (including dev deps)
- run: cd website/ && npm install
# Run sanity checks
- run: cd website/ && npm test
# Compile browser assets & markdown content into generated collateral
- run: cd website/ && BUILD_SCRIPT_ARGS="--githubAccessToken=${{ secrets.GITHUB_TOKEN }}" npm run build-for-prod
# Build the go binary we use to sign APNS certificates in the website/.tools/ folder.
- run: cd ee/tools/mdm/ && GOOS=linux GOARCH=amd64 go build -o ../../../website/.tools/mdm-gen-cert .
# Commit newly-generated collateral locally so we can push them to Heroku below.
# (This commit will never be pushed to GitHub- only to Heroku.)
# > The local config flags make this work in GitHub's environment.
- run: git add website/.www
- run: git add website/.tools
- run: git add -f website/views/partials/built-from-markdown > /dev/null 2>&1 || echo '* * * WARNING - Silently ignoring the fact that there are no HTML partials generated from markdown to include in automated commit...'
- run: git -c "user.name=Fleetwood" -c "user.email=github@example.com" commit -am 'AUTOMATED COMMIT - Deployed the latest, including generated collateral such as compiled documentation, modified HTML layouts, and a .sailsrc file that references minified client-side code assets.'
# Configure the Heroku app we'll be deploying to
- run: heroku git:remote -a production-fleetdm-website
- run: git remote -v
# Deploy to Heroku (by pushing)
# > Since a shallow clone was grabbed, we have to "unshallow" it before forcepushing.
- run: echo "Unshallowing local repository…"
- run: git fetch --prune --unshallow
- run: echo "Deploying branch '${GITHUB_REF##*/}' to Heroku…"
- run: git push heroku +${GITHUB_REF##*/}:master # note that Heroku, at least as of Jun 10 2021, still uses "master" on their end
- name: 🌐 https://fleetdm.com
run: echo '' && echo '--' && echo 'OK, done. It should be live momentarily.' && echo '(if you get impatient, check the Heroku dashboard for status)' && echo && echo ' 🌐–• https://fleetdm.com'
Reference in a new issue View git blame Copy permalink