Avoid including secrets in the built image

object-Object · May 7, 2024 · 41013a4 · 41013a4
1 parent 04fdd9f
commit 41013a4
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 24 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -127,6 +127,7 @@ jobs:
       packages: write
     environment:
       name: prod-docker
+      url: https://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -135,15 +136,6 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      # https://stackoverflow.com/a/59797984
-      # - name: Add Docker APT repository
-      #   run: sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu  $(lsb_release -cs)  stable"
-
-      # - name: Install latest Docker version
-      #   uses: awalsh128/cache-apt-pkgs-action@v1
-      #   with:
-      #     packages: docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -157,17 +149,6 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
-      - name: Set runtime environment variables
-        run: |
-          cat <<EOF > .env
-          TOKEN="${{ secrets.DISCORD_TOKEN }}"
-          LOG_WEBHOOK_URL="${{ secrets.LOG_WEBHOOK_URL }}"
-          HEALTH_CHECK_CHANNEL_ID="${{ env.HEALTH_CHECK_CHANNEL_ID }}"
-          GITHUB_SHA=main
-          GITHUB_REPOSITORY=object-Object/HexBug
-          GITHUB_PAGES_URL=https://object-object.github.io/HexBug
-          EOF
-
       - name: Build and push Docker image
         id: push
         uses: docker/build-push-action@v5

diff --git a/Dockerfile b/Dockerfile
@@ -16,7 +16,7 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 COPY .git/ .git/
 COPY scripts/bot/ scripts/bot/
 COPY src/HexBug/ src/HexBug/
-COPY main.py .env ./
+COPY main.py ./
 
 CMD ["python", "main.py"]
 

diff --git a/codedeploy/compose.override.yml b/codedeploy/compose.override.yml
@@ -1,7 +1,7 @@
 # production overrides for compose.yml
 services:
   bot:
-    image: ghcr.io/object-Object/HexBug:${IMAGE_VERSION}
+    image: ghcr.io/object-object/hexbug:${IMAGE_VERSION}
     volumes:
       - type: bind
         source: /home/object/codedeploy

diff --git a/codedeploy/hooks/application-start.sh b/codedeploy/hooks/application-start.sh
@@ -3,8 +3,7 @@ set -euox pipefail
 
 cd /var/lib/codedeploy-apps/HexBug
 
-# shellcheck disable=SC1091
-source image_version
+docker login ghcr.io --username object-Object --password-stdin < /var/lib/codedeploy-apps/.cr_pat
 
 if ! docker compose up --detach --wait --wait-timeout 120 ; then
     docker compose logs

diff --git a/compose.yml b/compose.yml
@@ -5,5 +5,11 @@ services:
       - data:/app/bot/data
     environment:
       AWS_REGION: us-east-1
+    secrets:
+      - source: env
+        target: /app/bot/.env
 volumes:
   data:
+secrets:
+  env:
+    file: .env