ai-workspace-lab/openclaw-multi-session-plugins
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8aaae6a8db
openclaw-multi-session-plugins/.github/workflows/deploy.yml
Haitao Pan 8aaae6a8db fix(ci): separate vault deploy secrets
2026-06-06 14:15:19 +08:00

260 lines
10 KiB
YAML
Raw Blame History

name: Deploy
env:
VAULT_ADDR: https://vault.svc.plus
on:
push:
tags:
- "[0-9]+.[0-9]+.[0-9]+"
- "v[0-9]+.[0-9]+.[0-9]+"
release:
types:
- published
workflow_run:
workflows:
- Publish
types:
- completed
workflow_dispatch:
inputs:
version:
description: "Plugin version to install (e.g. 2026.6.1). Leave blank to use the release tag."
required: false
default: ""
force:
description: "Reinstall even if the same version is already installed."
required: false
default: "false"
type: choice
options:
- "false"
- "true"
concurrency:
group: openclaw-deploy
cancel-in-progress: false
permissions:
contents: read
id-token: write
jobs:
install-on-host:
name: Update plugin on ubuntu@openclaw.svc.plus
runs-on: ubuntu-latest
if: github.event_name != 'workflow_run' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'release')
env:
SSH_HOST: ubuntu@openclaw.svc.plus
PLUGIN_NAME: openclaw-multi-session-plugins
steps:
- name: Checkout published source
if: github.event_name == 'workflow_run'
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
with:
ref: ${{ github.event.workflow_run.head_sha }}
- name: Load Vault secrets
id: vault
uses: hashicorp/vault-action@v2
with:
url: ${{ env.VAULT_ADDR }}
method: jwt
role: github-actions-openclaw-multi-session-plugins
jwtGithubAudience: vault
secrets: |
kv/data/github-actions/openclaw-multi-session-plugins OPENCLAW_SSH_KEY | OPENCLAW_SSH_KEY ;
kv/data/github-actions/openclaw-multi-session-plugins OPENCLAW_SSH_KEY_B64 | OPENCLAW_SSH_KEY_B64 ;
kv/data/github-actions/openclaw-multi-session-plugins SINGLE_NODE_VPS_SSH_PRIVATE_KEY | SINGLE_NODE_VPS_SSH_PRIVATE_KEY ;
kv/data/github-actions/openclaw-multi-session-plugins SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64 | SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64
- name: Resolve target version
id: version
run: |
set -euo pipefail
if [ -n "${{ inputs.version }}" ]; then
value="${{ inputs.version }}"
elif [ "${{ github.event_name }}" = "workflow_run" ]; then
if [ ! -f package.json ]; then
echo "::error::package.json not found after checking out workflow_run source"
exit 1
fi
value="$(node -p "require('./package.json').version")"
else
ref="${GITHUB_REF_NAME:-}"
value="${ref}"
fi
value="${value##*/}"
value="${value#v}"
if ! [[ "${value}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "::error::Resolved value '${value}' is not a valid X.Y.Z version"
exit 1
fi
if [ -z "${value}" ]; then
echo "::error::Could not resolve plugin version from inputs or GITHUB_REF_NAME"
exit 1
fi
echo "value=${value}" >> "$GITHUB_OUTPUT"
echo "Resolved plugin version: ${value}"
- name: Resolve install source
id: install
env:
VERSION: ${{ steps.version.outputs.value }}
run: |
set -euo pipefail
PACKAGE="${PLUGIN_NAME}@${VERSION}"
if npm view "${PACKAGE}" version >/dev/null 2>&1; then
PUBLISHED="$(npm view "${PACKAGE}" version)"
echo "::notice::${PLUGIN_NAME}@${PUBLISHED} is available on npm"
echo "source=npm" >> "$GITHUB_OUTPUT"
echo "install_spec=${PACKAGE}" >> "$GITHUB_OUTPUT"
else
if [ "${{ github.event_name }}" = "workflow_run" ]; then
ref="${{ github.event.workflow_run.head_sha }}"
else
ref="${GITHUB_REF_NAME:-release/v${VERSION}}"
fi
install_spec="git+${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git#${ref}"
echo "::warning::${PACKAGE} is not published to npm yet; installing from ${install_spec}"
echo "source=github" >> "$GITHUB_OUTPUT"
echo "install_spec=${install_spec}" >> "$GITHUB_OUTPUT"
fi
- name: Configure SSH key
env:
OPENCLAW_SSH_KEY: ${{ steps.vault.outputs.OPENCLAW_SSH_KEY }}
OPENCLAW_SSH_KEY_B64: ${{ steps.vault.outputs.OPENCLAW_SSH_KEY_B64 }}
SINGLE_NODE_VPS_SSH_PRIVATE_KEY: ${{ steps.vault.outputs.SINGLE_NODE_VPS_SSH_PRIVATE_KEY }}
SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64: ${{ steps.vault.outputs.SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64 }}
run: |
set -euo pipefail
SSH_KEY=""
if [ -n "${OPENCLAW_SSH_KEY_B64:-}" ]; then
SSH_KEY="$(printf '%s' "${OPENCLAW_SSH_KEY_B64}" | base64 -d)"
elif [ -n "${OPENCLAW_SSH_KEY:-}" ]; then
SSH_KEY="${OPENCLAW_SSH_KEY}"
fi
if [ -z "${SSH_KEY}" ] && [ -n "${SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64:-}" ]; then
SSH_KEY="$(printf '%s' "${SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64}" | base64 -d)"
elif [ -z "${SSH_KEY}" ] && [ -n "${SINGLE_NODE_VPS_SSH_PRIVATE_KEY:-}" ]; then
SSH_KEY="${SINGLE_NODE_VPS_SSH_PRIVATE_KEY}"
fi
if [ -z "${SSH_KEY}" ]; then
echo "::error::Neither OPENCLAW_SSH_KEY nor SINGLE_NODE_VPS_SSH_PRIVATE_KEY is set."
exit 1
fi
install -m 700 -d ~/.ssh
printf '%s\n' "${SSH_KEY}" > ~/.ssh/openclaw_ed25519
chmod 600 ~/.ssh/openclaw_ed25519
ssh-keyscan -H openclaw.svc.plus >> ~/.ssh/known_hosts 2>/dev/null || true
- name: Verify SSH connectivity
run: |
ssh -i ~/.ssh/openclaw_ed25519 -o BatchMode=yes -o ConnectTimeout=10 \
"${SSH_HOST}" 'echo "connected to $(hostname) as $(whoami)"'
- name: Install or update plugin on remote host
env:
VERSION: ${{ steps.version.outputs.value }}
INSTALL_SPEC: ${{ steps.install.outputs.install_spec }}
INSTALL_SOURCE: ${{ steps.install.outputs.source }}
FORCE: ${{ inputs.force || 'false' }}
run: |
ssh -i ~/.ssh/openclaw_ed25519 -o BatchMode=yes -o ServerAliveInterval=30 \
"${SSH_HOST}" bash -s -- "${PLUGIN_NAME}" "${VERSION}" "${INSTALL_SPEC}" "${INSTALL_SOURCE}" "${FORCE}" <<'REMOTE'
set -euo pipefail
PLUGIN_NAME="$1"
VERSION="$2"
INSTALL_SPEC="$3"
INSTALL_SOURCE="$4"
FORCE="$5"
PACKAGE="${PLUGIN_NAME}@${VERSION}"
STATE_DIR="/tmp/openclaw-deploy"
mkdir -p "${STATE_DIR}"
echo "==> Installing ${PACKAGE} from ${INSTALL_SOURCE} on $(hostname) (force=${FORCE})"
echo "==> Install spec: ${INSTALL_SPEC}"
# Record the previously installed version for rollback.
PREVIOUS_VERSION=""
if command -v openclaw >/dev/null 2>&1; then
PREVIOUS_VERSION="$(npm ls -g "${PLUGIN_NAME}" --depth=0 2>/dev/null \
| awk -F'[@:]' '/'"${PLUGIN_NAME}"'@/ {print $2; exit}' || true)"
fi
echo "==> Previously installed version: ${PREVIOUS_VERSION:-<none>}"
# Skip when the requested version is already present unless forced.
if [ "${FORCE}" != "true" ] && [ "${PREVIOUS_VERSION}" = "${VERSION}" ]; then
echo "==> ${PACKAGE} already installed and force=false; nothing to do"
exit 0
fi
printf '%s\n' "${PREVIOUS_VERSION}" > "${STATE_DIR}/previous-version"
rollback() {
local rc=$?
echo "::remote-error::Install failed (exit ${rc}); attempting rollback"
local prev
prev="$(cat "${STATE_DIR}/previous-version" 2>/dev/null || true)"
if [ -n "${prev}" ] && [ "${prev}" != "${VERSION}" ]; then
echo "::remote-warning::Reinstalling ${PLUGIN_NAME}@${prev}"
npm install -g "${PLUGIN_NAME}@${prev}" || true
if command -v openclaw >/dev/null 2>&1; then
openclaw plugins enable "${PLUGIN_NAME}" || true
fi
else
echo "::remote-warning::No previous version recorded; leaving host as-is"
fi
exit "${rc}"
}
trap rollback ERR
install_plugin() {
if command -v openclaw >/dev/null 2>&1; then
openclaw plugins install "${INSTALL_SPEC}" \
|| openclaw plugins update "${INSTALL_SPEC}" \
|| npm install -g "${INSTALL_SPEC}"
else
npm install -g "${INSTALL_SPEC}"
fi
}
install_plugin
if command -v openclaw >/dev/null 2>&1; then
openclaw plugins enable "${PLUGIN_NAME}" || true
fi
# Verify the installed version matches the requested version.
INSTALLED="$(npm ls -g "${PLUGIN_NAME}" --depth=0 2>/dev/null \
| awk -F'[@:]' '/'"${PLUGIN_NAME}"'@/ {print $2; exit}' || true)"
if [ "${INSTALLED}" != "${VERSION}" ]; then
echo "::remote-error::Verification failed: expected ${VERSION}, found ${INSTALLED:-<none>}"
exit 1
fi
trap - ERR
rm -f "${STATE_DIR}/previous-version"
echo "==> Installed plugin state:"
if command -v openclaw >/dev/null 2>&1; then
openclaw plugins info "${PLUGIN_NAME}" || true
fi
npm ls -g "${PLUGIN_NAME}" || true
echo "==> ${PACKAGE} is now active on $(hostname)"
REMOTE
- name: Summarize deploy
if: always()
env:
VERSION: ${{ steps.version.outputs.value }}
run: |
if [ "${{ job.status }}" = "success" ]; then
echo "::notice::openclaw-multi-session-plugins@${VERSION} deployed to ubuntu@openclaw.svc.plus"
else
echo "::error::Deploy to ubuntu@openclaw.svc.plus failed for openclaw-multi-session-plugins@${VERSION}"
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink