titaniumtown/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

deploy guard: fix actions
Some checks failed
Build and Deploy / mreow (push) Successful in 2m8s
Details
Build and Deploy / yarn (push) Successful in 1m2s
Details
Build and Deploy / muffin (push) Failing after 27s
Details

Browse Source
This commit is contained in:
Simon Gardling
2026-04-22 01:18:09 -04:00
parent aef99e7365
commit b0b4bcb0b3
4 changed files with 37 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
deploy.sh
View File

@@ -6,8 +6,8 @@
# ./deploy.sh switch # apply immediately on current host
# ./deploy.sh test # apply without adding boot entry
# ./deploy.sh build # build only, no activation
# ./deploy.sh muffin # build + deploy to muffin via deploy-rs
# ./deploy.sh muffin --force # bypass the deploy guard (active-user check)
# ./deploy.sh muffin # preflight deploy guard + deploy-rs to muffin
# ./deploy.sh muffin --force # skip the preflight deploy guard
#
# muffin cannot be rebuilt locally from another host — this script only issues
# the remote deploy via deploy-rs when explicitly named.
@@ -28,27 +28,26 @@ case "$arg" in
if [ "${1:-}" = "--force" ]; then force=1; shift; fi
if [ "$force" = "1" ]; then
echo "deploy-guard: bypass requested; setting remote marker"
ssh -o BatchMode=yes -o ConnectTimeout=3 root@server-public \
'touch /run/deploy-guard-bypass' \
|| echo "deploy-guard: warning: could not write remote bypass marker" >&2
echo "deploy-guard: preflight skipped (--force)"
else
# Single SSH probe — if exit 255 it's a connectivity failure (skip
# preflight; the activation-time guard still enforces). Any other
# non-zero is the guard blocking the deploy.
# Single SSH probe. Exit 255 is a connectivity failure; treat as a hard
# abort — without the preflight there is no other gate that prevents
# deploy-rs from partially activating while users are online.
output=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
root@server-public deploy-guard-check 2>&1) && rc=0 || rc=$?
if [ "$rc" -eq 255 ]; then
echo "deploy-guard: muffin unreachable for preflight;" \
"activation will still enforce" >&2
elif [ "$rc" -ne 0 ]; then
if [ "$rc" -eq 0 ]; then
[ -n "$output" ] && printf '%s\n' "$output"
elif [ "$rc" -eq 255 ]; then
echo "deploy-guard: preflight SSH failed (rc=255)." >&2
printf '%s\n' "$output" >&2
echo "Re-run with --force once you've confirmed the host is idle." >&2
exit 1
else
printf '%s\n' "$output"
echo >&2
echo "Blocked by deploy guard. Bypass: ./deploy.sh muffin --force" >&2
exit 1
elif [ -n "$output" ]; then
printf '%s\n' "$output"
fi
fi