I have a GitHub workflow that runs whenever a branch is merged to main:

jobs:
  deploy:
    name: Deploy to Production
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: SSH into server and deploy
        # "@master" is a floating ref; pin third-party actions to a release tag or commit SHA
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USERNAME }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          script: |
            cd /var/www/html
            # remember the commit currently deployed: after "git pull" HEAD is
            # already github.sha, so diffing github.sha against HEAD is always empty
            PREV=$(git rev-parse HEAD)
            git reset --hard
            git fetch --all
            git pull
            if [ -n "$(git diff --name-only "$PREV" HEAD -- .docker docker-compose.yml)" ]; then
              docker-compose down
              docker-compose build
              docker-compose up -d
            fi

            docker exec ${{ secrets.CONTAINER_NAME }} composer install --no-dev
            docker exec ${{ secrets.CONTAINER_NAME }} php artisan migrate --force

The SSH_USERNAME is github_user. I keep getting this error when the run happens on the server:

err: bash: line 1: cd: /var/www/html: Permission denied

My permissions on that folder are 750, and the owner is www-data:www-data.

I have added github_user to the www-data group, but I'm not sure what else I should do to have it be able to do all the steps I've listed.

What am I missing?

Bird87 ZA

1 Answer

I have added github_user to the www-data group

If you are still getting Permission denied when running cd /var/www/html then there is something strange going on, possibly SELinux combined with a restricted user account for github_user. If SELinux is running here, check the audit logs.

It's more likely that you are still getting Permission denied, but when you start trying to write files with git: this account has no permissions to write to the tree. Try chmod -R 0770.

However:

  1. It is VERY bad practice to make your web content editable by the webserver user unless this is a hard requirement of the software you are using (e.g. WordPress). But even in such a case, write permissions should be selectively granted. A much better solution would be to chown -R github_user:www-data /var/www/html ; chmod -R 0750 /var/www/html

  2. It is bad practice to make your production server a git node.

symcbean
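A diagnostic for the situation in this thread, added here as an example; it is not code from the question or the answer. It reproduces the check the kernel applies when "cd /var/www/html" runs: every directory component from / down must grant the search (execute) bit to the calling user, via the owner class if the user owns it, otherwise the group class if one of the user's groups matches, otherwise the other class. It reports the first component that denies the deploy user, using the group list a fresh login would get (id -nG), which is what a new SSH session sees after the user was added to www-data. It assumes a Linux host with GNU coreutils (stat -c) and the names from the thread (github_user, /var/www/html), both overridable from the environment; the root/CAP_DAC_READ_SEARCH bypass is deliberately not modelled.

```shell
#!/bin/sh
# Added example, not from the question or the answer: reproduce the permission
# check that "cd /var/www/html" performs, component by component, for the
# deploy user. Assumes Linux with GNU coreutils (stat -c) and the names used
# in the thread; override DEPLOY_USER and DEPLOY_DIR in the environment.
set -u

DEPLOY_USER="${DEPLOY_USER:-github_user}"
DEPLOY_DIR="${DEPLOY_DIR:-/var/www/html}"

# has_search_bit MODE CLASS: true if the execute/search bit is set for CLASS
# (u, g or o) in an octal MODE such as 750, 0750 or 2750 (setgid prefix).
has_search_bit() {
  digits=$1
  while [ ${#digits} -lt 3 ]; do digits="0$digits"; done
  digits=${digits#"${digits%???}"}        # keep the last three octal digits
  case "$2" in
    u) d=${digits%??} ;;
    g) d=${digits#?}; d=${d%?} ;;
    o) d=${digits#??} ;;
    *) return 2 ;;
  esac
  [ $((d & 1)) -eq 1 ]
}

# can_search OWNER GROUP MODE USER GROUPS: apply the DAC rule for directory
# search: the owner class if USER owns it, else the group class if GROUP is
# among USER's space-separated GROUPS, else the other class. Root's
# CAP_DAC_READ_SEARCH bypass is deliberately not modelled.
can_search() {
  owner=$1; group=$2; mode=$3; user=$4; groups=$5
  if [ "$user" = "$owner" ]; then
    has_search_bit "$mode" u
  elif printf '%s\n' $groups | grep -qxF "$group"; then
    has_search_bit "$mode" g
  else
    has_search_bit "$mode" o
  fi
}

# explain_path USER DIR: walk from / down to DIR, print owner:group and mode
# for each component and stop at the first one USER cannot search. Group
# membership comes from id(1), i.e. what a new login session would get.
# Returns 0 when the whole path is searchable, 1 otherwise, 2 if USER is unknown.
explain_path() {
  user=$1; target=$2
  groups=$(id -nG "$user" 2>/dev/null) || { echo "no such user: $user"; return 2; }
  rest=${target#/}; path=""
  while [ -n "$rest" ]; do
    part=${rest%%/*}
    case "$rest" in */*) rest=${rest#*/} ;; *) rest="" ;; esac
    [ -n "$part" ] || continue
    path="$path/$part"
    info=$(stat -c '%U %G %a' "$path" 2>/dev/null) || { echo "$path: cannot stat"; return 1; }
    set -- $info
    if can_search "$1" "$2" "$3" "$user" "$groups"; then
      printf '%-32s %s:%s %s ok\n' "$path" "$1" "$2" "$3"
    else
      printf '%-32s %s:%s %s DENIED for %s\n' "$path" "$1" "$2" "$3" "$user"
      return 1
    fi
  done
  return 0
}

# On an SELinux host the DAC bits above are not the whole story; point at the AVC log.
selinux_hint() {
  if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" = Enforcing ]; then
    echo "SELinux is enforcing: check 'ausearch -m avc -ts recent' as well"
  fi
}

# Run the diagnosis when the deploy user exists on this host.
if id "$DEPLOY_USER" >/dev/null 2>&1; then
  explain_path "$DEPLOY_USER" "$DEPLOY_DIR"
  selinux_hint
fi
```

Run it on the server as any user that can stat the path (sh check_deploy_path.sh). The first DENIED line names the component to fix; a common case is a parent such as /var/www being 700 while /var/www/html itself is 750 www-data:www-data, which a www-data group member can search but never reaches. If every component is ok and the workflow still fails, the remaining suspects are the ones the answer lists: SELinux, or a later write step failing once git starts modifying the tree.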