Add reusable workflow for setting up SSH agent

.github/actions/ssh/action.yml

@@ -0,0 +1,42 @@
+name: SSH setup
+description: Set up the SSH agent
+
+inputs:
+  config:
+    description: The SSH configuration
+    required: true
+  key:
+    description: The private SSH key
+    required: true
+  known-hosts:
+    description: The list of known hosts
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Configure SSH
+      shell: sh
+      env:
+        CONFIG: ${{ inputs.config }}
+        KNOWN_HOSTS: ${{ inputs.known-hosts }}
+      run: |
+        mkdir -p ~/.ssh
+        echo "${CONFIG}" > ~/.ssh/config
+        echo "${KNOWN_HOSTS}" > ~/.ssh/known_hosts
+
+    - name: Start SSH agent
+      shell: bash
+      env:
+        SOCKET: /tmp/ssh-agent.sock
+      run: |
+        echo "SSH_AUTH_SOCK=${SOCKET}" >> $GITHUB_ENV
+        ssh-agent -a ${SOCKET} > /dev/null
+
+    - name: Add SSH key
+      shell: bash
+      env:
+        KEY: ${{ inputs.key }}
+      run: |
+        ssh-add - <<< "${KEY}"

.github/workflows/stage.yml

@@ -1,10 +1,6 @@
 name: Deploy (Staging)
 
-on:
-  workflow_dispatch
-
-env:
-  SSH_AUTH_SOCK: /tmp/ssh-agent.sock
+on: workflow_dispatch
 
 jobs:
   stage:
@@ -17,6 +13,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Set up SSH agent
+        uses: ./.github/actions/ssh
+        with:
+          config: ${{ vars.SSH_CONFIG }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          known-hosts: ${{ vars.SSH_KNOWN_HOSTS }}
+
       - name: Set up Java
         uses: actions/setup-java@v4
         with:
@@ -29,22 +32,17 @@ jobs:
       - name: Build with Gradle
         run: ./gradlew installDist
 
-      - name: Set up SSH agent
-        run: |
-          ssh-agent -a $SSH_AUTH_SOCK > /dev/null
-          ssh-add - <<< "${{ secrets.SSH_PRIVATE_KEY }}"
-          mkdir -p ~/.ssh
-          echo '${{ vars.SSH_CONFIG }}' > ~/.ssh/config
-          echo '${{ vars.KNOWN_HOSTS }}' > ~/.ssh/known_hosts
-
       - name: Publish to staging server
         run: |
-          rsync build/install/helma/ antville.dev:/ \
+          rsync ./build/install/helma/ antville.dev:./ \
             --verbose --archive --delete --compress \
-            --filter 'protect /lib/ext' \
+            --filter '+ /bin' \
+            --filter '+ /extras' \
             --filter '+ /launcher.jar' \
+            --filter '- /lib/ext' \
             --filter '+ /lib' \
-            --filter '- /*' \
+            --filter '+ /modules' \
+            --filter '- /*'
 
       - name: Restart Helma
         run: ssh antville.dev restart

src/dist/extras/deploy.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+
+# Use this script as forced command of an authorized SSH key:
+# command="/home/helma/extras/deploy.sh" ssh-ed25519 AAAAC3NzaC…
+
+case "$SSH_ORIGINAL_COMMAND" in
+  ping)
+    echo pong
+    ;;
+
+  deploy-helma)
+    rsync ./ p3k.org:./ \
+      --archive --compress --delete --verbose \
+      --filter '+ /bin' \
+      --filter '+ /extras' \
+      --filter '+ /launcher.jar' \
+      --filter '- /lib/ext' \
+      --filter '+ /lib' \
+      --filter '+ /modules' \
+      --filter '- /*'
+    ;;
+
+  deploy-antville)
+    rsync ./apps/antville/ p3k.org:./apps/antville/ \
+      --archive --compress --delete --verbose \
+      --filter '+ /claustra' \
+      --filter '+ /code' \
+      --filter '+ /compat' \
+      --filter '+ /i18n' \
+      --filter '+ /lib' \
+      --filter '- /*'
+    rsync ./apps/antville/static/helma/ p3k.org:/var/www/weblogs.at/ \
+      --archive --compress --verbose \
+      --filter '+ /fonts' \
+      --filter '+ /formica.html' \
+      --filter '+ /img' \
+      --filter '+ /scripts' \
+      --filter '+ /styles' \
+      --filter '- /*'
+    ;;
+
+  restart)
+    printf 'Restarting Helma… '
+    sudo /bin/systemctl restart helma
+    printf '%s\n' 'done.'
+    ;;
+
+  *)
+    # Allow any rsync command but restrict it to the installation directory
+    rrsync -wo /home/helma
+    ;;
+esac