我如何优化我的 gitlab-ci.yml 任何想法？

Question

我最近在 Gitlab 的项目中创建了一个标签后，我为自己创建了一个自动拉取的管道

但它有严重的安全问题，因为我在 Docker 镜像中使用 Echo 函数来导入我的私钥

和我的图像公钥

我的问题是

如何在变量中安全地从我的 Gitlab 配置文件中读取公钥和私钥？

## Author : RaminSubZero (0VERL0RD Corporation)

## PLEASE READ COMMENTS

## This CI Pulls Your Repository On Your Server With Some Statements

## This CI Triggers Only When You Make A Tag For Your Repo

## Start
image: trion/ng-cli-karma

## Setting Server Configuration For CI/CD Integration
## Config This Variables As You Need
## We Set This Stage Deploy 
deploy_stage:
  variables:
    SSH_PRIVATE_KEY_PATH : "/root/.ssh/id_rsa"
    SSH_PRIVATE_KEY : "-----BEGIN RSA PRIVATE KEY-----
    example
    -----END RSA PRIVATE KEY-----"
    SSH_PUBLIC_KEY : "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAexample3v3P RaminSub-Zero@PC"
    SERVER: "example.com"
    USER: "root"
    PORT: "22"
    PROJECT_DIR: "public_html/"
    BRANCH: "master"
  ## This Git Pre Commands Save Your Local Changes To Server For Allowing Save Your Custom Files In Server
  ## You Can Set This Variables Empty If You Want
  ## For Setting This Variables Empty Replace This Lines With This Code
  ## GIT_PRESAVE_COMMAND: ""
  ## GIT_POSTSAVE_COMMAND: ""
  ## Start Saving Variables
    GIT_PRESAVE_COMMAND: "&& git stash"
    GIT_POSTSAVE_COMMAND: "&& git stash apply"
  ## End Saving Variables
    CUSTOM_COMMAND: "" 
    CUSTOM_COMMAND2: ""
  ## You Can Run Any Command In Your Server You Want | For Example (CUSTOM_COMMAND: "&& systemctl restart nginx")
  ## Note : You Have To Use && First Of Your Command
  
  # Here We Set Rule For Trigger This CI Per Tag Release
  rules:
   - if: '$CI_COMMIT_TAG != null'
  stage: deploy
  script:
  - apt-get update
  - apt-get update -y && apt-get install openssh-client -y
  - mkdir /root/.ssh
  - chmod 777 /root/.ssh 
  - touch /root/.ssh/id_rsa /root/.ssh/id_rsa.pub
  - echo "$SSH_PRIVATE_KEY" > /root/.ssh/id_rsa ; echo "$SSH_PUBLIC_KEY" > /root/.ssh/id_rsa.pub
  - chmod 600 /root/.ssh/id_rsa.pub
  - chmod 600 /root/.ssh/id_rsa
  - ssh -o "StrictHostKeyChecking no" -i $SSH_PRIVATE_KEY_PATH $USER@$SERVER -p $PORT "cd $PROJECT_DIR $GIT_PRESAVE_COMMAND && git pull origin $BRANCH $GIT_POSTSAVE_COMMAND $CUSTOM_COMMAND $CUSTOM_COMMAND2 && exit"
## In The End We Exit From Server To Finish Our Updating Session

## End

Answer 1

您应该从.gitlab-ci.yml删除带有私钥的变量并通过 UI 添加它： https : .gitlab-ci.yml . 这样它就不会被提交到存储库中。

至于 CI 日志，您应该将script:下的所有内容移动到单独的 *.sh 文件中 - 这样每一行就不会在日志中单独显示。