Maxsibilla/actions node24

.github/scripts/update-security-group.mjs

@@ -0,0 +1,62 @@
+import {
+  EC2Client,
+  AuthorizeSecurityGroupIngressCommand,
+  RevokeSecurityGroupIngressCommand
+} from "@aws-sdk/client-ec2";
+
+const {
+  AWS_REGION,
+  SECURITY_GROUP_ID,
+  PORT,
+  RUNNER_IP,
+  MODE
+} = process.env;
+
+if (!AWS_REGION || !SECURITY_GROUP_ID || !PORT || !RUNNER_IP || !MODE) {
+  throw new Error("Missing required environment variables");
+}
+
+const cidr = `${RUNNER_IP}/32`;
+const port = Number(PORT);
+
+const client = new EC2Client({ region: AWS_REGION });
+
+const params = {
+  GroupId: SECURITY_GROUP_ID,
+  IpPermissions: [
+    {
+      IpProtocol: "tcp",
+      FromPort: port,
+      ToPort: port,
+      IpRanges: [
+        {
+          CidrIp: cidr,
+          Description: "GitHub Actions runner (temporary)"
+        }
+      ]
+    }
+  ]
+};
+
+try {
+  if (MODE === "authorize") {
+    console.log(`🔓 Authorizing ${cidr} on port ${port}`);
+    await client.send(new AuthorizeSecurityGroupIngressCommand(params));
+    console.log("✅ Runner IP added");
+  } else if (MODE === "revoke") {
+    console.log(`🔐 Revoking ${cidr} on port ${port}`);
+    await client.send(new RevokeSecurityGroupIngressCommand(params));
+    console.log("✅ Runner IP removed");
+  } else {
+    throw new Error(`Invalid MODE: ${MODE}`);
+  }
+} catch (error) {
+  if (error.name === "InvalidPermission.Duplicate") {
+    console.log("ℹ️ Rule already exists");
+  } else if (error.name === "InvalidPermission.NotFound") {
+    console.log("ℹ️ Rule already removed");
+  } else {
+    console.error("❌ AWS SG operation failed");
+    throw error;
+  }
+}

.github/workflows/build-and-deploy-dev.yml

@@ -10,13 +10,13 @@ permissions:
 
 jobs:
   build-and-push:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
@@ -48,15 +48,30 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-and-push
     steps:
-      - name: Whitelist GitHub Actions IP
-        uses: bbharathkumarreddy/aws-whitelist-ip@v1.0
-        with:
-          security-group-id: sg-0ddfcbe0a83a5266c
-          action: whitelist
-          port: 22
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Get GitHub runner public IP
+        id: runner_ip
+        run: |
+          IP=$(curl -s https://api.ipify.org)
+          echo "Runner IP: $IP"
+          echo "ip=$IP" >> $GITHUB_OUTPUT
+
+      - name: Install dependencies
+        run: npm install @aws-sdk/client-ec2
+
+      - name: Modify security group
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION:  us-east-1
+          SECURITY_GROUP_ID: sg-0ddfcbe0a83a5266c
+          PORT: 22
+          RUNNER_IP: ${{ steps.runner_ip.outputs.ip }}
+          MODE: authorize
+        run: node $GITHUB_WORKSPACE/.github/scripts/update-security-group.mjs
+
       - name: Deploy to Server via SSH
         uses: appleboy/ssh-action@v1
         with:
@@ -67,13 +82,15 @@ jobs:
           script: |
             # Change to codcc user on server
             sudo su - codcc -c "cd /opt/sennet/entity-api/docker/; git pull; docker pull sennet/entity-api-dev:latest; ./docker-development.sh down; ./docker-development.sh start;"
-      - name: Remove GitHub Actions IP
-        uses: bbharathkumarreddy/aws-whitelist-ip@v1.0
+
+      - name: Remove runner IP from security group
         if: always()
-        with:
-          security-group-id: sg-0ddfcbe0a83a5266c
-          action: remove
-          port: 22
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION:  us-east-1
+          SECURITY_GROUP_ID: sg-0ddfcbe0a83a5266c
+          PORT: 22
+          RUNNER_IP: ${{ steps.runner_ip.outputs.ip }}
+          MODE: revoke
+        run: node $GITHUB_WORKSPACE/.github/scripts/update-security-group.mjs