This GitHub Action opens a port in a Hetzner Cloud firewall for a specific IP address or range and closes it again afterwards. This lets the current GitHub runner reach "internal" resources behind that firewall.
By default the opened port is closed automatically in a post step that runs after the job's main steps have finished.
Rules are uniquely named "Doorkeeper Rule - Repository REPOSITORY - Workflow: WORKFLOW/RUN_NUMBER/RUN_ATTEMPT" so that existing rules are not disturbed and multiple workflows (or several runs of the same workflow) can run simultaneously; the post step only removes the rule carrying its own name.
- Requires a GitHub runner with Docker capabilities
- A valid hcloud token and an existing hcloud firewall are required
- If the IP address is to be determined dynamically, the runner must be able to reach ifconfig.me
Input | Required | Default | Description |
---|---|---|---|
hcloud_token | True | | Hetzner Cloud token to access the Firewall |
firewall_name | True | | Name of firewall to configure |
ip | False | current runner IP* | Which IP(range) to allow access; in CIDR notation |
port | False | 22 | Port to open |
protocol | False | tcp | Protocol for the above port. Either tcp or udp |
autoclean | False | True | Automatically clean up the opened port after the workflow finishes |

*) as determined by a call to http://ifconfig.me/ip
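As an added illustration (example code written for this page, not the action's own scripts or any code of the project), the following POSIX shell script shows the checks a doorkeeper-style script should run before it touches the firewall: building the unique rule name from the workflow context, checking that the `ip` input is a well-formed IPv4 CIDR, turning the bare address that ifconfig.me returns into a /32, refusing `0.0.0.0/0` (which would expose the port to everyone and defeat the purpose of the firewall), and validating port and protocol. The `hcloud firewall add-rule` call with `--direction`, `--protocol`, `--port`, `--source-ips` and `--description` is only printed, never executed, so the script runs offline; the firewall name, addresses and workflow values are constructed sample inputs, and IPv6 is deliberately not handled.

```sh
#!/usr/bin/env sh
# Added example, not the action's own scripts: input validation and rule naming
# a doorkeeper script should perform before calling the hcloud CLI.
# The hcloud command is only printed, never executed, so this runs offline.

# Build the unique rule name described in the README from the GitHub workflow
# context: repository, workflow name, run number and run attempt.
doorkeeper_rule_name() {
  printf 'Doorkeeper Rule - Repository %s - Workflow: %s/%s/%s\n' "$1" "$2" "$3" "$4"
}

# Accept "a.b.c.d" or "a.b.c.d/n" (IPv4 only). Anything else returns 1, so a
# garbled or malicious ifconfig.me reply never reaches the hcloud command line.
validate_cidr() {
  input=$1
  case "$input" in
    */*) addr=${input%/*}; mask=${input#*/} ;;
    *)   addr=$input; mask=32 ;;
  esac
  case "$mask" in ''|*[!0-9]*) return 1 ;; esac
  [ "$mask" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# A bare address (what ifconfig.me returns) becomes a single-host /32 rule.
normalize_cidr() {
  case "$1" in
    */*) printf '%s\n' "$1" ;;
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# Refuse 0.0.0.0/0: that would open the port to the whole Internet.
refuse_world_open() {
  case "$1" in 0.0.0.0/0) return 1 ;; *) return 0 ;; esac
}

validate_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

validate_protocol() {
  case "$1" in tcp|udp) return 0 ;; *) return 1 ;; esac
}

# Assemble the `hcloud firewall add-rule` call. It is returned as a string (not
# run) so it can be inspected; a real script would execute it with the token set.
build_add_rule_cmd() {
  fw=$1; cidr=$2; port=$3; proto=$4; name=$5
  validate_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
  cidr=$(normalize_cidr "$cidr")
  refuse_world_open "$cidr" || { echo "refusing to open $port/$proto to 0.0.0.0/0" >&2; return 1; }
  validate_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  validate_protocol "$proto" || { echo "invalid protocol: $proto" >&2; return 1; }
  printf 'hcloud firewall add-rule %s --direction in --protocol %s --port %s --source-ips %s --description "%s"\n' \
    "$fw" "$proto" "$port" "$cidr" "$name"
}

# Stand-alone demo with constructed values mirroring the README's examples.
demo_name=$(doorkeeper_rule_name "5nafu/example" "Example" 42 1)
build_add_rule_cmd MyFirewall 10.1.0.0/16 1234 tcp "$demo_name"
build_add_rule_cmd MyFirewall 203.0.113.7 443 tcp "$demo_name"     # bare IP becomes /32
build_add_rule_cmd MyFirewall 0.0.0.0/0 22 tcp "$demo_name" || echo "rejected, as intended" >&2
```

The same validation applies to the post step: the delete call (`hcloud firewall delete-rule` takes the same rule flags) should be built from the identical, already-validated values and the identical rule name, otherwise the cleanup silently misses the rule and the port stays open after the workflow ends.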
Open port 1234/tcp for a fixed address range and leave the rule in place after the job (autoclean disabled):

```yaml
name: Example
on:
  push:
    branches: [ master ]
jobs:
  myjob:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: 5nafu/hcloud-doorkeeper-action@v1
        with:
          hcloud_token: ${{ secrets.hcloud_token }}
          firewall_name: MyFirewall
          ip: 10.1.0.0/16
          port: 1234
          protocol: tcp
          autoclean: false
      # Your own steps... for example
      - run: sleep 30s
        shell: bash
```
Open port 443/tcp for the runner's own public IP (determined via ifconfig.me) and close it automatically when the job finishes:

```yaml
name: Example
on:
  push:
    branches: [ master ]
jobs:
  myjob:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: 5nafu/hcloud-doorkeeper-action@v1
        with:
          hcloud_token: ${{ secrets.hcloud_token }}
          firewall_name: MyFirewall
          port: 443
          protocol: tcp
      # Your own steps... for example
      - run: sleep 30s
        shell: bash
```
To build and test the action locally you need:
- a copy of this source code
- a running Docker daemon
- a Hetzner Cloud account with an API token (read/write!) and an (empty) firewall
The main and post action scripts live in the scripts directory. The install.sh script in the same directory installs wget, the hcloud CLI and the post script into the container image; other internals of the image can be changed in the Dockerfile.
Consult action.yml to modify input variables or other metadata and control information.
You can then build the image with

```sh
# From the git root directory
$ docker build -t hcloud-doorkeeper .
```
- Update the env.example file to your needs. ⚠️ To prevent accidental token leakage, the API token should not be added to the environment file but be declared on the command line (`--env HCLOUD_TOKEN` without a value makes Docker take it from your shell environment, which keeps the token out of your shell history).
- Run the main action to create a firewall rule:

  ```sh
  docker run --rm -it --env-file env.example --env HCLOUD_TOKEN=YOURTOKEN hcloud-doorkeeper
  ```

- Run the post action to delete the rule:

  ```sh
  docker run --rm -it --env-file env.example --env HCLOUD_TOKEN=YOURTOKEN --entrypoint delete.sh hcloud-doorkeeper
  ```

- To start an interactive shell, use

  ```sh
  docker run --rm -it --entrypoint bash hcloud-doorkeeper
  ```