canister-export-backup.yml yaml
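# Scheduled HTTP logical export: one X-User-Id vault partition → JSON (not full ICP canister snapshots).
# Full canister backup: docs/ICP-CANISTER-SNAPSHOT-RUNBOOK.md + npm run canister:snapshot-backup (controller, dfx).
# Secrets: scripts/canister-export-backup.mjs + .env.example (canister backup env).
#
# Repository **Secrets** → `${{ secrets.* }}`. Repository **Variables** → `${{ vars.* }}` — they are not interchangeable.
# This workflow uses `secrets.X || vars.X` so either tab works. Prefer **Secrets** for USER_ID / encrypt key / AWS (less exposure in UI).
#
# Security notes for operators:
# - A value that arrives through `vars.*` is not masked in job logs and is shown in clear text in the
#   repository settings UI. KNOWTATION_CANISTER_BACKUP_ENCRYPT_KEY_HEX and AWS_SECRET_ACCESS_KEY should
#   therefore only ever be stored as Secrets, even though the fallback below would accept a Variable.
# - The export is also uploaded as a workflow artifact (see the last step), which has a different
#   audience than the S3 bucket: anyone with read access to the repository can download it.
name: Scheduled HTTP vault export (operator)

on:
  schedule:
    # 07:00 UTC daily — adjust cron if you prefer another window
    - cron: '0 7 * * *'
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the job only reads the repository.
permissions:
  contents: read

jobs:
  export:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are referenced by mutable tag (@v4). For a job that handles the vault
      # encryption key and AWS credentials, consider pinning each `uses:` to a full commit SHA.
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config: the following steps run `npm ci` (third-party
          # install scripts) and nothing visible in this workflow needs to fetch or push afterwards.
          persist-credentials: false

      - name: Install dependencies
        run: npm ci

      # Missing secrets expand to empty env vars — the script only prints a generic exit 1. Fail here with an annotation.
      # Only USER_ID is checked; the other values are passed through to the script unchecked.
      - name: Verify required backup secret
        env:
          KNOWTATION_CANISTER_BACKUP_USER_ID: ${{ secrets.KNOWTATION_CANISTER_BACKUP_USER_ID || vars.KNOWTATION_CANISTER_BACKUP_USER_ID }}
        run: |
          if [ -z "$KNOWTATION_CANISTER_BACKUP_USER_ID" ]; then
            echo "::error::KNOWTATION_CANISTER_BACKUP_USER_ID is unset. Under Settings - Secrets and variables - Actions, add Repository secrets or Repository variables with this exact name (Variables do not fill secrets.*; this workflow reads secrets or vars). See scripts/canister-export-backup.mjs header."
            exit 1
          fi
          echo "KNOWTATION_CANISTER_BACKUP_USER_ID is set (value not shown)."

      # Credentials are scoped to this step's env only; earlier steps (including `npm ci`) never see them.
      # NOTE(review): the AWS key pair is a long-lived static credential. GitHub OIDC with a short-lived
      # assumed role would remove it from the repository settings — that needs `id-token: write` and
      # AWS-side trust configuration that this file does not show.
      - name: Export canister vault(s)
        env:
          KNOWTATION_CANISTER_BACKUP_URL: ${{ secrets.KNOWTATION_CANISTER_BACKUP_URL || vars.KNOWTATION_CANISTER_BACKUP_URL }}
          KNOWTATION_CANISTER_BACKUP_USER_ID: ${{ secrets.KNOWTATION_CANISTER_BACKUP_USER_ID || vars.KNOWTATION_CANISTER_BACKUP_USER_ID }}
          KNOWTATION_CANISTER_BACKUP_VAULT_IDS: ${{ secrets.KNOWTATION_CANISTER_BACKUP_VAULT_IDS || vars.KNOWTATION_CANISTER_BACKUP_VAULT_IDS }}
          KNOWTATION_CANISTER_BACKUP_ENCRYPT_KEY_HEX: ${{ secrets.KNOWTATION_CANISTER_BACKUP_ENCRYPT_KEY_HEX || vars.KNOWTATION_CANISTER_BACKUP_ENCRYPT_KEY_HEX }}
          KNOWTATION_CANISTER_BACKUP_S3_BUCKET: ${{ secrets.KNOWTATION_CANISTER_BACKUP_S3_BUCKET || vars.KNOWTATION_CANISTER_BACKUP_S3_BUCKET }}
          KNOWTATION_CANISTER_BACKUP_S3_PREFIX: ${{ secrets.KNOWTATION_CANISTER_BACKUP_S3_PREFIX || vars.KNOWTATION_CANISTER_BACKUP_S3_PREFIX }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID || vars.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY || vars.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION || vars.AWS_REGION }}
        run: node scripts/canister-export-backup.mjs

      # Everything matching backups/canister-export-* is kept as a workflow artifact for 90 days.
      # NOTE(review): presumably the export is plaintext JSON when KNOWTATION_CANISTER_BACKUP_ENCRYPT_KEY_HEX
      # is empty — confirm in scripts/canister-export-backup.mjs. If so, an unset key puts readable vault
      # contents in an artifact that every repository reader can download.
      - name: Upload backup artifacts
        if: success()
        uses: actions/upload-artifact@v4
        with:
          name: canister-export-${{ github.run_id }}
          path: backups/canister-export-*
          retention-days: 90
          if-no-files-found: error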