canister-export-backup.yml
yaml
sha256:8915fe406161f95c1681f9469375e7bae5b28c884f00bedbdef65e4b0cd0738d
docs(flow): commit FLOW-V0-SPEC.md hygiene for 7A-INT merge
Human
20 hours ago
| 1 | # Scheduled HTTP logical export: one X-User-Id vault partition → JSON (not full ICP canister snapshots). |
| 2 | # Full canister backup: docs/ICP-CANISTER-SNAPSHOT-RUNBOOK.md + npm run canister:snapshot-backup (controller, dfx). |
| 3 | # Secrets: scripts/canister-export-backup.mjs + .env.example (canister backup env). |
| 4 | # |
| 5 | # Repository **Secrets** → `${{ secrets.* }}`. Repository **Variables** → `${{ vars.* }}` — they are not interchangeable. |
| 6 | # This workflow uses `secrets.X || vars.X` so either tab works. Prefer **Secrets** for USER_ID / encrypt key / AWS (less exposure in UI). |
| 7 | name: Scheduled HTTP vault export (operator) |
| 8 | |
| 9 | on: |
| 10 | schedule: |
| 11 | # 07:00 UTC daily — adjust cron if you prefer another window |
| 12 | - cron: '0 7 * * *' |
| 13 | workflow_dispatch: |
| 14 | |
| 15 | permissions: |
| 16 | contents: read |
| 17 | |
| 18 | jobs: |
| 19 | export: |
| 20 | runs-on: ubuntu-latest |
| 21 | steps: |
| 22 | - uses: actions/checkout@v4 |
| 23 | |
| 24 | - name: Install dependencies |
| 25 | run: npm ci |
| 26 | |
| 27 | # Missing secrets expand to empty env vars — the script only prints a generic exit 1. Fail here with an annotation. |
| 28 | - name: Verify required backup secret |
| 29 | env: |
| 30 | KNOWTATION_CANISTER_BACKUP_USER_ID: ${{ secrets.KNOWTATION_CANISTER_BACKUP_USER_ID || vars.KNOWTATION_CANISTER_BACKUP_USER_ID }} |
| 31 | run: | |
| 32 | if [ -z "$KNOWTATION_CANISTER_BACKUP_USER_ID" ]; then |
| 33 | echo "::error::KNOWTATION_CANISTER_BACKUP_USER_ID is unset. Under Settings - Secrets and variables - Actions, add Repository secrets or Repository variables with this exact name (Variables do not fill secrets.*; this workflow reads secrets or vars). See scripts/canister-export-backup.mjs header." |
| 34 | exit 1 |
| 35 | fi |
| 36 | echo "KNOWTATION_CANISTER_BACKUP_USER_ID is set (value not shown)." |
| 37 | |
| 38 | - name: Export canister vault(s) |
| 39 | env: |
| 40 | KNOWTATION_CANISTER_BACKUP_URL: ${{ secrets.KNOWTATION_CANISTER_BACKUP_URL || vars.KNOWTATION_CANISTER_BACKUP_URL }} |
| 41 | KNOWTATION_CANISTER_BACKUP_USER_ID: ${{ secrets.KNOWTATION_CANISTER_BACKUP_USER_ID || vars.KNOWTATION_CANISTER_BACKUP_USER_ID }} |
| 42 | KNOWTATION_CANISTER_BACKUP_VAULT_IDS: ${{ secrets.KNOWTATION_CANISTER_BACKUP_VAULT_IDS || vars.KNOWTATION_CANISTER_BACKUP_VAULT_IDS }} |
| 43 | KNOWTATION_CANISTER_BACKUP_ENCRYPT_KEY_HEX: ${{ secrets.KNOWTATION_CANISTER_BACKUP_ENCRYPT_KEY_HEX || vars.KNOWTATION_CANISTER_BACKUP_ENCRYPT_KEY_HEX }} |
| 44 | KNOWTATION_CANISTER_BACKUP_S3_BUCKET: ${{ secrets.KNOWTATION_CANISTER_BACKUP_S3_BUCKET || vars.KNOWTATION_CANISTER_BACKUP_S3_BUCKET }} |
| 45 | KNOWTATION_CANISTER_BACKUP_S3_PREFIX: ${{ secrets.KNOWTATION_CANISTER_BACKUP_S3_PREFIX || vars.KNOWTATION_CANISTER_BACKUP_S3_PREFIX }} |
| 46 | AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID || vars.AWS_ACCESS_KEY_ID }} |
| 47 | AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY || vars.AWS_SECRET_ACCESS_KEY }} |
| 48 | AWS_REGION: ${{ secrets.AWS_REGION || vars.AWS_REGION }} |
| 49 | run: node scripts/canister-export-backup.mjs |
| 50 | |
| 51 | - name: Upload backup artifacts |
| 52 | if: success() |
| 53 | uses: actions/upload-artifact@v4 |
| 54 | with: |
| 55 | name: canister-export-${{ github.run_id }} |
| 56 | path: backups/canister-export-* |
| 57 | retention-days: 90 |
| 58 | if-no-files-found: error |
File History
1 commit
sha256:8915fe406161f95c1681f9469375e7bae5b28c884f00bedbdef65e4b0cd0738d
docs(flow): commit FLOW-V0-SPEC.md hygiene for 7A-INT merge
Human
20 hours ago