bd808 added a comment.
In T399485#11007690 <https://phabricator.wikimedia.org/T399485#11007690>, @Xqt wrote:

> Proxy usage sounds promising. Its usage is already available through requests package:
>
> - https://www.mediawiki.org/wiki/Manual:Pywikibot/Installation
> - https://requests.readthedocs.io/en/latest/user/advanced/#proxies

Nice. The steps to test this out then are probably something like:

[ ] @xqt makes a Developer account specifically to act as the credential holder that can build an ssh SOCKS5 tunnel from GitHub Actions to bastion.wmcloud.org.
[ ] @xqt adds an ssh public key to that new Developer account and keeps track of the associated public key for the GitHub Actions configuration.
[ ] @xqt asks @bd808 to make the new Developer account a member of the bastion project so it can ssh in.
[ ] @bd808 does the needful
[ ] @xqt figures out how to add config to the GitHub Actions to establish an ssh tunnel from the Action runner to bastion.wmcloud.org. A pure cli way to do this would be something like `ssh -o StrictHostKeyChecking=accept-new -f -N -D 127.0.0.1:1080 -i $PRIVATE_KEY_FILE [email protected]`
    - `-o StrictHostKeyChecking=accept-new`: Accept offered host key for any host not already in the known hosts file
    - `-f`: Background ssh process after connecting
    - `-N`: Do not exec a remote command
    - `-D 127.0.0.1:1080`: Create a SOCKS5 proxy listening on 127.0.0.1:1080 and terminated on the ssh connected host
    - `-i $PRIVATE_KEY_FILE`: Use the private key in $PRIVATE_KEY_FILE
[ ] @Xqt adds the needed equivalent of `export HTTPS_PROXY="socks5h://127.0.0.1:1080"` to the GitHub Actions to tell requests to proxy traffic through the tunnel and do DNS resolution on the proxy termination side so that the internal network IPs are contacted when traffic flows over the tunnel. There are some weird things that might happen if the DNS is done outside the Cloud VPS network. Public IPv4 addresses in Cloud VPS work in ways that are sometimes confusing.

Safely storing and using the ssh private key from GitHub Actions is something that @Xqt should research as part of this too. This is
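One way to handle the key material and tunnel setup from the steps above on a CI runner, as an added example that is not part of the original comment or the project's configuration. It pins the bastion host key instead of using `accept-new`, since a fresh runner has no known hosts file to compare against; the names `TUNNEL_KEY`, `BASTION_HOST_KEY`, `TUNNEL_USER` and `SSH_BIN` are assumptions, and the host key itself must be obtained and verified out of band.

```shell
#!/bin/sh
# Added example. Assumed names (not from the thread): TUNNEL_KEY and
# BASTION_HOST_KEY (CI secrets exposed as environment variables),
# TUNNEL_USER, and SSH_BIN (hook to substitute the ssh binary).

# Write key material into a private directory without echoing it to the log.
prepare_tunnel_files() {
    (
        umask 077    # directory 0700, files 0600; subshell keeps umask local
        mkdir -p "$1" || exit 1
        printf '%s\n' "$TUNNEL_KEY" > "$1/id_tunnel"
        # One known_hosts line: "bastion.wmcloud.org <keytype> <base64 key>"
        printf '%s\n' "$BASTION_HOST_KEY" > "$1/known_hosts"
    )
}

# Start the SOCKS5 tunnel from the thread's command, with the host key pinned.
open_tunnel() {
    "${SSH_BIN:-ssh}" -f -N -D 127.0.0.1:1080 \
        -o BatchMode=yes \
        -o IdentitiesOnly=yes \
        -o ExitOnForwardFailure=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$1/known_hosts" \
        -i "$1/id_tunnel" \
        "$TUNNEL_USER@bastion.wmcloud.org"
}

# Persist the proxy setting for later steps ($GITHUB_ENV in GitHub Actions).
# socks5h makes the proxy side resolve DNS; requests needs requests[socks].
export_proxy() {
    printf 'HTTPS_PROXY=socks5h://127.0.0.1:1080\n' >> "${1:-$GITHUB_ENV}"
}

# Remove the key material when the job is done.
cleanup_tunnel_files() {
    rm -rf "$1"
}
```

`BatchMode=yes` makes ssh fail instead of prompting, and `ExitOnForwardFailure=yes` makes the step fail if the local SOCKS port cannot be bound, so a broken tunnel does not silently leave later steps talking to the network directly.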
