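# Scheduled disaster-recovery backup of the Supabase Postgres database.
# Flow: install the PostgreSQL 17 client -> run backup.sh -> tar + GPG-encrypt
# the snapshot -> upload only the encrypted archive as a workflow artifact.
# Logs, summaries and artifacts of a public repository are readable by others,
# so nothing derived from a secret should be printed and only ciphertext
# should leave the runner.
name: Supabase Disaster Recovery Backup

on:
  # Run daily at 02:00 IST (20:30 UTC previous day)
  schedule:
    - cron: '30 20 * * *'
  # Allow manual trigger
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the steps below only read the repository
# and upload an artifact.
# NOTE(review): backup.sh is not visible here; widen this only if it really
# needs to write to the repository.
permissions:
  contents: read

jobs:
  backup:
    runs-on: ubuntu-latest
    defaults:
      run:
        # Naming the shell makes the runner start bash with `-eo pipefail`,
        # so a failure anywhere in a pipeline fails the step.
        shell: bash
    steps:
      # NOTE(review): `@v4` is a mutable tag. Pinning actions to a full commit
      # SHA protects against a retagged or compromised release.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # Do not leave the token in .git/config for later steps and scripts.
          # NOTE(review): revert if backup.sh relies on authenticated git.
          persist-credentials: false

      - name: Install PostgreSQL 17 client tools
        run: |
          # Store the PGDG signing key in its own keyring and bind it to this
          # one repository with signed-by. `apt-key add` is deprecated and
          # would trust the key for every configured repository.
          sudo install -d -m 0755 /etc/apt/keyrings
          sudo wget --quiet -O /etc/apt/keyrings/pgdg.asc \
            https://www.postgresql.org/media/keys/ACCC4CF8.asc
          # Add the PostgreSQL repository over HTTPS
          echo "deb [signed-by=/etc/apt/keyrings/pgdg.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" \
            | sudo tee /etc/apt/sources.list.d/pgdg.list > /dev/null
          sudo apt-get update
          # Install PostgreSQL 17 client tools
          sudo apt-get install -y postgresql-client-17
          # Set up alternatives to use PostgreSQL 17 by default
          sudo update-alternatives --install /usr/bin/psql psql /usr/lib/postgresql/17/bin/psql 100
          sudo update-alternatives --install /usr/bin/pg_dump pg_dump /usr/lib/postgresql/17/bin/pg_dump 100
          sudo update-alternatives --install /usr/bin/pg_restore pg_restore /usr/lib/postgresql/17/bin/pg_restore 100

      - name: Verify tools installation
        run: |
          psql --version
          pg_dump --version
          pg_restore --version

      - name: Create backup directory
        run: mkdir -p supabase_snapshot

      # The secret is passed through `env:` rather than interpolated into the
      # script text, so it never becomes part of the shell source.
      - name: Verify SUPABASE_DB_URL is set
        env:
          SUPABASE_DB_URL: ${{ secrets.SUPABASE_DB_URL }}
        run: |
          if [ -z "$SUPABASE_DB_URL" ]; then
            echo "❌ ERROR: SUPABASE_DB_URL is not set!"
            echo "Please add SUPABASE_DB_URL to your repository secrets."
            exit 1
          fi
          # Report presence only; the length of the connection string is not
          # written to the log.
          echo "✅ SUPABASE_DB_URL is set"

      - name: Run backup script
        env:
          # Already exported to the step's environment by `env:`; no extra
          # `export` is needed for backup.sh to see it.
          SUPABASE_DB_URL: ${{ secrets.SUPABASE_DB_URL }}
        run: |
          chmod +x backup.sh
          # Ensure PostgreSQL 17 binaries are in PATH
          export PATH="/usr/lib/postgresql/17/bin:$PATH"
          ./backup.sh

      - name: List backup files
        run: |
          echo "Backup files created:"
          ls -lh supabase_snapshot/

      - name: Encrypt backup files
        env:
          BACKUP_ENCRYPTION_KEY: ${{ secrets.BACKUP_ENCRYPTION_KEY }}
        run: |
          echo "🔒 Encrypting backup files..."
          # Check if encryption key is set
          if [ -z "$BACKUP_ENCRYPTION_KEY" ]; then
            echo "❌ ERROR: BACKUP_ENCRYPTION_KEY is not set!"
            echo "Please add BACKUP_ENCRYPTION_KEY to your repository secrets."
            echo "This is required to encrypt backups in a public repository."
            exit 1
          fi
          # Create the archive that will be encrypted
          tar -czf supabase_snapshot.tar.gz supabase_snapshot/
          # Symmetric GPG encryption. The passphrase is fed on stdin so it
          # never appears in a command line; printf (unlike echo) cannot
          # mistake a passphrase such as "-n" for an option. GnuPG 2.1+
          # documents --pinentry-mode loopback as required for
          # --passphrase-fd. The archive is only as strong as the passphrase.
          printf '%s\n' "$BACKUP_ENCRYPTION_KEY" \
            | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
                --symmetric --cipher-algo AES256 \
                -o supabase_snapshot.tar.gz.gpg supabase_snapshot.tar.gz
          # Remove unencrypted files so only ciphertext is left to upload
          rm -rf supabase_snapshot/
          rm supabase_snapshot.tar.gz
          echo "✅ Backup encrypted successfully"
          ls -lh supabase_snapshot.tar.gz.gpg

      - name: Upload encrypted backup artifacts
        uses: actions/upload-artifact@v4
        with:
          name: supabase-backup-encrypted-${{ github.run_number }}-${{ github.run_attempt }}
          path: supabase_snapshot.tar.gz.gpg
          # A backup run that produces no archive must fail, not just warn.
          if-no-files-found: error
          retention-days: 30
          # Ciphertext of an already gzip-compressed tarball does not compress.
          compression-level: 0

      - name: Generate job summary
        if: always()
        env:
          # This step also runs after a failure, so the real outcome is
          # reported instead of an unconditional success line.
          JOB_STATUS: ${{ job.status }}
        run: |
          {
            echo "# Supabase Backup Summary"
            echo ""
            echo "**Date:** $(date)"
            echo ""
            if [ -f supabase_snapshot.tar.gz.gpg ]; then
              echo "🔒 **Security:** Backup is encrypted with AES256"
              echo ""
              echo "## Encrypted Backup File"
              echo ""
              echo "| File | Size |"
              echo "|------|------|"
              size=$(du -h supabase_snapshot.tar.gz.gpg | cut -f1)
              echo "| supabase_snapshot.tar.gz.gpg | $size |"
              echo ""
              echo "## How to Decrypt"
              echo '```bash'
              echo "# Download the artifact, then run:"
              echo "gpg --decrypt supabase_snapshot.tar.gz.gpg > supabase_snapshot.tar.gz"
              echo "tar -xzf supabase_snapshot.tar.gz"
              echo '```'
            fi
            echo ""
            if [ "$JOB_STATUS" = "success" ]; then
              echo "✅ Backup completed successfully!"
            else
              echo "❌ Backup did not complete (job status: $JOB_STATUS). Check the step logs."
            fi
          } >> "$GITHUB_STEP_SUMMARY"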