Fix services restart script

drcrazy · drcrazy · commit 23ccad0a2e1d · 2026-04-28T22:30:31.000+03:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -8,7 +8,10 @@
 #
 # Optional:
 #   DEPLOY_PORT       — SSH port (default 22)
-#   DEPLOY_COMMAND    — command to run after rsync (e.g. sudo systemctl restart myapp). If unset, only files are synced.
+#   DEPLOY_COMMAND    — command to run after rsync (e.g. sudo /usr/local/bin/restart-workspace.sh). If unset, only files are synced.
+#   For "sudo: a terminal is required" / "password is required" from the deploy user: that user must
+#   have a sudoers NOPASSWD rule for the exact command. Test on the server: sudo -n true and
+#   sudo -n /path/to/restart-workspace.sh (no prompt). See deploy/restart-workspace.sh comments.
 
 name: Build and deploy
 
@@ -91,7 +94,8 @@ jobs:
             exit 0
           fi
           PORT="${DEPLOY_PORT:-22}"
-          # shell over SSH: cd then run your restart script or systemctl
-          ssh -p "$PORT" -o StrictHostKeyChecking=yes \
+          # -tt: allocate a TTY (helps if sudoers has requiretty; CI has no TTY by default)
+          # Passwordless sudo (NOPASSWD) for the exact path is still required; see repo deploy/restart-workspace.sh
+          ssh -tt -p "$PORT" -o StrictHostKeyChecking=yes \
             "${DEPLOY_USER}@${DEPLOY_HOST}" \
             bash -lc "cd $(printf %q "$DEPLOY_PATH") && $DEPLOY_COMMAND"
diff --git a/deploy/restart-workspace.sh b/deploy/restart-workspace.sh
@@ -4,8 +4,22 @@
 # One-time on the server:
 #   sudo install -m 755 -o root -g root deploy/restart-workspace.sh /usr/local/bin/restart-workspace.sh
 #
-# Sudoers for the CI/deploy user (use visudo), allow only this script, no password:
-#   deploy ALL=(ALL) NOPASSWD: /usr/local/bin/restart-workspace.sh
+# Sudo: GitHub Actions is non-interactive, so the SSH user (same as secret DEPLOY_USER) must
+# be allowed to run *exactly* this path without a password. Create a file, e.g. with visudo:
+#   /etc/sudoers.d/99-restart-workspace
+#   ----
+#   replace USERNAME with your deploy/SSH user (e.g. adept, deploy, github)
+#   USERNAME ALL=(root) NOPASSWD: /usr/local/bin/restart-workspace.sh
+#   ----
+#   sudo chmod 440 /etc/sudoers.d/99-restart-workspace
+#
+# Verify as the deploy/SSH user (must succeed, exit 0, no password prompt):
+#   sudo -n /usr/local/bin/restart-workspace.sh
+#
+# If you see "a password is required" from CI, the rule does not match: wrong user, path, or typo.
+# If you see TTY / requiretty issues, /etc/ssh/ssh_config or the workflow uses -tt; also try
+#   Defaults!USERNAME !requiretty
+# in a sudoers drop-in (use visudo).
 #
 # GitHub Actions secret DEPLOY_COMMAND:
 #   sudo /usr/local/bin/restart-workspace.sh
