From 8765608603b83588b06c5eb9ddfdef894e692dda Mon Sep 17 00:00:00 2001
From: admin
Date: Wed, 4 Mar 2026 20:31:20 +0000
Subject: [PATCH] fix: scp dotfile bug, remote mkdir, registry auth, SSH -T flag
---
.gitea/workflows/deploy.yml | 55 +++++++++++++++++++++----------------
1 file changed, 31 insertions(+), 24 deletions(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 82e8962..ce34733 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }} environment: production - + steps: - name: Checkout code uses: actions/checkout@v4
@@ -53,7 +53,7 @@ jobs: - name: Prepare deployment files run: | mkdir -p deployment/tmp - + # Create .env.production cat > deployment/tmp/.env.production << EOF PORT=${{ secrets.PORT || '8080' }}
@@ -67,38 +67,38 @@ jobs: FIREBASE_STORAGE_BUCKET=${{ secrets.FIREBASE_STORAGE_BUCKET }} FIREBASE_CREDENTIALS_FILE=${{ secrets.FIREBASE_CREDENTIALS_FILE_PATH || './firebase-credentials.json' }} EOF - + # Create deployment script cat > deployment/tmp/deploy.sh << 'DEPLOY_SCRIPT' #!/bin/bash set -e - + IMAGE_NAME="${{ env.IMAGE_NAME }}" IMAGE_TAG="${{ env.IMAGE_TAG }}" CONTAINER_NAME="jd-book-uploader" - + set -a source .env.production set +a - + # Stop existing container if podman ps -a --format "{{.Names}}" | grep -q "^${CONTAINER_NAME}$"; then podman stop "${CONTAINER_NAME}" 2>/dev/null || true podman rm "${CONTAINER_NAME}" 2>/dev/null || true fi - + # Load image if artifact provided if [ -f image.tar ]; then podman load -i image.tar rm -f image.tar fi - + # Pull from registry if configured if [ -n "${{ env.REGISTRY }}" ]; then - podman pull "${{ env.REGISTRY }}/${IMAGE_NAME}:${IMAGE_TAG}" + podman pull --tls-verify=false "${{ env.REGISTRY }}/${IMAGE_NAME}:${IMAGE_TAG}" podman tag "${{ env.REGISTRY }}/${IMAGE_NAME}:${IMAGE_TAG}" "${IMAGE_NAME}:${IMAGE_TAG}" fi - + # Build run command PODMAN_CMD=( podman run -d
@@ -107,7 +107,7 @@ jobs: --user root --restart=unless-stopped ) - + # Add environment variables while IFS='=' read -r key value; do [[ "$key" =~ ^#.*$ ]] && continue
@@ -117,19 +117,19 @@ jobs: PODMAN_CMD+=(-e "${key}=${value}") fi done < .env.production - + # Mount Firebase credentials FIREBASE_CREDS="${FIREBASE_CREDENTIALS_FILE}" if [ -f "$FIREBASE_CREDS" ]; then PODMAN_CMD+=(-v "${FIREBASE_CREDS}:/app/firebase-credentials.json:ro,z") PODMAN_CMD+=(-e "FIREBASE_CREDENTIALS_FILE=/app/firebase-credentials.json") fi - + PODMAN_CMD+=("${IMAGE_NAME}:${IMAGE_TAG}") - + "${PODMAN_CMD[@]}" sleep 3 - + if podman ps --format "{{.Names}}" | grep -q "^${CONTAINER_NAME}$"; then echo "✓ Container started" podman logs "${CONTAINER_NAME}" --tail 20
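Review bot: `podman pull --tls-verify=false` in the registry branch disables certificate checking for the image pull, so the deploy host will accept an image from any endpoint that can answer for `${{ env.REGISTRY }}`; the later hunk at `@@ -139,32` adds the same flag to the new `podman login`, which also hands the registry credentials to a server whose identity is not verified. If the registry uses a private CA, the usual fix is to install its certificate on the deploy host under `/etc/containers/certs.d/<registry-host>/ca.crt` and keep the default `podman pull "${{ env.REGISTRY }}/${IMAGE_NAME}:${IMAGE_TAG}"`, removing the flag from both lines. If an unverified connection is genuinely intended, a comment above the pull should record why, e.g. `# registry is reachable only on the private network and presents a self-signed cert — TODO: pin its CA under certs.d and drop --tls-verify=false`. The deploy.sh heredoc that holds this line continues past the hunk.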
@@ -139,32 +139,40 @@ jobs: exit 1 fi DEPLOY_SCRIPT - + chmod +x deployment/tmp/deploy.sh - name: Transfer files run: | - scp -r deployment/tmp/* ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ secrets.DEPLOY_PATH }}/deployment/ + # Ensure remote deployment directory exists + ssh ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }} "mkdir -p ${{ secrets.DEPLOY_PATH }}/deployment" + # Copy files explicitly — glob (*) skips dotfiles like .env.production + scp deployment/tmp/deploy.sh ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ secrets.DEPLOY_PATH }}/deployment/ + scp deployment/tmp/.env.production ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ secrets.DEPLOY_PATH }}/deployment/ if [ -f image.tar ]; then scp image.tar ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ secrets.DEPLOY_PATH }}/image.tar fi - name: Deploy run: | - ssh ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }} << ENDSSH + ssh -T ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }} << ENDSSH set -e cd ${{ secrets.DEPLOY_PATH }} - + if [ -f image.tar ]; then podman load -i image.tar rm -f image.tar fi - + if [ ! -f "${{ secrets.FIREBASE_CREDENTIALS_FILE_PATH || './firebase-credentials.json' }}" ]; then echo "Error: Firebase credentials not found" exit 1 fi - + + if [ -n "${{ env.REGISTRY }}" ]; then + echo "${{ secrets.REGISTRY_PASSWORD }}" | podman login "${{ env.REGISTRY }}" -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin --tls-verify=false + fi + cd deployment ./deploy.sh ENDSSH
@@ -173,7 +181,7 @@ jobs: run: | sleep 5 HEALTH_URL="http://${{ secrets.DEPLOY_HOST }}:${{ secrets.PORT || '8080' }}/api/health" - + for i in {1..10}; do if curl -f -s "$HEALTH_URL" > /dev/null; then echo "✓ Health check passed"
@@ -182,7 +190,6 @@ jobs: fi sleep 3 done - + echo "✗ Health check failed" exit 1 -
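Review bot: The added `podman login` line embeds `${{ secrets.REGISTRY_PASSWORD }}` as literal text inside the unquoted `<< ENDSSH` heredoc, so the password becomes part of the script before the runner's shell expands the heredoc, and a value containing `"`, `$` or a backtick alters the command instead of being passed as data. A more robust shape is to expose the secret to the step through `env:` and stream it to its own ssh call rather than interpolating it into the script: `printf '%s' "$REGISTRY_PASSWORD" | ssh -T ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }} "podman login '${{ env.REGISTRY }}' -u '$REGISTRY_USERNAME' --password-stdin"`. The same quoting gap applies to the new `"mkdir -p ${{ secrets.DEPLOY_PATH }}/deployment"` in the Transfer step, where a path containing a space splits into several arguments on the remote side; `"mkdir -p '${{ secrets.DEPLOY_PATH }}/deployment'"` keeps it one path. The Deploy step's heredoc ends inside the hunk, but the surrounding job definition continues outside it.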