From af8e14c5450bbca30283fbcc22b0009404d332a1 Mon Sep 17 00:00:00 2001
From: ianshaloom
Date: Sun, 8 Mar 2026 12:42:06 +0300
Subject: [PATCH] fix(deploy): inject runtime secrets and force-recreate containers on deploy
- Add --force-recreate to podman compose up so stale containers are never reused across deploys when the image tag (staging) is reused
- Inject CLERK_SECRET_KEY and ADMIN_CLERK_SECRET_KEY from Gitea secrets into ~/staging/.env on the VPS via printf (variables expand on the runner before SSH, so secrets never touch VPS shell history; file gets chmod 600)
- Update compose.yml: storefront gets CLERK_SECRET_KEY, admin gets CLERK_SECRET_KEY mapped from ADMIN_CLERK_SECRET_KEY
Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/deploy-staging.yml | 15 +++++++++++----
 deploy/staging/compose.yml | 4 ++++
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/.gitea/workflows/deploy-staging.yml b/.gitea/workflows/deploy-staging.yml
index a8c8fd4..92299cb 100644
--- a/.gitea/workflows/deploy-staging.yml
+++ b/.gitea/workflows/deploy-staging.yml
@@ -175,6 +175,8 @@ jobs:
 SSH_HOST: ${{ secrets.STAGING_SSH_HOST }}
 SSH_USER: ${{ secrets.STAGING_SSH_USER }}
 SSH_PORT: ${{ secrets.STAGING_SSH_PORT }}
+ CLERK_SECRET_KEY: ${{ secrets.STAGING_STOREFRONT_CLERK_SECRET_KEY }}
+ ADMIN_CLERK_SECRET_KEY: ${{ secrets.STAGING_ADMIN_CLERK_SECRET_KEY }}
 run: |
 REGISTRY_HOST=$(echo "$REGISTRY" | cut -d'/' -f1)
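Review bot: Neither new variable is checked for an empty value before the step proceeds, and as far as I know an undefined Gitea secret expands to an empty string, so a missing `STAGING_STOREFRONT_CLERK_SECRET_KEY` would silently produce `CLERK_SECRET_KEY=` in the deployed `.env` and a storefront with no working Clerk key. A guard at the top of the `run:` block such as `: "${CLERK_SECRET_KEY:?STAGING_STOREFRONT_CLERK_SECRET_KEY is not set}"` and `: "${ADMIN_CLERK_SECRET_KEY:?STAGING_ADMIN_CLERK_SECRET_KEY is not set}"` fails the job on the runner before anything is sent to the VPS. The rest of the `run:` script lies outside this hunk.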
@@ -204,13 +206,18 @@ jobs:
 mkdir -p /opt/staging
 # Decode the compose file that was base64-encoded on the runner.
- # Runtime secrets (CLERK_SECRET_KEY, etc.) should be added manually
- # to /opt/staging/.env on the VPS after first deploy.
 echo "${COMPOSE_B64}" | base64 -d > /opt/staging/compose.yml
- touch /opt/staging/.env
+
+ # Write runtime secrets to .env — variables expand on the runner before
+ # being sent over SSH, so secrets never appear in VPS shell history.
+ # printf keeps every line indented (no column-0 content) so YAML stays valid.
+ printf 'CLERK_SECRET_KEY=%s\nADMIN_CLERK_SECRET_KEY=%s\n' \
+ "${CLERK_SECRET_KEY}" "${ADMIN_CLERK_SECRET_KEY}" \
+ > $HOME/staging/.env
+ chmod 600 $HOME/staging/.env
 cd /opt/staging
- podman compose up -d --remove-orphans
+ podman compose up -d --force-recreate --remove-orphans
 # Remove dangling images from previous deploys
 podman image prune -f
diff --git a/deploy/staging/compose.yml b/deploy/staging/compose.yml
index 52cd351..ce7018a 100644
--- a/deploy/staging/compose.yml
+++ b/deploy/staging/compose.yml
@@ -9,6 +9,8 @@ services:
 env_file:
 - path: .env
 required: false
+ environment:
+ - CLERK_SECRET_KEY
 admin:
 image: ${REGISTRY}/admin:staging
@@ -18,3 +20,5 @@ services:
 env_file:
 - path: .env
 required: false
+ environment:
+ - CLERK_SECRET_KEY=${ADMIN_CLERK_SECRET_KEY}
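Review bot: The `.env` is written to `$HOME/staging/.env`, but the compose file is decoded into `/opt/staging`, `cd /opt/staging` precedes `podman compose up`, and the compose file's `env_file` path `.env` resolves relative to that file, so the secrets land where nothing reads them (the removed `touch` used `/opt/staging/.env`), and because that env_file is `required: false` the containers simply start without the Clerk keys. If variables really do expand on the runner before the script is sent, `$HOME` also expands to the runner's home directory rather than the VPS user's. I would write `> /opt/staging/.env` and `chmod 600 /opt/staging/.env` (or `mkdir -p` the target first if `~/staging` is genuinely intended and the compose `env_file` path is changed to match). Runner-side expansion also means each raw secret value is spliced into shell source text executed on the VPS, so a value containing `"`, `$` or a backtick breaks the quoting; the SSH invocation that delivers the script is outside this hunk, so I cannot confirm how it is passed. The enclosing `run:` step starts outside the hunk.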
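Review bot: The bare `- CLERK_SECRET_KEY` entry added to storefront is a pass-through from the environment of the process running `podman compose`, not from `env_file`; the deploy script writes `.env` to disk without exporting anything, so unless podman-compose resolves bare entries from the project `.env` (I cannot confirm that from here) this line is a no-op, while the value already reaches the container through `env_file`. The admin hunk has the opposite problem: `CLERK_SECRET_KEY=${ADMIN_CLERK_SECRET_KEY}` relies on interpolation, and an unset variable silently yields an empty key, whereas `- CLERK_SECRET_KEY=${ADMIN_CLERK_SECRET_KEY:?ADMIN_CLERK_SECRET_KEY is not set}` makes compose refuse to start instead. Both services still load the whole `.env`, so each container ends up holding both key values (storefront also receives `ADMIN_CLERK_SECRET_KEY`, and admin keeps it alongside the overridden `CLERK_SECRET_KEY`); per-service env files, or dropping `env_file` in favour of explicit interpolated entries, would keep each key in only the container that needs it. The `services:` mapping continues outside both hunks.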