fix(deploy): inject runtime secrets and force-recreate containers on deploy
Some checks failed
Deploy — Staging / Lint, Typecheck & Test (push) Successful in 1m33s
Deploy — Staging / Build & push — admin (push) Successful in 57s
Deploy — Staging / Build & push — storefront (push) Successful in 58s
Deploy — Staging / Deploy to staging VPS (push) Failing after 18s
- Add --force-recreate to podman compose up so stale containers are never reused across deploys when the image tag (staging) is reused
- Inject CLERK_SECRET_KEY and ADMIN_CLERK_SECRET_KEY from Gitea secrets into ~/staging/.env on the VPS via printf (variables expand on the runner before SSH, so secrets never touch VPS shell history; file gets chmod 600)
- Update compose.yml: storefront gets CLERK_SECRET_KEY, admin gets CLERK_SECRET_KEY mapped from ADMIN_CLERK_SECRET_KEY

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -175,6 +175,8 @@ jobs:
|
|||||||
SSH_HOST: ${{ secrets.STAGING_SSH_HOST }}
|
SSH_HOST: ${{ secrets.STAGING_SSH_HOST }}
|
||||||
SSH_USER: ${{ secrets.STAGING_SSH_USER }}
|
SSH_USER: ${{ secrets.STAGING_SSH_USER }}
|
||||||
SSH_PORT: ${{ secrets.STAGING_SSH_PORT }}
|
SSH_PORT: ${{ secrets.STAGING_SSH_PORT }}
|
||||||
|
CLERK_SECRET_KEY: ${{ secrets.STAGING_STOREFRONT_CLERK_SECRET_KEY }}
|
||||||
|
ADMIN_CLERK_SECRET_KEY: ${{ secrets.STAGING_ADMIN_CLERK_SECRET_KEY }}
|
||||||
run: |
|
run: |
|
||||||
REGISTRY_HOST=$(echo "$REGISTRY" | cut -d'/' -f1)
|
REGISTRY_HOST=$(echo "$REGISTRY" | cut -d'/' -f1)
|
||||||
|
|
||||||
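Review bot: exposing the two secrets as step-level env here is consistent with the later printf, which depends on them being expanded on the runner rather than on the VPS; the check to add is that nothing in this run block enables shell tracing (set -x, bash -x) or echoes the assembled remote script, because after expansion the command text itself carries the secret values and would land in the job log.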
@@ -204,13 +206,18 @@ jobs:
|
|||||||
mkdir -p /opt/staging
|
mkdir -p /opt/staging
|
||||||
|
|
||||||
# Decode the compose file that was base64-encoded on the runner.
|
# Decode the compose file that was base64-encoded on the runner.
|
||||||
# Runtime secrets (CLERK_SECRET_KEY, etc.) should be added manually
|
|
||||||
# to /opt/staging/.env on the VPS after first deploy.
|
|
||||||
echo "${COMPOSE_B64}" | base64 -d > /opt/staging/compose.yml
|
echo "${COMPOSE_B64}" | base64 -d > /opt/staging/compose.yml
|
||||||
touch /opt/staging/.env
|
|
||||||
|
# Write runtime secrets to .env — variables expand on the runner before
|
||||||
|
# being sent over SSH, so secrets never appear in VPS shell history.
|
||||||
|
# printf keeps every line indented (no column-0 content) so YAML stays valid.
|
||||||
|
printf 'CLERK_SECRET_KEY=%s\nADMIN_CLERK_SECRET_KEY=%s\n' \
|
||||||
|
"${CLERK_SECRET_KEY}" "${ADMIN_CLERK_SECRET_KEY}" \
|
||||||
|
> $HOME/staging/.env
|
||||||
|
chmod 600 $HOME/staging/.env
|
||||||
|
|
||||||
cd /opt/staging
|
cd /opt/staging
|
||||||
podman compose up -d --remove-orphans
|
podman compose up -d --force-recreate --remove-orphans
|
||||||
|
|
||||||
# Remove dangling images from previous deploys
|
# Remove dangling images from previous deploys
|
||||||
podman image prune -f
|
podman image prune -f
|
||||||
|
|||||||
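Review bot: the redirect target does not match the rest of the script: the deploy creates and uses /opt/staging (mkdir -p /opt/staging, compose.yml decoded there, cd /opt/staging), but the secrets go to $HOME/staging/.env, a directory nothing creates, so the redirect fails (which would explain the failing deploy step) and, even if it existed, compose's env_file: .env is resolved relative to /opt/staging/compose.yml and would never see that file. Write to /opt/staging/.env and chmod 600 that path; the removed touch is then genuinely unnecessary. Two caveats on the runner-side expansion: the values are spliced verbatim into the script text sent over SSH, so a secret containing a double quote, $ or backtick breaks the remote quoting (consider base64-encoding them on the runner the way COMPOSE_B64 already is and decoding on the VPS), and with required: false a missing or misplaced .env does not fail the deploy, it silently starts containers without secrets, so a post-deploy check that the file exists and is non-empty is worth adding.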
@@ -9,6 +9,8 @@ services:
|
|||||||
env_file:
|
env_file:
|
||||||
- path: .env
|
- path: .env
|
||||||
required: false
|
required: false
|
||||||
|
environment:
|
||||||
|
- CLERK_SECRET_KEY
|
||||||
|
|
||||||
admin:
|
admin:
|
||||||
image: ${REGISTRY}/admin:staging
|
image: ${REGISTRY}/admin:staging
|
||||||
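Review bot: the bare `- CLERK_SECRET_KEY` under environment is resolved from the environment of the shell that runs `podman compose`, not from the service's env_file, and on the VPS that shell does not have the variable set (the secret only exists in the .env file); depending on the compose implementation the entry is then dropped or passed as empty, and environment takes precedence over env_file, so the line is at best redundant with the existing `env_file: .env` and at worst blanks the value. Drop it for storefront and rely on env_file alone, or set it explicitly as `- CLERK_SECRET_KEY=${CLERK_SECRET_KEY}` so it is interpolated the same way admin's is.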
@@ -18,3 +20,5 @@ services:
|
|||||||
env_file:
|
env_file:
|
||||||
- path: .env
|
- path: .env
|
||||||
required: false
|
required: false
|
||||||
|
environment:
|
||||||
|
- CLERK_SECRET_KEY=${ADMIN_CLERK_SECRET_KEY}
|
||||||
|
|||||||
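Review bot: `${ADMIN_CLERK_SECRET_KEY}` here is compose-file interpolation, taken from the invoking shell or the project-directory .env next to compose.yml (/opt/staging/.env), not from the service's env_file; with the secrets written elsewhere (see the workflow hunk) it resolves to an empty string and admin starts with CLERK_SECRET_KEY= and only a warning, so the deploy should fail loudly on an unset value (`${ADMIN_CLERK_SECRET_KEY:?missing}`). Separately, both services load the same .env, so the storefront container also receives ADMIN_CLERK_SECRET_KEY and admin receives the storefront key; writing per-service env files (e.g. admin.env and storefront.env) keeps each container limited to its own credential.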