fix(deploy): inject runtime secrets and force-recreate containers on deploy
Some checks failed
Deploy — Staging / Lint, Typecheck & Test (push) Successful in 1m33s
Deploy — Staging / Build & push — admin (push) Successful in 57s
Deploy — Staging / Build & push — storefront (push) Successful in 58s
Deploy — Staging / Deploy to staging VPS (push) Failing after 18s
Some checks failed
Deploy — Staging / Lint, Typecheck & Test (push) Successful in 1m33s
Deploy — Staging / Build & push — admin (push) Successful in 57s
Deploy — Staging / Build & push — storefront (push) Successful in 58s
Deploy — Staging / Deploy to staging VPS (push) Failing after 18s
- Add --force-recreate to podman compose up so stale containers are never reused across deploys when the image tag (staging) is reused - Inject CLERK_SECRET_KEY and ADMIN_CLERK_SECRET_KEY from Gitea secrets into ~/staging/.env on the VPS via printf (variables expand on the runner before SSH, so secrets never touch VPS shell history; file gets chmod 600) - Update compose.yml: storefront gets CLERK_SECRET_KEY, admin gets CLERK_SECRET_KEY mapped from ADMIN_CLERK_SECRET_KEY Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -175,6 +175,8 @@ jobs:
|
||||
SSH_HOST: ${{ secrets.STAGING_SSH_HOST }}
|
||||
SSH_USER: ${{ secrets.STAGING_SSH_USER }}
|
||||
SSH_PORT: ${{ secrets.STAGING_SSH_PORT }}
|
||||
CLERK_SECRET_KEY: ${{ secrets.STAGING_STOREFRONT_CLERK_SECRET_KEY }}
|
||||
ADMIN_CLERK_SECRET_KEY: ${{ secrets.STAGING_ADMIN_CLERK_SECRET_KEY }}
|
||||
run: |
|
||||
REGISTRY_HOST=$(echo "$REGISTRY" | cut -d'/' -f1)
|
||||
|
||||
@@ -204,13 +206,18 @@ jobs:
|
||||
mkdir -p /opt/staging
|
||||
|
||||
# Decode the compose file that was base64-encoded on the runner.
|
||||
# Runtime secrets (CLERK_SECRET_KEY, etc.) should be added manually
|
||||
# to /opt/staging/.env on the VPS after first deploy.
|
||||
echo "${COMPOSE_B64}" | base64 -d > /opt/staging/compose.yml
|
||||
touch /opt/staging/.env
|
||||
|
||||
# Write runtime secrets to .env — variables expand on the runner before
|
||||
# being sent over SSH, so secrets never appear in VPS shell history.
|
||||
# printf keeps every line indented (no column-0 content) so YAML stays valid.
|
||||
printf 'CLERK_SECRET_KEY=%s\nADMIN_CLERK_SECRET_KEY=%s\n' \
|
||||
"${CLERK_SECRET_KEY}" "${ADMIN_CLERK_SECRET_KEY}" \
|
||||
> $HOME/staging/.env
|
||||
chmod 600 $HOME/staging/.env
|
||||
|
||||
cd /opt/staging
|
||||
podman compose up -d --remove-orphans
|
||||
podman compose up -d --force-recreate --remove-orphans
|
||||
|
||||
# Remove dangling images from previous deploys
|
||||
podman image prune -f
|
||||
|
||||
@@ -9,6 +9,8 @@ services:
|
||||
env_file:
|
||||
- path: .env
|
||||
required: false
|
||||
environment:
|
||||
- CLERK_SECRET_KEY
|
||||
|
||||
admin:
|
||||
image: ${REGISTRY}/admin:staging
|
||||
@@ -18,3 +20,5 @@ services:
|
||||
env_file:
|
||||
- path: .env
|
||||
required: false
|
||||
environment:
|
||||
- CLERK_SECRET_KEY=${ADMIN_CLERK_SECRET_KEY}
|
||||
|
||||
Reference in New Issue
Block a user