From 1e2dcd5f7cc7a0ca3c96b76f71a0af319ec4849f Mon Sep 17 00:00:00 2001
From: Josh
Date: Thu, 31 Jul 2025 13:15:41 +0000
Subject: [PATCH] pipeline secrets injection test v4

---
 .woodpecker.yml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/.woodpecker.yml b/.woodpecker.yml
index 5946fbc..e9da744 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -21,22 +21,23 @@ steps:
 event: [push, manual]
 branch: [master]
-# ── 2. Deploy to staging ────────────────────────────────
+# ── 2. Deploy to staging (GCP Secret Manager Injection) ──
 - name: deploy-staging
- image: alpine:latest
- environment:
- STAGING_SSH_KEY_B64:
- STAGING_KNOWN_HOSTS_B64:
+ image: gcr.io/google.com/cloudsdktool/cloud-sdk:latest
 commands:
 - |
 set -eu
- apk add --no-cache openssh bash
- mkdir -p ~/.ssh
- echo "$STAGING_KNOWN_HOSTS_B64" | base64 -d > ~/.ssh/known_hosts
- echo "$STAGING_SSH_KEY_B64" | base64 -d > ~/.ssh/id_ed25519
+
+ # ⛓️ Pull and decode known_hosts
+ gcloud secrets versions access latest --secret="KNOWN_HOSTS_B64" --project="aptivaai-dev" | base64 -d > ~/.ssh/known_hosts
+ chmod 644 ~/.ssh/known_hosts
+
+ # 🔑 Pull and decode SSH key
+ gcloud secrets versions access latest --secret="STAGING_SSH_KEY_B64" --project="aptivaai-dev" | base64 -d > ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
+ # 🚀 Execute remote deploy
 TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)
 ssh -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=yes jcoakley@10.128.0.12 <