From 5a1817e4f52d8568bdc3e7eea20d0769405283b5 Mon Sep 17 00:00:00 2001
From: Josh
Date: Thu, 31 Jul 2025 15:42:36 +0000
Subject: [PATCH] pipline build v26 - TAG GCP added, deploy_all.sh updated
---
.woodpecker.yml | 78 ++++++++++++++++++++++---------------------------
deploy_all.sh | 10 ++++++-
2 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 7c61ce5..3c4c437 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -1,53 +1,45 @@ -steps: - ssh-test: - image: google/cloud-sdk:latest - entrypoint: - - bash - - -c - - | - set -euo pipefail +- name: ssh-test + image: google/cloud-sdk:latest + entrypoint: + - bash + - -c + - | + set -euo pipefail - mkdir -p ~/.ssh + mkdir -p ~/.ssh - # ── Inject known-hosts and SSH key ────────────────────────────── - gcloud secrets versions access latest \ - --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \ - | base64 -d > ~/.ssh/known_hosts - chmod 644 ~/.ssh/known_hosts + # ── Inject known-hosts and SSH key ─────────────────────────────── + gcloud secrets versions access latest \ + --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \ + | base64 -d > ~/.ssh/known_hosts + chmod 644 ~/.ssh/known_hosts - gcloud secrets versions access latest \ - --secret=STAGING_SSH_KEY --project=aptivaai-dev \ - | base64 -d > ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 + gcloud secrets versions access latest \ + --secret=STAGING_SSH_KEY --project=aptivaai-dev \ + | base64 -d > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 - echo "🔑 SSH prerequisites installed" + echo "🔑 SSH prerequisites installed" - # ── Grab full commit SHA and slice tag ────────────────────────── - echo "📦 CI_COMMIT_SHA: ${CI_COMMIT_SHA:-unset}" - TAG="${CI_COMMIT_SHA:-}" - if [ -z "$TAG" ]; then - echo "❌ CI_COMMIT_SHA is blank. Aborting." 
- exit 1 - fi - TAG=$(echo "$TAG" | head -c 8) - echo "🚀 Deploying tag ${TAG} to staging" + # ── Fetch IMG_TAG from canonical source ─────────────────────────── + IMG_TAG=$(gcloud secrets versions access latest \ + --secret=IMG_TAG --project=aptivaai-dev) + echo "📦 IMG_TAG=${IMG_TAG}" - # ── SSH into staging and refresh the stack ────────────────────── - ssh -o StrictHostKeyChecking=yes \ - -i ~/.ssh/id_ed25519 \ - jcoakley@10.128.0.12 \ - "export IMG_TAG=${TAG}; \ - cd /home/jcoakley/aptiva-staging-app; \ - echo 'IMG_TAG = ${IMG_TAG}'; \ - echo '→ Pulling containers'; \ - docker compose pull; \ - echo '→ Recreating services'; \ - docker compose up -d --force-recreate --remove-orphans; \ - echo '✅ Staging stack refreshed with tag ${IMG_TAG}'" - -environment: - CI_COMMIT_SHA: ${CI_COMMIT_SHA} + # ── SSH into staging and refresh the stack ─────────────────────── + ssh -o StrictHostKeyChecking=yes \ + -i ~/.ssh/id_ed25519 \ + jcoakley@10.128.0.12 \ + "export IMG_TAG=${IMG_TAG}; \ + cd /home/jcoakley/aptiva-staging-app; \ + echo 'IMG_TAG = ${IMG_TAG}'; \ + echo '→ Pulling containers'; \ + docker compose pull; \ + echo '→ Recreating services'; \ + docker compose up -d --force-recreate --remove-orphans; \ + echo '✅ Staging stack refreshed with tag ${IMG_TAG}'" +secrets: [ gcp-creds ] when: event: - push diff --git a/deploy_all.sh b/deploy_all.sh index f15512e..37a0d78 100755 --- a/deploy_all.sh +++ b/deploy_all.sh 
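Review bot: The value read from Secret Manager is spliced unvalidated into the double-quoted remote command (`"export IMG_TAG=${IMG_TAG}; \ ...`), so any shell metacharacter in the secret is interpreted on the staging host, and the removed blank-value abort has no replacement. The old code derived the tag from the first 8 characters of `CI_COMMIT_SHA`; with the new source, permission to add a secret version amounts to permission to run commands on staging. Before the `ssh` call, reject anything that is not a plain image tag: `case "$IMG_TAG" in ''|*[!A-Za-z0-9._-]*) echo "invalid IMG_TAG" >&2; exit 1;; esac`. Reading `latest` also detaches the deployed tag from the commit that triggered the pipeline, so a comment stating that this is intended would help the next reader.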
@@ -41,6 +41,15 @@ else fi echo "✅ .env updated with IMG_TAG=${TAG}" +# ───────────────────────────────────────────────────────────── +# 1a. Publish IMG_TAG to GCP Secret Manager (canonical source) +# ───────────────────────────────────────────────────────────── +echo "${TAG}" | gcloud secrets versions add IMG_TAG_DEV1 \ + --data-file=- \ + --project="$PROJECT" + +echo "📦 IMG_TAG pushed to Secret Manager as IMG_TAG_DEV1" + # ───────────────────────────────────────────────────────────── # 2. Export secrets straight from Secret Manager # (they live only in this shell, never on disk) @@ -61,7 +70,6 @@ export FROM_SECRETS_MANAGER=true # Preserve only the variables docker‑compose needs for expansion preserve=IMG_TAG,FROM_SECRETS_MANAGER,REACT_APP_API_URL,$(IFS=,; echo "${SECRETS[*]}") - echo "🚀 docker compose up -d (with preserved env: $preserve)" sudo --preserve-env="$preserve" docker compose up -d --force-recreate 2> >(grep -v 'WARN
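Review bot: The new `1a` block publishes to `IMG_TAG_DEV1`, but the `.woodpecker.yml` hunk of this same commit reads `--secret=IMG_TAG`, so unless a separate `IMG_TAG` secret is maintained elsewhere the pipeline will not see the tag written here. Use one secret name on both sides and align the header comment, which calls it `IMG_TAG`. `echo "${TAG}"` also stores a trailing newline in the secret payload; `printf '%s' "${TAG}" | gcloud secrets versions add ...` keeps the stored value exact instead of relying on every reader to strip it. Whether a failed `gcloud` call stops the script depends on shell options set above this hunk; if `set -e` is not in effect, the "pushed to Secret Manager" message prints regardless, so `|| exit 1` on the pipeline would be safer.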