pipline build v26 - TAG GCP added, deploy_all.sh updated

2025-07-31 15:42:36 +00:00 · 2025-07-31 15:42:36 +00:00 · 5a1817e4f5
commit 5a1817e4f5
parent 0d6b3c2e5b
2 changed files with 44 additions and 44 deletions
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@ -1,5 +1,4 @@
-steps:
-  ssh-test:
+- name: ssh-test
  image: google/cloud-sdk:latest
  entrypoint:
    - bash
@ -9,7 +8,7 @@ steps:

      mkdir -p ~/.ssh

-        # ── Inject known-hosts and SSH key ──────────────────────────────
+      # ── Inject known-hosts and SSH key ───────────────────────────────
      gcloud secrets versions access latest \
        --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
        | base64 -d > ~/.ssh/known_hosts
@ -22,21 +21,16 @@ steps:

      echo "🔑 SSH prerequisites installed"

-        # ── Grab full commit SHA and slice tag ──────────────────────────
-        echo "📦 CI_COMMIT_SHA: ${CI_COMMIT_SHA:-unset}"
-        TAG="${CI_COMMIT_SHA:-}"
-        if [ -z "$TAG" ]; then
-          echo "❌ CI_COMMIT_SHA is blank. Aborting."
-          exit 1
-        fi
-        TAG=$(echo "$TAG" | head -c 8)
-        echo "🚀 Deploying tag ${TAG} to staging"
+      # ── Fetch IMG_TAG from canonical source ───────────────────────────
+      IMG_TAG=$(gcloud secrets versions access latest \
+        --secret=IMG_TAG --project=aptivaai-dev)
+      echo "📦 IMG_TAG=${IMG_TAG}"

-        # ── SSH into staging and refresh the stack ──────────────────────
+      # ── SSH into staging and refresh the stack ───────────────────────
      ssh -o StrictHostKeyChecking=yes \
          -i ~/.ssh/id_ed25519 \
          jcoakley@10.128.0.12 \
-            "export IMG_TAG=${TAG}; \
+          "export IMG_TAG=${IMG_TAG}; \
           cd /home/jcoakley/aptiva-staging-app; \
           echo 'IMG_TAG = ${IMG_TAG}'; \
           echo '→ Pulling containers'; \
@ -45,9 +39,7 @@ steps:
           docker compose up -d --force-recreate --remove-orphans; \
           echo '✅ Staging stack refreshed with tag ${IMG_TAG}'"

-environment:
-  CI_COMMIT_SHA: ${CI_COMMIT_SHA}
-
+secrets: [ gcp-creds ]
 when:
  event:
    - push
--- a/deploy_all.sh
+++ b/deploy_all.sh
@ -41,6 +41,15 @@ else
 fi
 echo "✅  .env updated with IMG_TAG=${TAG}"

+# ─────────────────────────────────────────────────────────────
+# 1a. Publish IMG_TAG to GCP Secret Manager (canonical source)
+# ─────────────────────────────────────────────────────────────
+echo "${TAG}" | gcloud secrets versions add IMG_TAG_DEV1 \
+  --data-file=- \
+  --project="$PROJECT"
+
+echo "📦  IMG_TAG pushed to Secret Manager as IMG_TAG_DEV1"
+
 # ─────────────────────────────────────────────────────────────
 # 2. Export secrets straight from Secret Manager
 #    (they live only in this shell, never on disk)
@ -61,7 +70,6 @@ export FROM_SECRETS_MANAGER=true
 # Preserve only the variables docker‑compose needs for expansion
 preserve=IMG_TAG,FROM_SECRETS_MANAGER,REACT_APP_API_URL,$(IFS=,; echo "${SECRETS[*]}")

-
 echo "🚀  docker compose up -d (with preserved env: $preserve)"
 sudo --preserve-env="$preserve" docker compose up -d --force-recreate 2> >(grep -v 'WARN