From 6e135d5a32461f2dd8250150f0846e5b3cd3d60f Mon Sep 17 00:00:00 2001
From: Josh <jcoakley@aptivaai.com>
Date: Fri, 12 Sep 2025 14:32:35 +0000
Subject: [PATCH] put the fucking .woodpecker.yml back in

---
 .woodpecker.yml | 170 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 170 insertions(+)
 create mode 100644 .woodpecker.yml

diff --git a/.woodpecker.yml b/.woodpecker.yml
new file mode 100644
index 0000000..2bf6f3d
--- /dev/null
+++ b/.woodpecker.yml
@@ -0,0 +1,170 @@
+---
+kind: pipeline
+type: docker
+name: staging-promotion
+
+steps:
+  - name: security-scan
+    image: google/cloud-sdk:latest
+    entrypoint:
+      - bash
+      - -c
+      - |
+        set -euo pipefail
+        if [ "${PROMOTE:-}" = "prod" ]; then echo "⏭  staging path skipped during prod promotion"; exit 0; fi
+        IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)
+        REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo
+
+        apt-get update -qq
+        apt-get install -y -qq gnupg apt-transport-https curl ca-certificates docker.io
+
+        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
+        export PATH="$PATH:$(pwd)/bin"
+
+        gcloud auth configure-docker us-central1-docker.pkg.dev -q
+
+        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server1:$IMG_TAG
+        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server2:$IMG_TAG
+        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server3:$IMG_TAG
+        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/nginx:$IMG_TAG
+
+
+  - name: staging-deploy
+    depends_on: [security-scan]
+    image: google/cloud-sdk:latest
+    entrypoint:
+      - bash
+      - -c
+      - |
+        set -euo pipefail
+        if [ "${PROMOTE:-}" = "prod" ]; then echo "⏭  staging path skipped during prod promotion"; exit 0; fi
+        mkdir -p ~/.ssh
+
+        # ── Inject known-hosts and SSH key ───────────────────────────────
+        gcloud secrets versions access latest \
+          --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
+          | base64 -d > ~/.ssh/known_hosts
+        chmod 644 ~/.ssh/known_hosts
+
+        gcloud secrets versions access latest \
+          --secret=STAGING_SSH_KEY --project=aptivaai-dev \
+          | base64 -d > ~/.ssh/id_ed25519
+        chmod 600 ~/.ssh/id_ed25519
+
+        echo "🔑 SSH prerequisites installed"
+
+        # ── SSH into staging and deploy ──────────────────────────────────
+        ssh -o StrictHostKeyChecking=yes \
+            -i ~/.ssh/id_ed25519 \
+            jcoakley@10.128.0.12 \
+            'set -euo pipefail; \
+             PROJECT=aptivaai-dev; \
+             ENV=staging; \
+             IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
+             export IMG_TAG; \
+             JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); \
+             export JWT_SECRET; \
+             OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); \
+             export OPENAI_API_KEY; \
+             ONET_USERNAME=$(gcloud secrets versions access latest --secret=ONET_USERNAME_$ENV --project=$PROJECT); \
+             export ONET_USERNAME; \
+             ONET_PASSWORD=$(gcloud secrets versions access latest --secret=ONET_PASSWORD_$ENV --project=$PROJECT); \
+             export ONET_PASSWORD; \
+             STRIPE_SECRET_KEY=$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_$ENV --project=$PROJECT); \
+             export STRIPE_SECRET_KEY; \
+             STRIPE_PUBLISHABLE_KEY=$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_$ENV --project=$PROJECT); \
+             export STRIPE_PUBLISHABLE_KEY; \
+             STRIPE_WH_SECRET=$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_$ENV --project=$PROJECT); \
+             export STRIPE_WH_SECRET; \
+             STRIPE_PRICE_PREMIUM_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_$ENV --project=$PROJECT); \
+             export STRIPE_PRICE_PREMIUM_MONTH; \
+             STRIPE_PRICE_PREMIUM_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_$ENV --project=$PROJECT); \
+             export STRIPE_PRICE_PREMIUM_YEAR; \
+             STRIPE_PRICE_PRO_MONTH=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_$ENV --project=$PROJECT); \
+             export STRIPE_PRICE_PRO_MONTH; \
+             STRIPE_PRICE_PRO_YEAR=$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_$ENV --project=$PROJECT); \
+             export STRIPE_PRICE_PRO_YEAR; \
+             DB_NAME=$(gcloud secrets versions access latest --secret=DB_NAME_$ENV --project=$PROJECT); \
+             export DB_NAME; \
+             DB_HOST=$(gcloud secrets versions access latest --secret=DB_HOST_$ENV --project=$PROJECT); \
+             export DB_HOST; \
+             DB_PORT=$(gcloud secrets versions access latest --secret=DB_PORT_$ENV --project=$PROJECT); \
+             export DB_PORT; \
+             DB_USER=$(gcloud secrets versions access latest --secret=DB_USER_$ENV --project=$PROJECT); \
+             export DB_USER; \
+             DB_PASSWORD=$(gcloud secrets versions access latest --secret=DB_PASSWORD_$ENV --project=$PROJECT); \
+             export DB_PASSWORD; \
+             DB_SSL_CA=$(gcloud secrets versions access latest --secret=DB_SSL_CA_$ENV --project=$PROJECT); \
+             export DB_SSL_CA; \
+             DB_SSL_CERT=$(gcloud secrets versions access latest --secret=DB_SSL_CERT_$ENV --project=$PROJECT); \
+             export DB_SSL_CERT; \
+             DB_SSL_KEY=$(gcloud secrets versions access latest --secret=DB_SSL_KEY_$ENV --project=$PROJECT); \
+             export DB_SSL_KEY; \
+             TWILIO_ACCOUNT_SID=$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_$ENV --project=$PROJECT); \
+             export TWILIO_ACCOUNT_SID; \
+             TWILIO_AUTH_TOKEN=$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_$ENV --project=$PROJECT); \
+             export TWILIO_AUTH_TOKEN; \
+             TWILIO_MESSAGING_SERVICE_SID=$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_$ENV --project=$PROJECT); \
+             export TWILIO_MESSAGING_SERVICE_SID; \
+             KMS_KEY_NAME=$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_$ENV --project=$PROJECT); \
+             export KMS_KEY_NAME; \
+             DEK_PATH=$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project=$PROJECT); \
+             export DEK_PATH; \
+             SUPPORT_SENDGRID_API_KEY=$(gcloud secrets versions access latest --secret=SUPPORT_SENDGRID_API_KEY_$ENV --project=$PROJECT); \
+             export SUPPORT_SENDGRID_API_KEY; \
+             GOOGLE_MAPS_API_KEY=$(gcloud secrets versions access latest --secret=GOOGLE_MAPS_API_KEY_$ENV --project=$PROJECT); \
+             export GOOGLE_MAPS_API_KEY; \
+             SERVER1_PORT=$(gcloud secrets versions access latest --secret=SERVER1_PORT_$ENV --project=$PROJECT); \
+             export SERVER1_PORT; \
+             SERVER2_PORT=$(gcloud secrets versions access latest --secret=SERVER2_PORT_$ENV --project=$PROJECT); \
+             export SERVER2_PORT; \
+             SERVER3_PORT=$(gcloud secrets versions access latest --secret=SERVER3_PORT_$ENV --project=$PROJECT); \
+             export SERVER3_PORT; \
+             ENV_NAME=$(gcloud secrets versions access latest --secret=ENV_NAME_$ENV --project=$PROJECT); \
+             export ENV_NAME; \
+             CORS_ALLOWED_ORIGINS=$(gcloud secrets versions access latest --secret=CORS_ALLOWED_ORIGINS_$ENV --project=$PROJECT); \
+             export CORS_ALLOWED_ORIGINS; \
+             APTIVA_API_BASE=$(gcloud secrets versions access latest --secret=APTIVA_API_BASE_$ENV --project=$PROJECT); \
+             export APTIVA_API_BASE; \
+             TOKEN_MAX_AGE_MS=$(gcloud secrets versions access latest --secret=TOKEN_MAX_AGE_MS_$ENV --project=$PROJECT); \
+             export TOKEN_MAX_AGE_MS; \
+             COOKIE_SECURE=$(gcloud secrets versions access latest --secret=COOKIE_SECURE_$ENV --project=$PROJECT); \
+             export COOKIE_SECURE; \
+             COOKIE_SAMESITE=$(gcloud secrets versions access latest --secret=COOKIE_SAMESITE_$ENV --project=$PROJECT); \
+             export COOKIE_SAMESITE; \
+             ACCESS_COOKIE_NAME=$(gcloud secrets versions access latest --secret=ACCESS_COOKIE_NAME_$ENV --project=$PROJECT); \
+             export ACCESS_COOKIE_NAME; \
+             export FROM_SECRETS_MANAGER=true; \
+             \
+             # ── DEK sync: copy dev wrapped DEK into staging volume path ── \
+             if gcloud secrets describe WRAPPED_DEK_dev --project=$PROJECT >/dev/null 2>&1; then \
+               echo "🔁 Syncing dev DEK into staging volume"; \
+               gcloud secrets versions access latest --secret=WRAPPED_DEK_dev --project=$PROJECT > /tmp/dev_dek.enc; \
+               if [ -s /tmp/dev_dek.enc ]; then \
+                 sudo docker volume ls -q | grep -qx aptiva_dek_staging || sudo docker volume create aptiva_dek_staging >/dev/null; \
+                 sudo docker run --rm -v aptiva_dek_staging:/v -v /tmp:/host busybox sh -lc "set -e; mkdir -p /v/staging; cp -f /host/dev_dek.enc /v/staging/dek.enc; chown 1000:1000 /v/staging/dek.enc; chmod 400 /v/staging/dek.enc; rm -f /v/staging/dek.fpr; echo -n \"staging dek.enc bytes: \"; wc -c </v/staging/dek.enc; ls -l /v/staging"; \
+               else \
+                 echo "⚠️ WRAPPED_DEK_dev returned empty; skipping copy"; \
+               fi; \
+             else \
+               echo "ℹ️ WRAPPED_DEK_dev not found; leaving existing staging DEK alone"; \
+             fi; \
+             \
+             cd /home/jcoakley/aptiva-staging-app; \
+             sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME \
+               docker compose pull; \
+             sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME \
+               docker compose up -d --force-recreate --remove-orphans; \
+             echo "✅ Staging stack refreshed with tag $IMG_TAG"'
+
+    secrets:
+      - STAGING_SSH_KEY
+      - STAGING_KNOWN_HOSTS
+
+when:
+  event:
+    - push
+    - manual
+  branch:
+    - master
+    - dev-master