Copilot rewrite

.woodpecker/prod.yml

@@ -94,27 +94,29 @@ steps:
 
         mkdir -p ~/.ssh
 
-        # Pull SSH materials for PROD from aptivaai-dev SM (same pattern as staging)
-
         gcloud secrets versions access latest \
           --secret=PROD_SSH_KEY --project=aptivaai-dev \
           | base64 -d > ~/.ssh/id_ed25519
         chmod 600 ~/.ssh/id_ed25519
 
         PROD_SSH_TARGET="$(gcloud secrets versions access latest --secret=PROD_SSH_TARGET --project=aptivaai-dev)"
+        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
 
         echo "🔑 SSH prerequisites installed"
 
-        # ── SSH into PROD and deploy (NO DEK SYNC) ────────────────────────
-        ssh -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \
-          --project=aptivaai-prod --zone=us-central1-a \
-          --listen-on-stdin --verbosity=error" \
-          -o StrictHostKeyChecking=accept-new -i ~/.ssh/id_ed25519 \
-          "$PROD_SSH_TARGET" \
-          set -euo pipefail; \
-            PROJECT=aptivaai-prod; \
-            ENV=prod; \
-            IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"; export IMG_TAG; \
+        echo '
+        set -euo pipefail
+        IMG_TAG="${1:?IMG_TAG arg missing}"
+        export IMG_TAG
+
+        PROJECT=aptivaai-prod
+        ENV=prod
+        export PROJECT ENV
+
+        # Optional sanity check
+        prod_val="$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT)"
+        [ "$prod_val" = "$IMG_TAG" ] || { echo "❌ Prod SM IMG_TAG ($prod_val) != dev IMG_TAG ($IMG_TAG)"; exit 1; }
+        
               # Pull all runtime secrets from aptivaai-prod
               JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET; \
               OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); export OPENAI_API_KEY; \
@@ -162,6 +164,13 @@ steps:
               sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME \
                 docker compose up -d --force-recreate --remove-orphans; \
              echo "✅ Prod stack refreshed with tag $IMG_TAG"
+              ' | ssh -T \
+                -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \
+                --project=aptivaai-prod --zone=us-central1-a \
+                --listen-on-stdin --verbosity=error" \
+                -o StrictHostKeyChecking=accept-new \
+                -i ~/.ssh/id_ed25519 \
+                "$PROD_SSH_TARGET" bash -s -- "$IMG_TAG"
 
     secrets:
         - PROD_SSH_KEY