From 8a84621b5aa2f9adcef7d0f55965dec536ae8f6c Mon Sep 17 00:00:00 2001
From: Josh
Date: Thu, 31 Jul 2025 16:12:54 +0000
Subject: [PATCH] pipeline build v30 - added GCP secrets to script
---
 .woodpecker.yml | 33 ++++++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 772edfa..dd21a17 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -27,13 +27,36 @@ steps:
 -i ~/.ssh/id_ed25519 \
 jcoakley@10.128.0.12 \
 'set -euo pipefail; \
- IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev); \
+ cd /home/jcoakley/aptiva-staging-app; \
+
+ # ── Pull canonical IMG_TAG ────────────────────────────────
+ IMG_TAG=$(gcloud secrets versions access latest \
+ --secret=IMG_TAG --project=aptivaai-dev); \
 export IMG_TAG; \
 echo "📦 IMG_TAG=$IMG_TAG"; \
- cd /home/jcoakley/aptiva-staging-app; \
- echo "IMG_TAG = $IMG_TAG"; \
- sudo --preserve-env=IMG_TAG docker compose pull; \
- sudo --preserve-env=IMG_TAG docker compose up -d --force-recreate --remove-orphans; \
+
+ # ── Inject sensitive secrets runtime-only ─────────────────
+ ENV=staging; \
+ PROJECT=aptivaai-dev; \
+ SECRETS=( \
+ JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD \
+ STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET \
+ STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR \
+ STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR \
+ DB_HOST DB_PORT DB_USER DB_PASSWORD \
+ TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID \
+ ); \
+ for S in "${SECRETS[@]}"; do \
+ export "$S"="$(gcloud secrets versions access latest \
+ --secret="${S}_${ENV}" --project="$PROJECT")"; \
+ done; \
+ export FROM_SECRETS_MANAGER=true; \
+
+ # ── Compose with env preserved ────────────────────────────
+ preserve=IMG_TAG,FROM_SECRETS_MANAGER,$(IFS=,; echo "${SECRETS[*]}"); \
+ echo "🚀 docker compose up with envs: $preserve"; \
+ sudo --preserve-env="$preserve" docker compose pull; \
+ sudo --preserve-env="$preserve" docker compose up -d --force-recreate --remove-orphans; \
 echo "✅ Staging stack refreshed with tag $IMG_TAG"'
 secrets:
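Review bot: In the new secret-loading loop, `export "$S"="$(gcloud …)"` returns `export`'s exit status rather than gcloud's, so under `set -e` a missing or unreadable `${S}_${ENV}` secret does not abort the deploy — the variable is exported empty and the stack is recreated with blank credentials (ShellCheck SC2155). Split the assignment so the substitution's failure is caught: `VAL=$(gcloud secrets versions access latest --secret="${S}_${ENV}" --project="$PROJECT"); \` followed by `export "$S=$VAL"; \`, optionally preceded by `[[ -n "$VAL" ]] || exit 1` so an empty secret version also fails the step. Note also that every value now lives in the remote shell's environment and is handed to `docker compose` through `--preserve-env`, so it is presumably readable via `docker inspect` and `/proc/<pid>/environ` by anyone with docker-group or root access on that VM — worth a comment such as `# NOTE: secrets travel as process env; visible to docker-group users on this host` until a file- or Docker-secrets-based hand-off replaces it. The loop also depends on bash arrays, so the remote login shell for jcoakley must be bash rather than sh; the enclosing step (its `secrets:` block) continues past the hunk.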