From a696106c28a67aaf773bd81b6cf7f9f3d0fc8ab2 Mon Sep 17 00:00:00 2001
From: Josh
Date: Wed, 6 Aug 2025 22:41:24 +0000
Subject: [PATCH] pipeline
---
 .woodpecker.yml | 108 +++++++++++++++++++++++-------------------------
 1 file changed, 52 insertions(+), 56 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 06be373..63ba6f5 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -1,77 +1,73 @@ -# .woodpecker.yml (only the relevant step shown) +--- +kind: pipeline +type: docker +name: ssh-test + steps: - - name: deploy-staging + - name: ssh-test image: google/cloud-sdk:latest entrypoint: - bash - - -euco + - -c - | - ##################################################################### - # 1) PARAMETERS # - ##################################################################### - PROJECT=aptivaai-dev # GCP project that holds secrets - ENV=staging # <‑‑ change once, covers suffixes - HOST=10.128.0.12 # staging VM - SSH_USER=jcoakley + set -euo pipefail - # One authoritative list of secret names (same as deploy_all.sh) - SECRETS=( - JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD - STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET - STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR - STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR - DB_HOST DB_NAME DB_PORT DB_USER DB_PASSWORD - DB_SSL_CERT DB_SSL_KEY DB_SSL_CA - TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID - KMS_KEY_NAME DEK_PATH # ← NEW - ) - - ##################################################################### - # 2) SSH prerequisites # - ##################################################################### mkdir -p ~/.ssh + + # ── Inject known-hosts and SSH key ─────────────────────────────── gcloud secrets versions access latest \ - --secret=STAGING_KNOWN_HOSTS --project="$PROJECT" | base64 -d \ - > ~/.ssh/known_hosts + --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \ + | base64 -d > ~/.ssh/known_hosts chmod 644 ~/.ssh/known_hosts gcloud secrets versions access latest \ - --secret=STAGING_SSH_KEY --project="$PROJECT" | base64 -d \ - > ~/.ssh/id_ed25519 + --secret=STAGING_SSH_KEY --project=aptivaai-dev \ + | base64 -d > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 - echo "🔑 SSH key & known‑hosts installed" + echo "🔑 SSH prerequisites installed" - ##################################################################### - # 3) Build the remote export 
block # - ##################################################################### - export_block="PROJECT=${PROJECT}; ENV=${ENV}; " - export_block+="IMG_TAG=\$(gcloud secrets versions access latest \ - --secret=IMG_TAG --project=\${PROJECT}); export IMG_TAG; " + # ── SSH into staging and deploy ────────────────────────────────── + ssh -o StrictHostKeyChecking=yes \ + -i ~/.ssh/id_ed25519 \ + jcoakley@10.128.0.12 \ + 'set -euo pipefail + PROJECT=aptivaai-dev + ENV=staging # ← or “dev”, “prod”, etc. + IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT) + export IMG_TAG - for S in "${SECRETS[@]}"; do - export_block+="${S}=\$(gcloud secrets versions access latest \ - --secret=${S}_${ENV} --project=\${PROJECT}); export ${S}; " - done + # pull every secret in the SECRETS array + declare -a SECRETS=( + JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD + STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET + STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR + STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR + DB_HOST DB_NAME DB_PORT DB_USER DB_PASSWORD + DB_SSL_CERT DB_SSL_KEY DB_SSL_CA + TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID + KMS_KEY_NAME DEK_PATH + ) + for S in "${SECRETS[@]}"; do + # no quotes on the left‑hand side + export ${S}="$(gcloud secrets versions access latest \ + --secret="${S}_${ENV}" --project="$PROJECT")" + done + export FROM_SECRETS_MANAGER=true - export_block+="export FROM_SECRETS_MANAGER=true; " + cd /home/jcoakley/aptiva-staging-app + # build the --preserve-env list dynamically so new vars flow through + preserve=$(IFS=,; echo IMG_TAG,FROM_SECRETS_MANAGER,${SECRETS[*]}) + sudo --preserve-env="$preserve" docker compose pull + sudo --preserve-env="$preserve" docker compose up -d --force-recreate --remove-orphans - ##################################################################### - # 4) Remote docker‑compose update # - 
##################################################################### - export_block+="cd /home/${SSH_USER}/aptiva-staging-app; " - # Include every exported var in --preserve-env - preserve=$(IFS=,; echo IMG_TAG,FROM_SECRETS_MANAGER,${SECRETS[*]}) - export_block+="sudo --preserve-env=${preserve} docker compose pull; " - export_block+="sudo --preserve-env=${preserve} \ - docker compose up -d --force-recreate --remove-orphans; " - export_block+="echo '✅ Staging stack refreshed with tag \$IMG_TAG';" + echo "✅ Staging stack refreshed with tag $IMG_TAG" + ' - ##################################################################### - # 5) Execute over SSH # - ##################################################################### - ssh -o StrictHostKeyChecking=yes -i ~/.ssh/id_ed25519 \ - "${SSH_USER}@${HOST}" "${export_block}" secrets: - STAGING_SSH_KEY - STAGING_KNOWN_HOSTS + +when: + event: + - push
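Review bot: In the remote script's secret loop, `export ${S}="$(gcloud ...)"` returns the status of `export`, not of the substituted gcloud call, so a missing or inaccessible `${S}_${ENV}` secret leaves the variable empty and the remote `set -euo pipefail` does not stop the run; `docker compose up --force-recreate` then restarts the stack with blank credentials. Split the assignment so the failure is visible to `set -e`: `value=$(gcloud secrets versions access latest --secret="${S}_${ENV}" --project="$PROJECT")` followed by `export "${S}=${value}"`. The earlier `IMG_TAG=$(...)` line is a plain assignment and is not affected by this masking. Separately, the project id, SSH user and host that the removed version held in `PROJECT`, `SSH_USER` and `HOST` are now repeated as literals in both gcloud calls, the ssh target, the remote `PROJECT=` line and the `cd` path; keeping them as step-level variables would stop those copies drifting apart.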