inline

.woodpecker.yml

@@ -112,7 +112,6 @@ steps:
         [[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
 
         mkdir -p ~/.ssh
-
         gcloud secrets versions access latest \
           --secret=PROD_SSH_KEY --project=aptivaai-dev \
           | base64 -d > ~/.ssh/id_ed25519
@@ -124,21 +123,20 @@ steps:
         echo "🔑 SSH prerequisites installed"
         echo "🚀 Deploying tag $IMG_TAG to prod server $PROD_SSH_TARGET"
 
-        cat <<EOSSH | ssh -T \
+        ssh -T \
           -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \
-            --project=aptivaai-prod --zone=us-central1-a \
+          --project=aptivaai-prod --zone=us-central1-a \
-            --listen-on-stdin --verbosity=error" \
+          --listen-on-stdin --verbosity=error" \
           -o StrictHostKeyChecking=accept-new \
           -i ~/.ssh/id_ed25519 \
-          "$PROD_SSH_TARGET" bash -s -- "$IMG_TAG"
+          "$PROD_SSH_TARGET" bash -s -- "$IMG_TAG" <<'EOF'
+          set -euo pipefail
+          IMG_TAG="${1:?IMG_TAG arg missing}"
+          export IMG_TAG
 
-        set -euo pipefail
+          PROJECT=aptivaai-prod
-        IMG_TAG="\${1:?IMG_TAG arg missing}"
+          ENV=prod
-        export IMG_TAG
+          export PROJECT ENV
-
-        PROJECT=aptivaai-prod
-        ENV=prod
-        export PROJECT ENV
 
             # Pull runtime secrets (unchanged list)
             JWT_SECRET="$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project="$PROJECT")"; export JWT_SECRET