From d165e2b4d3d017f08d8f2c610a6c4ceb0fef49fb Mon Sep 17 00:00:00 2001 From: Josh Date: Thu, 31 Jul 2025 16:33:49 +0000 Subject: [PATCH] pipeline build v32 - GCP secret and syntax
---
 .woodpecker.yml | 156 +++++++++++++++++++++++++++++++----------------- 1 file changed, 101 insertions(+), 55 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index dd21a17..f563ca1 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -1,68 +1,114 @@
+---
+kind: pipeline
+type: docker
+name: build-and-deploy
+
+workspace:
+ base: /woodpecker
+ path: src
+
+clone:
+ depth: 50
+
+volumes:
+ - name: docker-sock
+ host:
+ path: /var/run/docker.sock
+
 steps:
- - name: ssh-test
- image: google/cloud-sdk:latest
- entrypoint:
- - bash
- - -c
+ - name: build-and-push
+ image: docker:24.0-cli
+ privileged: true
+ volumes:
+ - name: docker-sock
+ path: /var/run/docker.sock
+ commands:
+ - |
+ set -eu
+ REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo
+ TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)
+
+ docker buildx create --use --name woodpecker || true
+
+ for svc in server1 server2 server3 nginx; do
+ docker buildx build \
+ -f Dockerfile.${svc} \
+ -t ${REG}/${svc}:${TAG} \
+ --push .
+ done
+ when:
+ event: [push, manual]
+ branch: [master]
+
+ - name: deploy-staging
+ image: appleboy/drone-ssh
+ settings:
+ host: 10.128.0.12
+ port: 22
+ username: jcoakley
+ key:
+ from_secret: STAGING_SSH_KEY
+ known_hosts:
+ from_secret: STAGING_KNOWN_HOSTS
+ script:
 - |
 set -euo pipefail
- mkdir -p ~/.ssh
+ ENV=dev
+ PROJECT=aptivaai-dev
+ ROOT=/opt/aptiva-staging-app
+ REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo
+ TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)
- # ── Inject known-hosts and SSH key ───────────────────────────────
- gcloud secrets versions access latest \
- --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
- | base64 -d > ~/.ssh/known_hosts
- chmod 644 ~/.ssh/known_hosts
+ cd "$ROOT"
+ export IMG_TAG="$TAG"
- gcloud secrets versions access latest \
- --secret=STAGING_SSH_KEY --project=aptivaai-dev \
- | base64 -d > ~/.ssh/id_ed25519
- chmod 600 ~/.ssh/id_ed25519
+ read -r -a SECRETS <<'EOF'
+ JWT_SECRET
+ OPENAI_API_KEY
+ ONET_USERNAME
+ ONET_PASSWORD
+ STRIPE_SECRET_KEY
+ STRIPE_PUBLISHABLE_KEY
+ STRIPE_WH_SECRET
+ STRIPE_PRICE_PREMIUM_MONTH
+ STRIPE_PRICE_PREMIUM_YEAR
+ STRIPE_PRICE_PRO_MONTH
+ STRIPE_PRICE_PRO_YEAR
+ DB_HOST
+ DB_PORT
+ DB_USER
+ DB_PASSWORD
+ TWILIO_ACCOUNT_SID
+ 
TWILIO_AUTH_TOKEN
+ TWILIO_MESSAGING_SERVICE_SID
+ EOF
- echo "🔑 SSH prerequisites installed"
+ echo "🔐 Pulling secrets from Secret Manager"
+ for S in "${SECRETS[@]}"; do
+ export "$S"="$(gcloud secrets versions access latest \
+ --secret="${S}_${ENV}" \
+ --project="${PROJECT}")"
+ done
- # ── SSH into staging and deploy ──────────────────────────────────
- ssh -o StrictHostKeyChecking=yes \
- -i ~/.ssh/id_ed25519 \
- jcoakley@10.128.0.12 \
- 'set -euo pipefail; \
- cd /home/jcoakley/aptiva-staging-app; \
+ export FROM_SECRETS_MANAGER=true
- # ── Pull canonical IMG_TAG ────────────────────────────────
- IMG_TAG=$(gcloud secrets versions access latest \
- --secret=IMG_TAG --project=aptivaai-dev); \
- export IMG_TAG; \
- echo "📦 IMG_TAG=$IMG_TAG"; \
+ preserve_vars=(
+ IMG_TAG
+ FROM_SECRETS_MANAGER
+ $(IFS=,; echo "${SECRETS[*]}")
+ )
+ preserve=$(IFS=,; echo "${preserve_vars[*]}")
- # ── Inject sensitive secrets runtime-only ─────────────────
- ENV=staging; \
- PROJECT=aptivaai-dev; \
- SECRETS=( \
- JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD \
- STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET \
- STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR \
- STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR \
- DB_HOST DB_PORT DB_USER DB_PASSWORD \
- TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID \
- ); \
- for S in "${SECRETS[@]}"; do \
- export "$S"="$(gcloud secrets versions access latest \
- --secret="${S}_${ENV}" --project="$PROJECT")"; \
- done; \
- export FROM_SECRETS_MANAGER=true; \
+ echo "🚀 Deploying with preserved env: $preserve"
- # ── Compose with env preserved ────────────────────────────
- preserve=IMG_TAG,FROM_SECRETS_MANAGER,$(IFS=,; echo "${SECRETS[*]}"); \
- echo "🚀 docker compose up with envs: $preserve"; \
- sudo --preserve-env="$preserve" docker compose pull; \
- sudo --preserve-env="$preserve" docker compose up -d --force-recreate --remove-orphans; \
- echo "✅ Staging stack refreshed with tag $IMG_TAG"'
-
- 
secrets:
- - STAGING_SSH_KEY
- - STAGING_KNOWN_HOSTS
+ sudo --preserve-env="$preserve" \
+ docker compose pull
+ sudo --preserve-env="$preserve" \
+ docker compose up -d \
+ --force-recreate \
+ --remove-orphans
 when:
- event:
- - push
+ event: [push, manual]
+ branch: [master]
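Review bot: In deploy-staging, `read -r -a SECRETS <<'EOF'` reads only the first line of the heredoc, so `SECRETS` ends up as the single element `JWT_SECRET` and the other seventeen `*_dev` secrets are never fetched from Secret Manager nor carried through `sudo --preserve-env`; `read` exits 0 here, so `set -euo pipefail` does not catch it and the stack is recreated with `FROM_SECRETS_MANAGER=true` but without DB_PASSWORD, STRIPE_SECRET_KEY and the rest. Restore a plain array literal, as the removed code had, in place of the heredoc (below). Also, `$CI_COMMIT_SHA` is now expanded on the staging host rather than in the CI container; unless drone-ssh forwards it (this step sets no `envs:`), `set -u` aborts at the `TAG=` line before anything deploys. Finally, build-and-push runs `privileged: true` with the host's `/var/run/docker.sock` mounted, so anyone who can push to master gets root on the Woodpecker host through an arbitrary Dockerfile; consider a rootless builder (buildkit/kaniko) or at least pin `docker:24.0-cli` by digest.
```yaml
      script:
        - |
          # … unchanged: set -euo pipefail, ENV/PROJECT/ROOT/REG/TAG, cd "$ROOT", export IMG_TAG …
          SECRETS=(
            JWT_SECRET
            OPENAI_API_KEY
            ONET_USERNAME
            ONET_PASSWORD
            STRIPE_SECRET_KEY
            STRIPE_PUBLISHABLE_KEY
            STRIPE_WH_SECRET
            STRIPE_PRICE_PREMIUM_MONTH
            STRIPE_PRICE_PREMIUM_YEAR
            STRIPE_PRICE_PRO_MONTH
            STRIPE_PRICE_PRO_YEAR
            DB_HOST
            DB_PORT
            DB_USER
            DB_PASSWORD
            TWILIO_ACCOUNT_SID
            TWILIO_AUTH_TOKEN
            TWILIO_MESSAGING_SERVICE_SID
          )
          # … unchanged: gcloud fetch loop, FROM_SECRETS_MANAGER, preserve_vars, sudo docker compose …
```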