From d5848a6494c4c4465ef553e9d0b8be36c9dbacb0 Mon Sep 17 00:00:00 2001
From: Josh
Date: Fri, 12 Sep 2025 15:38:11 +0000
Subject: [PATCH] variable name fixes
---
 .woodpecker.yml | 75 ++++++++++++++++++++++---------------------------
 1 file changed, 33 insertions(+), 42 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index f940c88..dd740e1 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -6,86 +6,76 @@ name: prod-promotion
 steps:
 - name: promote-tag-and-mirror
 image: google/cloud-sdk:latest
- entrypoint:
- - bash
- - -c
+ entrypoint: [bash, -c]
+ commands:
 - |
 set -euo pipefail
- [[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
+ if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
 # Dev is the single source of truth for IMG_TAG
 IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
 SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
 DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
- # Hard guards so we fail *before* skopeo if anything is empty
 [ -n "$IMG_TAG" ] || { echo "❌ IMG_TAG is empty"; exit 2; }
- [ -n "$SRC" ] || { echo "❌ SRC is empty"; exit 2; }
- [ -n "$DST" ] || { echo "❌ DST is empty"; exit 2; }
- apt-get update -qq
- apt-get install -y -qq skopeo
- TOKEN="$(gcloud auth print-access-token)"
- for s in server1 server2 server3 nginx; do
+ apt-get update -qq
+ apt-get install -y -qq skopeo
+ TOKEN="$(gcloud auth print-access-token)"
+
+ for s in server1 server2 server3 nginx; do
+ SRC_REF="docker://$SRC/$s:$IMG_TAG"
+ DST_REF="docker://$DST/$s:$IMG_TAG"
+ echo "🔁 copy $SRC_REF → $DST_REF"
 skopeo copy --insecure-policy \
- --src-creds "oauth2accesstoken:${TOKEN}" \
- --dest-creds "oauth2accesstoken:${TOKEN}" \
- "docker://${SRC}/${s}:${IMG_TAG}" \
- "docker://${DST}/${s}:${IMG_TAG}"
- done
-
- for svc in server1 server2 server3 nginx; do
- docker pull "$SRC/$svc:$IMG_TAG"
- docker tag "$SRC/$svc:$IMG_TAG" "$DST/$svc:$IMG_TAG"
- docker push "$DST/$svc:$IMG_TAG"
+ --src-creds "oauth2accesstoken:$TOKEN" \
+ --dest-creds "oauth2accesstoken:$TOKEN" \
+ "$SRC_REF" "$DST_REF"
 done
- # Publish the exact tag to prod SM so deploy & scan read the same value
- printf "%s" "${IMG_TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="aptivaai-prod" >/dev/null
- echo "🏷 Promoted IMG_TAG=${IMG_TAG} → aptivaai-prod & mirrored images"
+ printf "%s" "$IMG_TAG" | gcloud secrets versions add IMG_TAG --data-file=- --project=aptivaai-prod >/dev/null
+ echo "🏷 Promoted IMG_TAG=$IMG_TAG → aptivaai-prod"
+
 - name: verify-sync
 depends_on: [promote-tag-and-mirror]
 image: google/cloud-sdk:latest
- entrypoint:
- - bash
- - -c
+ entrypoint: [bash, -c]
+ commands:
 - |
 set -euo pipefail
- [[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
+ if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
+
 IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
- prod_val="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
- [[ "$IMG_TAG" == "$prod_val" ]] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$prod_val"; exit 1; }
+ PROD_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
+ [ "$IMG_TAG" = "$PROD_TAG" ] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$PROD_TAG"; exit 1; }
 echo "✅ Tag parity confirmed: $IMG_TAG"
- # Ensure images truly exist in PROD AR
+ DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
 apt-get update -qq && apt-get install -y -qq skopeo
 TOKEN="$(gcloud auth print-access-token)"
 for s in server1 server2 server3 nginx; do
- REF="docker://${DST}/${s}:${IMG_TAG}"
- echo "🔎 verify ${REF}"
- skopeo inspect --creds "oauth2accesstoken:${TOKEN}" "$REF" >/dev/null
+ REF="docker://$DST/$s:$IMG_TAG"
+ echo "🔎 verify $REF"
+ skopeo inspect --creds "oauth2accesstoken:$TOKEN" "$REF" >/dev/null
 done
 echo "✅ Prod AR has all images at :$IMG_TAG"
+
 - name: security-scan
 depends_on: [verify-sync]
 image: google/cloud-sdk:latest
- entrypoint:
- - bash
- - -c
+ entrypoint: [bash, -c]
+ commands:
 - |
 set -euo pipefail
- # Guard so this file doesn't run unless you explicitly set PROMOTE=prod in the UI
- [[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
+ if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
- # Scan the images that WILL be deployed: pull IMG_TAG from PROD
 IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
 REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
 apt-get update -qq
- apt-get install -y -qq gnupg apt-transport-https curl ca-certificates
-
+ apt-get install -y -qq gnupg apt-transport-https curl ca-certificates
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
 export PATH="$PATH:$(pwd)/bin"
@@ -97,6 +87,7 @@ steps:
 --scanners vuln --ignore-unfixed --ignorefile .trivyignore \
 --exit-code 1 --severity CRITICAL "$REF"
 done
+
 - name: prod-deploy
 depends_on: [security-scan]
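Review bot: The new guard `if [ "x$PROMOTE" != "xprod" ]` in promote-tag-and-mirror drops the `:-` default that the removed `[[ "${PROMOTE:-}" == "prod" ]]` had, so under the script's `set -u` an unset PROMOTE no longer prints "Skipping" and exits 0 but aborts the step with an unbound-variable error; the same regression is in the verify-sync and security-scan guards in this hunk. Unless Woodpecker is known to export PROMOTE on every run, use `if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=${PROMOTE:-})"; exit 0; fi` in all three steps (the `x` prefix is not needed in bash). The unchanged context lines `skopeo copy --insecure-policy` and `curl -sfL .../install.sh | bash` still mean the promotion copies images with the signature policy disabled and installs the scanner from an unpinned script; a follow-up pinning a trivy release and supplying a policy file would be worth a line in the step comments.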