From ed5a9e71d669d4b22de455751726f65f1b77f7ca Mon Sep 17 00:00:00 2001
From: Josh
Date: Sat, 13 Sep 2025 09:14:01 +0000
Subject: [PATCH] IMG_TAG fixes...
---
 .woodpecker.yml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index e0b78db..7f57a6d 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -129,20 +129,27 @@ steps: echo "🔑 SSH prerequisites installed" # ── SSH into PROD and deploy (NO DEK SYNC) ──────────────────────── + IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"; export IMG_TAG; \ ssh -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \ --project=aptivaai-prod --zone=us-central1-a \ --listen-on-stdin --verbosity=error" \ -o StrictHostKeyChecking=accept-new -i ~/.ssh/id_ed25519 \ - "$PROD_SSH_TARGET" bash -s -- "$IMG_TAG" \ + "$PROD_SSH_TARGET" bash -s \ set -euo pipefail; \ - IMG_TAG="${1:?IMG_TAG arg missing}"; export IMG_TAG PROJECT=aptivaai-prod; \ export PROJECT; \ ENV=prod; \ - # sanity: ensure prod SM matches the single source (dev) before pull - prod_val=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \ - [ "$prod_val" = "$IMG_TAG" ] || { echo "❌ Prod SM IMG_TAG ($prod_val) != dev IMG_TAG ($IMG_TAG)"; exit 1; }; \ - \ + + # dev tag injected from CI at script-generation time + IMG_TAG_DEV="$IMG_TAG_DEV" + echo "🔖 Using DEV IMG_TAG=\$IMG_TAG_DEV" + + # read prod tag on the VM and enforce parity + IMG_TAG_PROD="$(gcloud secrets versions access latest --secret=IMG_TAG --project="\$PROJECT")" + [ "\$IMG_TAG_PROD" = "\$IMG_TAG_DEV" ] || { echo "❌ Tag mismatch on VM: dev=\$IMG_TAG_DEV prod=\$IMG_TAG_PROD"; exit 1; } + IMG_TAG="\$IMG_TAG_DEV"; export IMG_TAG + echo "✅ Tag parity ok (\$IMG_TAG)" + # Pull all runtime secrets from aptivaai-prod JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET; \ OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); export OPENAI_API_KEY; \
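Review bot: `IMG_TAG_DEV` is never assigned in the lines visible here: the added line before `ssh` fetches the dev secret into `IMG_TAG`, yet the remote script reads `IMG_TAG_DEV="$IMG_TAG_DEV"`, so unless it is set outside this hunk the parity gate compares the prod tag against an empty string and would report parity if the prod read also came back empty. Assign the variable the script actually consumes and fail early on the CI side, e.g. `IMG_TAG_DEV="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"` followed by `case "$IMG_TAG_DEV" in ''|*[!A-Za-z0-9._-]*) echo "invalid IMG_TAG" >&2; exit 1;; esac`. The character check matters because the value now appears to be spliced into the script text that a shell on the production VM executes, whereas the removed `bash -s -- "$IMG_TAG"` with `${1:?IMG_TAG arg missing}` passed it as an argument. The added lines also drop the `; \` terminators and use `\$` escapes that the surrounding context lines do not, so confirm against the step's quoting, which starts outside this hunk, that the `gcloud` read and the comparison run on the VM as the comment says.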