jcoakley/dev1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

IMG_TAG fixes...
Some checks failed
ci/woodpecker/manual/woodpecker Pipeline failed
Details

Browse Source
This commit is contained in:
Josh 2025-09-13 09:14:01 +00:00
parent a9a1914d5a
commit ed5a9e71d6
1 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
.woodpecker.yml
View File

@ -129,20 +129,27 @@ steps:
echo "🔑 SSH prerequisites installed" echo "🔑 SSH prerequisites installed"
# ── SSH into PROD and deploy (NO DEK SYNC) ──────────────────────── # ── SSH into PROD and deploy (NO DEK SYNC) ────────────────────────
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"; export IMG_TAG; \
ssh -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \ ssh -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \
--project=aptivaai-prod --zone=us-central1-a \ --project=aptivaai-prod --zone=us-central1-a \
--listen-on-stdin --verbosity=error" \ --listen-on-stdin --verbosity=error" \
-o StrictHostKeyChecking=accept-new -i ~/.ssh/id_ed25519 \ -o StrictHostKeyChecking=accept-new -i ~/.ssh/id_ed25519 \
"$PROD_SSH_TARGET" bash -s -- "$IMG_TAG" \ "$PROD_SSH_TARGET" bash -s \
set -euo pipefail; \ set -euo pipefail; \
IMG_TAG="${1:?IMG_TAG arg missing}"; export IMG_TAG
PROJECT=aptivaai-prod; \ PROJECT=aptivaai-prod; \
export PROJECT; \ export PROJECT; \
ENV=prod; \ ENV=prod; \
# sanity: ensure prod SM matches the single source (dev) before pull
prod_val=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \ # dev tag injected from CI at script-generation time
[ "$prod_val" = "$IMG_TAG" ] || { echo "❌ Prod SM IMG_TAG ($prod_val) != dev IMG_TAG ($IMG_TAG)"; exit 1; }; \ IMG_TAG_DEV="$IMG_TAG_DEV"
\ echo "🔖 Using DEV IMG_TAG=\$IMG_TAG_DEV"
# read prod tag on the VM and enforce parity
IMG_TAG_PROD="$(gcloud secrets versions access latest --secret=IMG_TAG --project="\$PROJECT")"
[ "\$IMG_TAG_PROD" = "\$IMG_TAG_DEV" ] || { echo "❌ Tag mismatch on VM: dev=\$IMG_TAG_DEV prod=\$IMG_TAG_PROD"; exit 1; }
IMG_TAG="\$IMG_TAG_DEV"; export IMG_TAG
echo "✅ Tag parity ok (\$IMG_TAG)"
# Pull all runtime secrets from aptivaai-prod # Pull all runtime secrets from aptivaai-prod
JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET; \ JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET; \
OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); export OPENAI_API_KEY; \ OPENAI_API_KEY=$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project=$PROJECT); export OPENAI_API_KEY; \