From ed7ce902a7ec2eb4cfbf85b9aac869afede92645 Mon Sep 17 00:00:00 2001
From: Josh
Date: Thu, 31 Jul 2025 15:56:52 +0000
Subject: [PATCH] pipeline build v26 - TAG in GCP
---
 .env | 2 +-
 .woodpecker.yml | 9 ++++-----
 deploy_all.sh | 32 +++++++++++++------------------
 3 files changed, 18 insertions(+), 25 deletions(-)
diff --git a/.env b/.env
index ab077a4..7e836b3 100644
--- a/.env
+++ b/.env
@@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
 SERVER1_PORT=5000
 SERVER2_PORT=5001
 SERVER3_PORT=5002
-IMG_TAG=202507301457
\ No newline at end of file
+IMG_TAG=202507311547
\ No newline at end of file
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 3c4c437..9cc5002 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -21,25 +21,24 @@
 echo "πŸ”‘ SSH prerequisites installed"
- # ── Fetch IMG_TAG from canonical source ───────────────────────────
+ # ── Fetch canonical IMG_TAG ──────────────────────────────────────
 IMG_TAG=$(gcloud secrets versions access latest \
 --secret=IMG_TAG --project=aptivaai-dev)
 echo "πŸ“¦ IMG_TAG=${IMG_TAG}"
- # ── SSH into staging and refresh the stack ───────────────────────
+ # ── SSH into staging and deploy ──────────────────────────────────
 ssh -o StrictHostKeyChecking=yes \
 -i ~/.ssh/id_ed25519 \
 jcoakley@10.128.0.12 \
 "export IMG_TAG=${IMG_TAG}; \
 cd /home/jcoakley/aptiva-staging-app; \
 echo 'IMG_TAG = ${IMG_TAG}'; \
- echo 'β†’ Pulling containers'; \
 docker compose pull; \
- echo 'β†’ Recreating services'; \
 docker compose up -d --force-recreate --remove-orphans; \
 echo 'βœ… Staging stack refreshed with tag ${IMG_TAG}'"
-secrets: [ gcp-creds ]
+secrets: [ STAGING_SSH_KEY, STAGING_KNOWN_HOSTS ]
+ when: event: - push
diff --git a/deploy_all.sh b/deploy_all.sh
index 37a0d78..6bc5f80 100755
--- a/deploy_all.sh
+++ b/deploy_all.sh
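Review bot: The new `secrets: [ STAGING_SSH_KEY, STAGING_KNOWN_HOSTS ]` line drops `gcp-creds` from this step, yet the step still runs `gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev`; unless a GCP credential now reaches the step some other way that is not visible in this hunk, that call fails and `IMG_TAG` is left empty. Because `${IMG_TAG}` is expanded into the remote command string (`"export IMG_TAG=${IMG_TAG}; ..."`) that the staging host's shell then evaluates, an empty or malformed value would presumably hand `docker compose pull` an empty tag or alter that command, so the value should be checked before the `ssh`: `[[ "$IMG_TAG" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "unexpected IMG_TAG value" >&2; exit 1; }`. Note also that the unsuffixed `IMG_TAG` secret is written by deploy_all.sh from the dev build (`ENV=dev`, `ROOT=/home/jcoakley/aptiva-dev1-app` in the same patch), so this staging deploy now follows whatever the dev script last published; if that is intended it deserves a comment here, e.g. `# IMG_TAG is published by deploy_all.sh (dev build); staging deploys that tag`.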
@@ -2,14 +2,14 @@ set -euo pipefail
 # ─────────────────────────────────────────────────────────────
-# CONFIG – adjust only the 4 lines below if you change projects
+# CONFIG – adjust only these 4 if needed
 # ─────────────────────────────────────────────────────────────
-ENV=dev # secret suffix, e.g. JWT_SECRET_staging
+ENV=dev
 PROJECT=aptivaai-dev
 ROOT=/home/jcoakley/aptiva-dev1-app
 REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo
-ENV_FILE="${ROOT}/.env" # ← holds NON‑sensitive values only
+ENV_FILE="${ROOT}/.env"
 SECRETS=( JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR
@@ -19,21 +19,20 @@ SECRETS=(
 cd "$ROOT"
 echo "πŸ›  Building front‑end bundle"
-npm ci --silent # installs if node_modules is missing/old
+npm ci --silent
 npm run build
 # ─────────────────────────────────────────────────────────────
-# 1. Build βž” Push βž” Bump IMG_TAG in .env
+# 1. Build β†’ Push β†’ Stamp .env
 # ─────────────────────────────────────────────────────────────
 TAG=$(date -u +%Y%m%d%H%M)
-echo "πŸ”¨ Building & pushing containers (tag = ${TAG})"
+echo "πŸ”¨ Building & pushing containers (tag = ${TAG})"
 for svc in server1 server2 server3; do
 docker build -f Dockerfile."$svc" -t "${REG}/${svc}:${TAG}" .
 docker push "${REG}/${svc}:${TAG}"
 done
-# keep .env for static, non‑sensitive keys (ports, API_BASE…)
 if grep -q '^IMG_TAG=' "$ENV_FILE"; then
 sed -i "s/^IMG_TAG=.*/IMG_TAG=${TAG}/" "$ENV_FILE"
 else
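Review bot: The new `ENV_FILE="${ROOT}/.env"` and `ENV=dev` lines drop the comments that explained them, and those were the only statement in the file that `.env` holds non-sensitive values only and that `ENV` is the Secret Manager name suffix (it is consumed later as `--secret="${S}_${ENV}"`). Since `.env` is tracked in git (this very patch bumps `IMG_TAG` in it), the "no secrets here" rule is worth keeping next to the path: `ENV_FILE="${ROOT}/.env"   # tracked in git – non-sensitive values only; secrets come from Secret Manager` and `ENV=dev   # suffix for Secret Manager names, e.g. JWT_SECRET_dev`. The following hunk removes the same guidance again (`# keep .env for static, non‑sensitive keys (ports, API_BASE…)`), so one restored comment here covers both.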
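Review bot: `TAG=$(date -u +%Y%m%d%H%M)` is unchanged by this commit but now feeds both the image tags pushed in this hunk and the Secret Manager value the staging pipeline deploys from, and it has only minute resolution: a second run inside the same minute pushes `${REG}/${svc}:${TAG}` over the previous image, so the tag no longer identifies one build and the secret's version history cannot tell them apart. Making the tag unique, e.g. `TAG=$(date -u +%Y%m%d%H%M%S)` or `TAG="$(date -u +%Y%m%d%H%M)-$(git rev-parse --short HEAD)"`, keeps the tag-to-image mapping stable; the `sed` stamp below does not depend on the tag's length, though any form containing `/` or `&` would need a different delimiter or escaping.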
@@ -42,35 +41,30 @@ fi
 echo "βœ… .env updated with IMG_TAG=${TAG}"
 # ─────────────────────────────────────────────────────────────
-# 1a. Publish IMG_TAG to GCP Secret Manager (canonical source)
+# 1a. Publish IMG_TAG to Secret Manager (single source of truth)
 # ─────────────────────────────────────────────────────────────
-echo "${TAG}" | gcloud secrets versions add IMG_TAG_DEV1 \
- --data-file=- \
- --project="$PROJECT"
+printf "%s" "${TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="$PROJECT"
-echo "πŸ“¦ IMG_TAG pushed to Secret Manager as IMG_TAG_DEV1"
+echo "πŸ“¦ IMG_TAG pushed to Secret Manager (no suffix)"
 # ─────────────────────────────────────────────────────────────
-# 2. Export secrets straight from Secret Manager
-# (they live only in this shell, never on disk)
+# 2. Pull secrets into runtime (never written to disk)
 # ─────────────────────────────────────────────────────────────
-echo "πŸ” Pulling ${ENV} secrets from Secret Manager"
+echo "πŸ” Pulling secrets from Secret Manager"
 for S in "${SECRETS[@]}"; do
 export "$S"="$(gcloud secrets versions access latest \
 --secret="${S}_${ENV}" \
 --project="$PROJECT")"
 done
-# A flag so we can see in the container env where they came from
 export FROM_SECRETS_MANAGER=true
 # ─────────────────────────────────────────────────────────────
-# 3. Re‑create the stack
+# 3. Re-create the container stack
 # ─────────────────────────────────────────────────────────────
-# Preserve only the variables docker‑compose needs for expansion
 preserve=IMG_TAG,FROM_SECRETS_MANAGER,REACT_APP_API_URL,$(IFS=,; echo "${SECRETS[*]}")
-echo "πŸš€ docker compose up -d (with preserved env: $preserve)"
+echo "πŸš€ docker compose up -d (env: $preserve)"
 sudo --preserve-env="$preserve" docker compose up -d --force-recreate 2> >(grep -v 'WARN \[0000\]