From f0d40e7b84f1c3a28f580b2026d374e8f169d97d Mon Sep 17 00:00:00 2001
From: Josh
Date: Sat, 9 Aug 2025 14:18:44 +0000
Subject: [PATCH] added Dek copy step in pipeline dev->staging

---
 .woodpecker.yml | 64 +++++++++++++++++++------------------------------
 1 file changed, 25 insertions(+), 39 deletions(-)

diff --git a/.woodpecker.yml b/.woodpecker.yml
index 5f49710..fbba877 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -1,33 +1,3 @@
----
-kind: pipeline
-type: docker
-name: ssh-test
-
-steps:
- - name: security-scan
- image: google/cloud-sdk:latest
- entrypoint:
- - bash
- - -c
- - |
- set -euo pipefail
- IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)
- REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo
-
- apt-get update -qq
- apt-get install -y -qq gnupg apt-transport-https curl ca-certificates docker.io
-
- curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
- export PATH="$PATH:$(pwd)/bin"
-
- gcloud auth configure-docker us-central1-docker.pkg.dev -q
-
- trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server1:$IMG_TAG
- trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server2:$IMG_TAG
- trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server3:$IMG_TAG
- trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/nginx:$IMG_TAG
-
-
 - name: staging-deploy
 image: google/cloud-sdk:latest
 entrypoint:
@@ -109,17 +79,33 @@ steps:
 DEK_PATH=$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project=$PROJECT); \
 export DEK_PATH; \
 export FROM_SECRETS_MANAGER=true; \
+ \
+ # ── NEW: sync dev DEK into staging volume (uses Secret Manager) ── \
+ if gcloud secrets describe WRAPPED_DEK_dev --project=$PROJECT >/dev/null 2>&1; then \
+ echo \"🔁 Syncing dev DEK into staging volume\"; \
+ gcloud secrets versions access latest --secret=WRAPPED_DEK_dev --project=$PROJECT > /tmp/dev_dek.enc; \
+ if [ -s /tmp/dev_dek.enc ]; then \
+ docker volume ls -q | grep -qx aptiva_dek_staging || docker volume create aptiva_dek_staging >/dev/null; \
+ sudo docker run --rm -v aptiva_dek_staging:/v -v /tmp:/host busybox sh -lc \" \
+ set -e; \
+ mkdir -p /v/staging; \
+ cp -f /host/dev_dek.enc /v/staging/dek.enc; \
+ chown 1000:1000 /v/staging/dek.enc; \
+ chmod 400 /v/staging/dek.enc; \
+ rm -f /v/staging/dek.fpr; \
+ echo -n 'staging dek.enc bytes: '; wc -c