From fc5ffabdb379ea1c5b47f73688ac43ed186108a6 Mon Sep 17 00:00:00 2001
From: Josh
Date: Thu, 31 Jul 2025 16:50:07 +0000
Subject: [PATCH] pipeline build v38. revert back to no secrets
---
 .woodpecker.yml | 94 ++++++++++++++++++++++---------------------------
 1 file changed, 43 insertions(+), 51 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 9090e01..63a2fd6 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -1,53 +1,45 @@
----
-kind: pipeline
-type: docker
-name: build-and-deploy
-
-workspace:
- base: /woodpecker
- path: src
-
-clone:
- depth: 50
-
-volumes:
- - name: docker-sock
- host:
- path: /var/run/docker.sock
-
 steps:
- - name: build-and-push
- image: docker:24.0-cli
- privileged: true
- volumes:
- - name: docker-sock
- path: /var/run/docker.sock
- commands:
- - set -eu
- - REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo
- - TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)
- - docker buildx create --use --name woodpecker || true
- - for svc in server1 server2 server3 nginx; do docker buildx build -f Dockerfile.${svc} -t ${REG}/${svc}:${TAG} --push .; done
- when:
- event: [push, manual]
- branch: [master]
+ ssh-deploy:
+ image: google/cloud-sdk:latest
+ entrypoint:
+ - bash
+ - -c
+ - |
+ set -euo pipefail
 
- - name: deploy-staging
- image: appleboy/drone-ssh
- settings:
- host: 10.128.0.12
- port: 22
- username: jcoakley
- key:
- from_secret: STAGING_SSH_KEY
- known_hosts:
- from_secret: STAGING_KNOWN_HOSTS
- script:
- - set -eu
- - TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)
- - cd /opt/aptiva-staging-app
- - IMG_TAG=$TAG docker compose pull
- - IMG_TAG=$TAG docker compose up -d --force-recreate --remove-orphans
- when:
- event: [push, manual]
- branch: [master]
+ mkdir -p ~/.ssh
+
+ # 1. Install SSH prerequisites ──────────────────────────────
+ gcloud secrets versions access latest \
+ --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
+ | base64 -d > ~/.ssh/known_hosts
+ chmod 644 ~/.ssh/known_hosts
+
+ gcloud secrets versions access latest \
+ --secret=STAGING_SSH_KEY --project=aptivaai-dev \
+ | base64 -d > ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+ echo "🔑 SSH prerequisites installed"
+
+ # 2. Fetch canonical IMG_TAG (trim newline) ─────────────────
+ IMG_TAG=$(gcloud secrets versions access latest \
+ --secret=IMG_TAG --project=aptivaai-dev | tr -d '\n')
+ echo "📦 IMG_TAG=${IMG_TAG}"
+
+ # 3. 
SSH to staging and redeploy ────────────────────────────
+ ssh -o StrictHostKeyChecking=yes \
+ -i ~/.ssh/id_ed25519 \
+ jcoakley@10.128.0.12 \
+ "set -euo pipefail; \
+ export IMG_TAG=${IMG_TAG}; \
+ cd /home/jcoakley/aptiva-staging-app; \
+ echo 'Pulling containers for tag ${IMG_TAG}'; \
+ docker compose pull; \
+ echo 'Re‑creating services'; \
+ docker compose up -d --force-recreate --remove-orphans; \
+ echo '✅ Staging stack refreshed with tag ${IMG_TAG}'"
+
+secrets: [ STAGING_SSH_KEY, STAGING_KNOWN_HOSTS ]
+when:
+ event:
+ - push
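Review bot: In step 3 the value read from the IMG_TAG secret is expanded locally inside the double-quoted remote command (`export IMG_TAG=${IMG_TAG};`), so anything other than a plain tag is interpreted by the shell on the staging host; `tr -d '\n'` strips only newlines. Validating it before the `ssh` call, e.g. `[[ "$IMG_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]] || { echo "invalid IMG_TAG" >&2; exit 1; }`, keeps the remote command fixed no matter who can write that secret. The step also runs `google/cloud-sdk:latest`, a mutable tag, in the container that writes the staging private key to disk; pinning it (`image: google/cloud-sdk:<version>@sha256:<digest>`, placeholder values) would make the key-handling environment reproducible. The new top-level `when:` keeps `event: push` but drops the old `branch: [master]` filter, so as written the deploy appears to run on pushes to any branch, which is worth restoring if unintended.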