pipeline build v26 - TAG in GCP

.env

@@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
 SERVER1_PORT=5000
 SERVER2_PORT=5001
 SERVER3_PORT=5002
-IMG_TAG=202507301457
+IMG_TAG=202507311547

.woodpecker.yml

@@ -1,5 +1,4 @@
-steps:
-  ssh-test:
+- name: ssh-test
   image: google/cloud-sdk:latest
   entrypoint:
     - bash
@@ -9,7 +8,7 @@ steps:
 
       mkdir -p ~/.ssh
 
-        # ── Inject known-hosts and SSH key ──────────────────────────────
+      # ── Inject known-hosts and SSH key ───────────────────────────────
       gcloud secrets versions access latest \
         --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
         | base64 -d > ~/.ssh/known_hosts
@@ -22,31 +21,23 @@ steps:
 
       echo "🔑 SSH prerequisites installed"
 
-        # ── Grab full commit SHA and slice tag ──────────────────────────
-        echo "📦 CI_COMMIT_SHA: ${CI_COMMIT_SHA:-unset}"
-        TAG="${CI_COMMIT_SHA:-}"
-        if [ -z "$TAG" ]; then
-          echo "❌ CI_COMMIT_SHA is blank. Aborting."
-          exit 1
-        fi
-        TAG=$(echo "$TAG" | head -c 8)
-        echo "🚀 Deploying tag ${TAG} to staging"
+      # ── Fetch canonical IMG_TAG ──────────────────────────────────────
+      IMG_TAG=$(gcloud secrets versions access latest \
+        --secret=IMG_TAG --project=aptivaai-dev)
+      echo "📦 IMG_TAG=${IMG_TAG}"
 
-        # ── SSH into staging and refresh the stack ──────────────────────
+      # ── SSH into staging and deploy ──────────────────────────────────
       ssh -o StrictHostKeyChecking=yes \
           -i ~/.ssh/id_ed25519 \
           jcoakley@10.128.0.12 \
-            "export IMG_TAG=${TAG}; \
+          "export IMG_TAG=${IMG_TAG}; \
            cd /home/jcoakley/aptiva-staging-app; \
            echo 'IMG_TAG = ${IMG_TAG}'; \
-             echo '→ Pulling containers'; \
            docker compose pull; \
-             echo '→ Recreating services'; \
            docker compose up -d --force-recreate --remove-orphans; \
            echo '✅ Staging stack refreshed with tag ${IMG_TAG}'"
 
-environment:
-  CI_COMMIT_SHA: ${CI_COMMIT_SHA}
+secrets: [ STAGING_SSH_KEY, STAGING_KNOWN_HOSTS ]
 
 when:
   event:

deploy_all.sh

@@ -2,14 +2,14 @@
 set -euo pipefail
 
 # ─────────────────────────────────────────────────────────────
-# CONFIG – adjust only the 4 lines below if you change projects
+# CONFIG – adjust only these 4 if needed
 # ─────────────────────────────────────────────────────────────
-ENV=dev                       # secret suffix, e.g.  JWT_SECRET_staging
+ENV=dev
 PROJECT=aptivaai-dev
 ROOT=/home/jcoakley/aptiva-dev1-app
 REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo
 
-ENV_FILE="${ROOT}/.env"           # ← holds NON‑sensitive values only
+ENV_FILE="${ROOT}/.env"
 SECRETS=(
   JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
   STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR
@@ -19,11 +19,11 @@ SECRETS=(
 
 cd "$ROOT"
 echo "🛠  Building front‑end bundle"
-npm ci --silent        # installs if node_modules is missing/old
+npm ci --silent
 npm run build
 
 # ─────────────────────────────────────────────────────────────
-# 1. Build  ➔  Push  ➔  Bump IMG_TAG in .env
+# 1. Build → Push → Stamp .env
 # ─────────────────────────────────────────────────────────────
 TAG=$(date -u +%Y%m%d%H%M)
 echo "🔨  Building & pushing containers (tag = ${TAG})"
@@ -33,7 +33,6 @@ for svc in server1 server2 server3; do
   docker push  "${REG}/${svc}:${TAG}"
 done
 
-# keep .env for static, non‑sensitive keys (ports, API_BASE…)
 if grep -q '^IMG_TAG=' "$ENV_FILE"; then
   sed -i "s/^IMG_TAG=.*/IMG_TAG=${TAG}/" "$ENV_FILE"
 else
@@ -42,27 +41,30 @@ fi
 echo "✅  .env updated with IMG_TAG=${TAG}"
 
 # ─────────────────────────────────────────────────────────────
-# 2. Export secrets straight from Secret Manager
-#    (they live only in this shell, never on disk)
+# 1a. Publish IMG_TAG to Secret Manager (single source of truth)
 # ─────────────────────────────────────────────────────────────
-echo "🔐  Pulling ${ENV} secrets from Secret Manager"
+printf "%s" "${TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="$PROJECT"
+
+echo "📦  IMG_TAG pushed to Secret Manager (no suffix)"
+
+# ─────────────────────────────────────────────────────────────
+# 2. Pull secrets into runtime (never written to disk)
+# ─────────────────────────────────────────────────────────────
+echo "🔐  Pulling secrets from Secret Manager"
 for S in "${SECRETS[@]}"; do
   export "$S"="$(gcloud secrets versions access latest \
                    --secret="${S}_${ENV}" \
                    --project="$PROJECT")"
 done
 
-# A flag so we can see in the container env where they came from
 export FROM_SECRETS_MANAGER=true
 
 # ─────────────────────────────────────────────────────────────
-# 3. Re‑create the stack
+# 3. Re-create the container stack
 # ─────────────────────────────────────────────────────────────
-# Preserve only the variables docker‑compose needs for expansion
 preserve=IMG_TAG,FROM_SECRETS_MANAGER,REACT_APP_API_URL,$(IFS=,; echo "${SECRETS[*]}")
 
-
-echo "🚀  docker compose up -d (with preserved env: $preserve)"
+echo "🚀  docker compose up -d (env: $preserve)"
 sudo --preserve-env="$preserve" docker compose up -d --force-recreate 2> >(grep -v 'WARN
 
 \[0000\]