--- kind: pipeline type: docker name: ssh-test steps: - name: ssh-test image: google/cloud-sdk:latest entrypoint: - bash - -c - | set -euo pipefail mkdir -p ~/.ssh # ── Inject known-hosts and SSH key ─────────────────────────────── gcloud secrets versions access latest \ --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \ | base64 -d > ~/.ssh/known_hosts chmod 644 ~/.ssh/known_hosts gcloud secrets versions access latest \ --secret=STAGING_SSH_KEY --project=aptivaai-dev \ | base64 -d > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 echo "🔑 SSH prerequisites installed" # ── SSH into staging and deploy ────────────────────────────────── ssh -o StrictHostKeyChecking=yes \ -i ~/.ssh/id_ed25519 \ jcoakley@10.128.0.12 \ 'set -euo pipefail PROJECT=aptivaai-dev ENV=staging # ← or “dev”, “prod”, etc. IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT) export IMG_TAG # pull every secret in the SECRETS array declare -a SECRETS=( JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR DB_HOST DB_NAME DB_PORT DB_USER DB_PASSWORD DB_SSL_CERT DB_SSL_KEY DB_SSL_CA TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID KMS_KEY_NAME DEK_PATH ) for S in "${SECRETS[@]}"; do # no quotes on the left‑hand side export ${S}="$(gcloud secrets versions access latest \ --secret="${S}_${ENV}" --project="$PROJECT")" done export FROM_SECRETS_MANAGER=true cd /home/jcoakley/aptiva-staging-app # build the --preserve-env list dynamically so new vars flow through preserve=$(IFS=,; echo IMG_TAG,FROM_SECRETS_MANAGER,${SECRETS[*]}) sudo --preserve-env="$preserve" docker compose pull sudo --preserve-env="$preserve" docker compose up -d --force-recreate --remove-orphans echo "✅ Staging stack refreshed with tag $IMG_TAG" ' secrets: - STAGING_SSH_KEY - STAGING_KNOWN_HOSTS when: event: - push