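---
# Woodpecker CI pipeline: build the service images on `master`, push them to
# Artifact Registry, then deploy them on the staging host over SSH.
# Review annotations are marked NOTE(review).
kind: pipeline
type: docker
name: build-and-deploy

workspace:
  base: /woodpecker
  path: src

clone:
  depth: 50

volumes:
  # Host Docker socket. Whatever can write to this socket controls the host's
  # Docker daemon, which is effectively root on the CI host. That is why the
  # step mounting it is restricted by `when:` to push/manual on master and
  # never runs for pull_request events.
  - name: docker-sock
    host:
      path: /var/run/docker.sock

steps:
  - name: build-and-push
    image: docker:24.0-cli
    # `privileged: true` was dropped: a CLI-only container that talks to the
    # daemon through the mounted socket needs no extra capabilities, and the
    # socket already grants everything the build requires.
    volumes:
      - name: docker-sock
        path: /var/run/docker.sock
    commands:
      - |
        set -eu
        REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo
        # Short commit SHA used as the image tag; the deploy step derives the
        # same value, so keep the two expressions identical.
        TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)
        # Select the named builder if it already exists, create it only when
        # it does not. The previous `create ... || true` masked every create
        # failure, including ones that left a different builder selected.
        docker buildx use woodpecker 2>/dev/null \
          || docker buildx create --use --name woodpecker
        for svc in server1 server2 server3 nginx; do
          docker buildx build \
            -f "Dockerfile.${svc}" \
            -t "${REG}/${svc}:${TAG}" \
            --push .
        done
    when:
      event: [push, manual]
      branch: [master]

  - name: deploy-staging
    # NOTE(review): no tag or digest, so each run pulls whatever `latest`
    # resolves to; pin the plugin image for a reproducible supply chain.
    image: appleboy/drone-ssh
    settings:
      host: 10.128.0.12
      port: 22
      username: jcoakley
      key:
        from_secret: STAGING_SSH_KEY
      # Host-key pinning: the connection fails unless the server presents the
      # key recorded in this secret.
      known_hosts:
        from_secret: STAGING_KNOWN_HOSTS
      # The remote script reads CI_COMMIT_SHA; forward it explicitly rather
      # than relying on the plugin to do so implicitly.
      envs:
        - CI_COMMIT_SHA
    script:
      - |
        set -euo pipefail
        # NOTE(review): ENV=dev selects the `*_dev` secrets for a step that is
        # otherwise labelled staging — confirm this is intended.
        ENV=dev
        PROJECT=aptivaai-dev
        ROOT=/opt/aptiva-staging-app
        TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)

        cd "$ROOT"
        export IMG_TAG="$TAG"

        # Secret Manager secrets to fetch. Each is stored as "<NAME>_<ENV>" and
        # exported into the environment under <NAME>. A plain array replaces
        # `read -r -a SECRETS <<'EOF'`, which only consumes the first line of
        # its heredoc and silently drops everything after it.
        SECRETS=(
          JWT_SECRET
          OPENAI_API_KEY
          ONET_USERNAME
          ONET_PASSWORD
          STRIPE_SECRET_KEY
          STRIPE_PUBLISHABLE_KEY
          STRIPE_WH_SECRET
          STRIPE_PRICE_PREMIUM_MONTH
          STRIPE_PRICE_PREMIUM_YEAR
          STRIPE_PRICE_PRO_MONTH
          STRIPE_PRICE_PRO_YEAR
          DB_HOST
          DB_PORT
          DB_USER
          DB_PASSWORD
          TWILIO_ACCOUNT_SID
          TWILIO_AUTH_TOKEN
          TWILIO_MESSAGING_SERVICE_SID
        )

        echo "🔐 Pulling secrets from Secret Manager"
        for S in "${SECRETS[@]}"; do
          # Assign to a temporary first: `export X=$(cmd)` reports the status of
          # `export`, not of `cmd`, so with the original form a failed gcloud
          # call left X empty and the deploy carried on. A plain assignment
          # propagates the substitution's status and `set -e` aborts the run.
          value=$(gcloud secrets versions access latest \
            --secret="${S}_${ENV}" \
            --project="${PROJECT}")
          if [ -z "$value" ]; then
            echo "secret ${S}_${ENV} resolved to an empty value" >&2
            exit 1
          fi
          export "$S=$value"
        done
        export FROM_SECRETS_MANAGER=true

        # Comma-separated variable list for sudo --preserve-env. This only
        # works if sudoers grants this user SETENV (or lists these variables
        # in env_keep); otherwise sudo strips them and compose sees nothing.
        preserve=$(IFS=,; echo "IMG_TAG,FROM_SECRETS_MANAGER,${SECRETS[*]}")

        # Only variable names are logged here, never their values.
        echo "🚀 Deploying with preserved env: $preserve"
        sudo --preserve-env="$preserve" docker compose pull
        sudo --preserve-env="$preserve" docker compose up -d \
          --force-recreate \
          --remove-orphans
    when:
      event: [push, manual]
      branch: [master]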