dev1/.woodpecker.yml

---
kind: pipeline
type: docker
name: ssh-test

steps:
  - name: security-scan
    image: google/cloud-sdk:latest
    entrypoint:
      - bash
      - -c
      - |
        set -euo pipefail
        IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)
        REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo

        apt-get update -qq
        apt-get install -y -qq gnupg apt-transport-https curl ca-certificates docker.io

        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
        export PATH="$PATH:$(pwd)/bin"

        gcloud auth configure-docker us-central1-docker.pkg.dev -q

        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server1:$IMG_TAG
        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server2:$IMG_TAG
        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server3:$IMG_TAG
        trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/nginx:$IMG_TAG        


    - name: staging-deploy
    image: google/cloud-sdk:latest
    entrypoint:
      - bash
      - -c
      - |
        set -euo pipefail

        mkdir -p ~/.ssh

        # known_hosts + key
        gcloud secrets versions access latest \
          --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
          | base64 -d > ~/.ssh/known_hosts
        chmod 644 ~/.ssh/known_hosts

        gcloud secrets versions access latest \
          --secret=STAGING_SSH_KEY --project=aptivaai-dev \
          | base64 -d > ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519

        # --- Run a real bash on the remote and feed it a literal script
        ssh -o StrictHostKeyChecking=yes \
            -i ~/.ssh/id_ed25519 \
            jcoakley@10.128.0.12 \
            bash -seuo pipefail <<'REMOTE'

        set -Eeuo pipefail

        PROJECT=aptivaai-dev
        ENV=staging
        REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo
        DEK_VOL=aptiva_dek_staging   # adjust if your staging volume has a different name

        # helper: fetch a secret value for this ENV
        get() { gcloud secrets versions access latest --secret="${1}_${ENV}" --project="${PROJECT}"; }

        # read the image tag (no suffix)
        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project="${PROJECT}")"
        export IMG_TAG FROM_SECRETS_MANAGER=true PROJECT ENV_NAME="${ENV}"

        # export all env the compose needs
        export JWT_SECRET="$(get JWT_SECRET)"
        export OPENAI_API_KEY="$(get OPENAI_API_KEY)"
        export ONET_USERNAME="$(get ONET_USERNAME)"
        export ONET_PASSWORD="$(get ONET_PASSWORD)"
        export STRIPE_SECRET_KEY="$(get STRIPE_SECRET_KEY)"
        export STRIPE_PUBLISHABLE_KEY="$(get STRIPE_PUBLISHABLE_KEY)"
        export STRIPE_WH_SECRET="$(get STRIPE_WH_SECRET)"
        export STRIPE_PRICE_PREMIUM_MONTH="$(get STRIPE_PRICE_PREMIUM_MONTH)"
        export STRIPE_PRICE_PREMIUM_YEAR="$(get STRIPE_PRICE_PREMIUM_YEAR)"
        export STRIPE_PRICE_PRO_MONTH="$(get STRIPE_PRICE_PRO_MONTH)"
        export STRIPE_PRICE_PRO_YEAR="$(get STRIPE_PRICE_PRO_YEAR)"
        export DB_NAME="$(get DB_NAME)"
        export DB_HOST="$(get DB_HOST)"
        export DB_PORT="$(get DB_PORT)"
        export DB_USER="$(get DB_USER)"
        export DB_PASSWORD="$(get DB_PASSWORD)"
        export DB_SSL_CA="$(get DB_SSL_CA)"
        export DB_SSL_CERT="$(get DB_SSL_CERT)"
        export DB_SSL_KEY="$(get DB_SSL_KEY)"
        export TWILIO_ACCOUNT_SID="$(get TWILIO_ACCOUNT_SID)"
        export TWILIO_AUTH_TOKEN="$(get TWILIO_AUTH_TOKEN)"
        export TWILIO_MESSAGING_SERVICE_SID="$(get TWILIO_MESSAGING_SERVICE_SID)"
        export KMS_KEY_NAME="$(get KMS_KEY_NAME)"
        export DEK_PATH="$(get DEK_PATH)"

        cd /home/jcoakley/aptiva-staging-app

        # Optional safety net: if WRAPPED_DEK_staging has no versions, escrow the current EDEK
        if ! gcloud secrets describe "WRAPPED_DEK_${ENV}" --project="${PROJECT}" >/dev/null 2>&1; then
          gcloud secrets create "WRAPPED_DEK_${ENV}" --replication-policy=automatic --project="${PROJECT}"
        fi
        if ! gcloud secrets versions list "WRAPPED_DEK_${ENV}" --project="${PROJECT}" --format='value(name)' | grep -q .; then
          # read dek.enc out of the staging volume and push to Secret Manager
          docker run --rm -v "${DEK_VOL}:/run/secrets" busybox \
            cat "${DEK_PATH}" \
          | gcloud secrets versions add "WRAPPED_DEK_${ENV}" --data-file=- --project="${PROJECT}"
          echo "Escrowed EDEK to Secret Manager as WRAPPED_DEK_${ENV}"
        fi

        # Pull & restart with all env preserved
        PRESERVE="IMG_TAG,FROM_SECRETS_MANAGER,ENV_NAME,PROJECT,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH"

        sudo --preserve-env="${PRESERVE}" docker compose pull
        sudo --preserve-env="${PRESERVE}" docker compose up -d --force-recreate --remove-orphans

        echo "✅ Staging stack refreshed with tag ${IMG_TAG}"
        REMOTE        



    secrets:
      - STAGING_SSH_KEY
      - STAGING_KNOWN_HOSTS

when:
  event:
    - push