
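---
# Staging deploy pipeline: fetch SSH material from GCP Secret Manager inside the
# CI container, then SSH to the staging host and refresh its docker compose
# stack with the image tag and per-environment secrets held in Secret Manager.
kind: pipeline
type: docker
name: ssh-test

steps:
  - name: ssh-test
    # NOTE(review): ":latest" is a moving tag, so the toolchain that handles the
    # deploy key changes underneath this pipeline; pinning to a digest makes it
    # reproducible and reviewable.
    image: google/cloud-sdk:latest
    # NOTE(review): the gcloud calls below assume the container is already
    # authenticated (presumably attached service-account / metadata
    # credentials) — nothing in this file configures that; confirm.
    entrypoint:
      - bash
      - -c
      - |
        set -euo pipefail
        mkdir -p ~/.ssh

        # -- Inject known_hosts and SSH private key ---------------------------
        # Both secrets are stored base64-encoded; decode them on the way in.
        gcloud secrets versions access latest \
          --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
          | base64 -d > ~/.ssh/known_hosts
        chmod 644 ~/.ssh/known_hosts
        gcloud secrets versions access latest \
          --secret=STAGING_SSH_KEY --project=aptivaai-dev \
          | base64 -d > ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519
        echo "🔑 SSH prerequisites installed"

        # -- SSH into staging and deploy --------------------------------------
        # StrictHostKeyChecking=yes: the host key must already be present in the
        # known_hosts written above, so a mismatch aborts rather than being
        # accepted on first use.
        # The remote script is single-quoted: nothing inside it expands in the
        # CI container; every $VAR and $(...) is evaluated on the staging host.
        ssh -o StrictHostKeyChecking=yes \
          -i ~/.ssh/id_ed25519 \
          jcoakley@10.128.0.12 \
          'set -euo pipefail
          PROJECT=aptivaai-dev
          ENV=staging  # suffix used for per-environment secret names (e.g. dev, prod)
          IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT)
          export IMG_TAG

          # Every name listed here is fetched from Secret Manager as
          # "<NAME>_<ENV>" and exported under "<NAME>".
          declare -a SECRETS=(
            JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
            STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET
            STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR
            STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR
            DB_HOST DB_NAME DB_PORT DB_USER DB_PASSWORD
            DB_SSL_CERT DB_SSL_KEY DB_SSL_CA
            TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID
            KMS_KEY_NAME DEK_PATH
          )
          for S in "${SECRETS[@]}"; do
            # Left-hand side stays unquoted so bash sees NAME=value as one
            # assignment word; the value is quoted so whitespace/newlines in a
            # secret are preserved.
            export ${S}="$(gcloud secrets versions access latest \
              --secret="${S}_${ENV}" --project="$PROJECT")"
          done
          export FROM_SECRETS_MANAGER=true

          cd /home/jcoakley/aptiva-staging-app

          # Build the --preserve-env list dynamically so newly added names flow
          # through. "${SECRETS[*]}" must be quoted: with IFS=, an unquoted
          # expansion is re-split on the commas and echo prints the names
          # space-separated, which sudo would not accept as a single list.
          preserve=$(IFS=,; echo "IMG_TAG,FROM_SECRETS_MANAGER,${SECRETS[*]}")
          # Only the variables named in $preserve cross the sudo boundary.
          sudo --preserve-env="$preserve" docker compose pull
          sudo --preserve-env="$preserve" docker compose up -d --force-recreate --remove-orphans
          echo "✅ Staging stack refreshed with tag $IMG_TAG"
          '
    # NOTE(review): these CI secrets are injected as environment variables,
    # but the script above never reads $STAGING_SSH_KEY / $STAGING_KNOWN_HOSTS —
    # it fetches both from Secret Manager instead. Confirm whether this list is
    # still needed; if not, dropping it keeps the key out of the step's env.
    secrets:
      - STAGING_SSH_KEY
      - STAGING_KNOWN_HOSTS
    # NOTE(review): no branch filter — a push on any branch redeploys staging;
    # confirm that is intended.
    when:
      event:
        - push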