78 lines
3.7 KiB
YAML
78 lines
3.7 KiB
YAML
# .woodpecker.yml (only the relevant step shown)
|
||
steps:
|
||
- name: deploy-staging
|
||
image: google/cloud-sdk:latest
|
||
entrypoint:
|
||
- bash
|
||
- -euco
|
||
- |
|
||
#####################################################################
|
||
# 1) PARAMETERS #
|
||
#####################################################################
|
||
PROJECT=aptivaai-dev # GCP project that holds secrets
|
||
ENV=staging # <‑‑ change once, covers suffixes
|
||
HOST=10.128.0.12 # staging VM
|
||
SSH_USER=jcoakley
|
||
|
||
# One authoritative list of secret names (same as deploy_all.sh)
|
||
SECRETS=(
|
||
JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
|
||
STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET
|
||
STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR
|
||
STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR
|
||
DB_HOST DB_NAME DB_PORT DB_USER DB_PASSWORD
|
||
DB_SSL_CERT DB_SSL_KEY DB_SSL_CA
|
||
TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID
|
||
KMS_KEY_NAME DEK_PATH # ← NEW
|
||
)
|
||
|
||
#####################################################################
|
||
# 2) SSH prerequisites #
|
||
#####################################################################
|
||
mkdir -p ~/.ssh
|
||
gcloud secrets versions access latest \
|
||
--secret=STAGING_KNOWN_HOSTS --project="$PROJECT" | base64 -d \
|
||
> ~/.ssh/known_hosts
|
||
chmod 644 ~/.ssh/known_hosts
|
||
|
||
gcloud secrets versions access latest \
|
||
--secret=STAGING_SSH_KEY --project="$PROJECT" | base64 -d \
|
||
> ~/.ssh/id_ed25519
|
||
chmod 600 ~/.ssh/id_ed25519
|
||
|
||
echo "🔑 SSH key & known‑hosts installed"
|
||
|
||
#####################################################################
|
||
# 3) Build the remote export block #
|
||
#####################################################################
|
||
export_block="PROJECT=${PROJECT}; ENV=${ENV}; "
|
||
export_block+="IMG_TAG=\$(gcloud secrets versions access latest \
|
||
--secret=IMG_TAG --project=\${PROJECT}); export IMG_TAG; "
|
||
|
||
for S in "${SECRETS[@]}"; do
|
||
export_block+="${S}=\$(gcloud secrets versions access latest \
|
||
--secret=${S}_${ENV} --project=\${PROJECT}); export ${S}; "
|
||
done
|
||
|
||
export_block+="export FROM_SECRETS_MANAGER=true; "
|
||
|
||
#####################################################################
|
||
# 4) Remote docker‑compose update #
|
||
#####################################################################
|
||
export_block+="cd /home/${SSH_USER}/aptiva-staging-app; "
|
||
# Include every exported var in --preserve-env
|
||
preserve=$(IFS=,; echo IMG_TAG,FROM_SECRETS_MANAGER,${SECRETS[*]})
|
||
export_block+="sudo --preserve-env=${preserve} docker compose pull; "
|
||
export_block+="sudo --preserve-env=${preserve} \
|
||
docker compose up -d --force-recreate --remove-orphans; "
|
||
export_block+="echo '✅ Staging stack refreshed with tag \$IMG_TAG';"
|
||
|
||
#####################################################################
|
||
# 5) Execute over SSH #
|
||
#####################################################################
|
||
ssh -o StrictHostKeyChecking=yes -i ~/.ssh/id_ed25519 \
|
||
"${SSH_USER}@${HOST}" "${export_block}"
|
||
secrets:
|
||
- STAGING_SSH_KEY
|
||
- STAGING_KNOWN_HOSTS
|