From b0b1930b7e579f85e596d5bd100b01494b69c6cf Mon Sep 17 00:00:00 2001 From: Yves Gugger Date: Sat, 20 Dec 2025 19:55:33 +0100 Subject: [PATCH] Security: Move secrets to Gitea Actions secrets - All sensitive credentials now use ${{ secrets.* }} syntax - Removed hardcoded API keys, passwords, and tokens - Repository is now private --- .gitea/workflows/deploy.yml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index e16f054..54b2b22 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -20,12 +20,8 @@ jobs: - name: Sync code to deploy directory run: | - # Ensure deploy directory exists mkdir -p ${{ env.REPO_PATH }} - - # Sync code (rsync-like behavior with cp) cp -r . ${{ env.REPO_PATH }}/ - echo "Code synced to ${{ env.REPO_PATH }}" - name: Build Backend Docker Image @@ -46,20 +42,28 @@ jobs: echo "✅ Frontend image built successfully" - name: Deploy Backend + env: + DATABASE_URL: ${{ secrets.DATABASE_URL }} + SECRET_KEY: ${{ secrets.SECRET_KEY }} + SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }} + STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }} + STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }} + GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }} + GITHUB_CLIENT_SECRET: ${{ secrets.GITHUB_CLIENT_SECRET }} run: | # Stop existing container docker stop pounce-backend 2>/dev/null || true docker rm pounce-backend 2>/dev/null || true - # Run new container + # Run new container with secrets from environment docker run -d \ --name pounce-backend \ --network n0488s44osgoow4wgo04ogg0 \ --restart unless-stopped \ - -e DATABASE_URL="postgresql+asyncpg://pounce:PounceDB2024!@supabase-db-n0488s44osgoow4wgo04ogg0:5432/pounce" \ - -e SECRET_KEY="62003b69b382cd55f32aba6301a81039e74a84914505d1bfbf254a97a5ccfb36" \ - -e JWT_SECRET="62003b69b382cd55f32aba6301a81039e74a84914505d1bfbf254a97a5ccfb36" \ - -e CORS_ORIGINS="https://pounce.ch,https://www.pounce.ch,http://pounce.185-142-213-170.sslip.io" \ + -e DATABASE_URL="${DATABASE_URL}" \ + -e SECRET_KEY="${SECRET_KEY}" \ + -e JWT_SECRET="${SECRET_KEY}" \ + -e CORS_ORIGINS="https://pounce.ch,https://www.pounce.ch" \ -e COOKIE_SECURE="true" \ -e SITE_URL="https://pounce.ch" \ -e FRONTEND_URL="https://pounce.ch" \ @@ -68,21 +72,21 @@ jobs: -e SMTP_HOST="smtp.zoho.eu" \ -e SMTP_PORT="465" \ -e SMTP_USER="hello@pounce.ch" \ - -e SMTP_PASSWORD="CmeR6tk9EaJb" \ + -e SMTP_PASSWORD="${SMTP_PASSWORD}" \ -e SMTP_FROM_EMAIL="hello@pounce.ch" \ -e SMTP_FROM_NAME="pounce" \ -e SMTP_USE_TLS="false" \ -e SMTP_USE_SSL="true" \ - -e STRIPE_SECRET_KEY="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" \ + -e STRIPE_SECRET_KEY="${STRIPE_SECRET_KEY}" \ -e STRIPE_PUBLISHABLE_KEY="pk_live_51ScLbjCtFUamNRpNeFugrlTIYhszbo8GovSGiMnPwHpZX9p3SGtgG8iRHYRIlAtg9M9sl3mvT5r8pwXP3mOsPALG00Wk3j0wH4" \ -e STRIPE_PRICE_TRADER="price_1ScRlzCtFUamNRpNQdMpMzxV" \ -e STRIPE_PRICE_TYCOON="price_1SdwhSCtFUamNRpNEXTSuGUc" \ - -e STRIPE_WEBHOOK_SECRET="whsec_zr1uTZnA7Zylquo0AVNs2g4SHGOFrJRx" \ + -e STRIPE_WEBHOOK_SECRET="${STRIPE_WEBHOOK_SECRET}" \ -e GOOGLE_CLIENT_ID="865146315769-vi7vcu91d3i7huv8ikjun52jo9ob7spk.apps.googleusercontent.com" \ - -e GOOGLE_CLIENT_SECRET="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" \ + -e GOOGLE_CLIENT_SECRET="${GOOGLE_CLIENT_SECRET}" \ -e GOOGLE_REDIRECT_URI="https://pounce.ch/api/v1/oauth/google/callback" \ -e GITHUB_CLIENT_ID="Ov23liBjROk39vYXi3G5" \ - -e GITHUB_CLIENT_SECRET="7239bfc61f2f29386655f405524292eabeb76fd2" \ + -e GITHUB_CLIENT_SECRET="${GITHUB_CLIENT_SECRET}" \ -e GITHUB_REDIRECT_URI="https://pounce.ch/api/v1/oauth/github/callback" \ -l "traefik.enable=true" \ -l "traefik.http.routers.pounce-api.rule=Host(\`api.pounce.ch\`)" \ @@ -138,12 +142,8 @@ jobs: - name: Cleanup run: | - # Remove old images docker image prune -f - - # Remove old unused containers docker container prune -f - echo "✅ Cleanup complete" - name: Deployment Summary