# CI/CD (Gitea Actions) – Auto Deploy

## Goal

Every push to `main` should:

- sync the repo to the production server
- build Docker images on the server
- restart containers
- run health checks

This repository uses a **remote SSH deployment** from Gitea Actions.

## Required Gitea Actions Secrets

Configure these in Gitea: **Repo → Settings → Actions → Secrets**

### Deployment (SSH)

- `DEPLOY_HOST` – production server IP/hostname
- `DEPLOY_USER` – SSH user (e.g. `administrator`)
- `DEPLOY_PATH` – absolute path where the repo is synced on the server (e.g. `/home/administrator/pounce`)
- `DEPLOY_SSH_KEY` – private key for SSH access
- `DEPLOY_SUDO_PASSWORD` – sudo password for `DEPLOY_USER` (used non-interactively)

### App Secrets (Backend)

Used to generate `/data/pounce/env/backend.env` on the server.

- `DATABASE_URL`
- `SECRET_KEY`
- `SMTP_PASSWORD`
- `STRIPE_SECRET_KEY`
- `STRIPE_WEBHOOK_SECRET`
- `GOOGLE_CLIENT_SECRET`
- `GH_OAUTH_SECRET`
- `CZDS_USERNAME`
- `CZDS_PASSWORD`

## Server Requirements

- `sudo` installed
- `docker` installed
- `DEPLOY_USER` must be able to run docker via `sudo` (the pipeline uses `sudo -S docker ...`)

## Notes

- Secrets are written to `/data/pounce/env/backend.env` on the server with restricted permissions.
- Frontend build args are supplied in the workflow (`NEXT_PUBLIC_API_URL`, `BACKEND_URL`).

## Trigger

Changes to this file trigger CI.

- runner DNS fix validation
- redeploy after runner fix
- runner re-register
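A server-side deploy script of the kind the SSH job would invoke, added here as an illustration rather than taken from this repository; the function names, the `/health` URL, and the `docker-compose.yml` location under `DEPLOY_PATH` are assumptions. It shows the two points the Notes and Server Requirements sections rely on: `backend.env` is rendered under `umask 077` and renamed into place atomically, and `sudo -S` reads `DEPLOY_SUDO_PASSWORD` from stdin so it never appears in a process listing.

```shell
#!/bin/sh
# Hypothetical server-side deploy step for the Gitea Actions SSH job (added
# illustration, not the repository's own script). Function names, HEALTH_URL and
# the compose file path are assumptions; DEPLOY_* and app secrets come from env.
set -eu
ENV_FILE="${ENV_FILE:-/data/pounce/env/backend.env}"
HEALTH_URL="${HEALTH_URL:-http://127.0.0.1:8000/health}"   # assumed endpoint

# Render backend.env from environment variables (secrets arrive as env vars, not
# argv, so they never show up in `ps`). Runs in a subshell so umask 077 is scoped:
# dir/file are created 0700/0600 and the temp file is renamed into place atomically.
write_env_file() (
    out="$1"; dir=$(dirname "$out"); tmp="$dir/.backend.env.$$"
    umask 077
    mkdir -p "$dir"
    : >"$tmp"
    for name in DATABASE_URL SECRET_KEY SMTP_PASSWORD STRIPE_SECRET_KEY \
                STRIPE_WEBHOOK_SECRET GOOGLE_CLIENT_SECRET GH_OAUTH_SECRET \
                CZDS_USERNAME CZDS_PASSWORD; do
        eval "val=\${$name:-}"          # fixed name list, so eval is safe here
        [ -n "$val" ] || { echo "write_env_file: $name is not set" >&2; rm -f "$tmp"; exit 1; }
        printf '%s=%s\n' "$name" "$val" >>"$tmp"
    done
    mv -f "$tmp" "$out"
)

# Run docker via sudo, feeding the password on stdin (sudo -S) rather than argv.
sudo_docker() {
    printf '%s\n' "$DEPLOY_SUDO_PASSWORD" | sudo -S -p '' docker "$@"
}

# Poll the health endpoint; a non-2xx/3xx response or a timeout counts as down.
wait_healthy() {
    url="$1"; tries="${2:-30}"; i=0
    while [ "$i" -lt "$tries" ]; do
        curl -fsS --max-time 5 "$url" >/dev/null 2>&1 && return 0
        i=$((i + 1)); sleep 2
    done
    echo "health check failed after $tries attempts: $url" >&2; return 1
}

deploy() {
    write_env_file "$ENV_FILE"
    sudo_docker compose -f "$DEPLOY_PATH/docker-compose.yml" build
    sudo_docker compose -f "$DEPLOY_PATH/docker-compose.yml" up -d
    wait_healthy "$HEALTH_URL"
}

# Only deploy when invoked as `./deploy.sh deploy`; sourcing just defines functions.
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

If any of the nine app secrets is missing from the job environment the script refuses to deploy and leaves no partial env file behind, so a misconfigured secret fails the pipeline instead of starting the backend with an empty value.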