pounce/ops/CI_CD.md
2025-12-21 15:24:48 +01:00

# CI/CD (Gitea Actions) Auto Deploy

## Goal

Every push to main should:

- sync the repo to the production server
- build Docker images on the server
- restart containers
- run health checks

This repository uses a remote SSH deployment from Gitea Actions.

## Required Gitea Actions Secrets

Configure these in Gitea: Repo → Settings → Actions → Secrets

### Deployment (SSH)

- `DEPLOY_HOST`: production server IP/hostname
- `DEPLOY_USER`: SSH user (e.g. `administrator`)
- `DEPLOY_PATH`: absolute path where the repo is synced on the server (e.g. `/home/administrator/pounce`)
- `DEPLOY_SSH_KEY`: private key for SSH access
- `DEPLOY_SUDO_PASSWORD`: sudo password for `DEPLOY_USER` (used non-interactively)

### App Secrets (Backend)

Used to generate `/data/pounce/env/backend.env` on the server.

- `DATABASE_URL`
- `SECRET_KEY`
- `SMTP_PASSWORD`
- `STRIPE_SECRET_KEY`
- `STRIPE_WEBHOOK_SECRET`
- `GOOGLE_CLIENT_SECRET`
- `GH_OAUTH_SECRET`
- `CZDS_USERNAME`
- `CZDS_PASSWORD`

## Server Requirements

- `sudo` installed
- `docker` installed
- `DEPLOY_USER` must be able to run docker via sudo (the pipeline uses `sudo -S docker ...`)

## Notes

- Secrets are written to `/data/pounce/env/backend.env` on the server with restricted permissions.
- Frontend build args are supplied in the workflow (`NEXT_PUBLIC_API_URL`, `BACKEND_URL`).
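The server-side part of the deploy described in the Goal and Notes sections, as an added shell example that is not the pounce project's own script: it renders `backend.env` from the secrets listed above so the file is never readable by other local users, rebuilds and restarts the containers through `sudo -S docker`, and gates success on a retried health probe. The secret names and the env-file path come from this page; the `docker compose up -d --build` invocation, the compose file living in `DEPLOY_PATH`, the `HEALTH_URL` default, the `RUN_DEPLOY` guard and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the pounce project's own deploy script.
# Secret names and the env-file path are taken from the page; docker compose,
# HEALTH_URL, RUN_DEPLOY and the function names are assumptions.
set -eu

# Render KEY=VALUE lines for the named variables into an env file that is
# never readable by other local users, even for an instant.
# Usage: write_env_file <path> NAME1 NAME2 ...
write_env_file() {
  out="$1"; shift
  mkdir -p "$(dirname "$out")"
  old_umask=$(umask)
  umask 077                 # the new file is created 0600
  : > "$out"                # truncate (creates the file under the umask)
  for name in "$@"; do
    # Only plain identifiers may reach eval; names come from the caller,
    # never from untrusted input.
    case "$name" in
      ''|*[!A-Za-z0-9_]*) echo "write_env_file: bad name '$name'" >&2; umask "$old_umask"; return 1 ;;
    esac
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      # Fail the deploy rather than ship a half-filled env file.
      echo "write_env_file: $name is unset or empty" >&2
      umask "$old_umask"
      return 1
    fi
    printf '%s=%s\n' "$name" "$value" >> "$out"
  done
  umask "$old_umask"
  chmod 600 "$out"          # also tightens a pre-existing, wider file
}

# Run a probe command until it succeeds or the attempts are exhausted.
# Usage: wait_healthy <attempts> <delay_seconds> <probe command...>
wait_healthy() {
  attempts="$1"; delay="$2"; shift 2
  i=1
  while [ "$i" -le "$attempts" ]; do
    if "$@"; then
      return 0
    fi
    echo "health check $i/$attempts failed, retrying in ${delay}s" >&2
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Default probe: the backend answers HTTP 200 at its health URL (assumed path).
http_ok() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" || echo 000)
  [ "$code" = "200" ]
}

# The steps from the Goal section, in order, after the workflow has synced
# the repo to DEPLOY_PATH. Unset DEPLOY_* variables abort under set -u.
deploy() {
  write_env_file /data/pounce/env/backend.env \
    DATABASE_URL SECRET_KEY SMTP_PASSWORD STRIPE_SECRET_KEY STRIPE_WEBHOOK_SECRET \
    GOOGLE_CLIENT_SECRET GH_OAUTH_SECRET CZDS_USERNAME CZDS_PASSWORD
  cd "$DEPLOY_PATH"
  # sudo -S reads the password from stdin so the step is non-interactive;
  # "docker compose up -d --build" with the compose file in DEPLOY_PATH is assumed.
  printf '%s\n' "$DEPLOY_SUDO_PASSWORD" | sudo -S docker compose up -d --build
  wait_healthy 10 3 http_ok "${HEALTH_URL:-http://127.0.0.1:8000/health}"
}

# Only touch docker when explicitly asked, so the functions above can be
# sourced and exercised without a server.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy
fi
```

The `umask 077` before the truncating redirect matters more than the trailing `chmod`: with `chmod` alone the file would exist world-readable between creation and the permission change. Refusing to write when a secret is empty turns a missing Gitea secret into a failed pipeline instead of a backend that starts with blank credentials.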

## Trigger

A change to this file is itself a push, so committing it triggers the CI/CD workflow.