yvg/pounce

Yves Gugger d170d6f729 ci: Auto-deploy on push via SSH

- Gitea Actions workflow now syncs repo to server, builds images, restarts containers, and runs health checks
- Removed all hardcoded secrets from scripts/deploy.sh
- Added CI/CD documentation and ignored .env.deploy

NOTE: Existing secrets previously committed must be rotated.

2025-12-21 15:23:04 +01:00

1.3 KiB

Raw Blame History

CI/CD (Gitea Actions) – Auto Deploy

Goal

Every push to main should:

sync the repo to the production server
build Docker images on the server
restart containers
run health checks

This repository uses a remote SSH deployment from Gitea Actions.

Required Gitea Actions Secrets

Configure these in Gitea: Repo → Settings → Actions → Secrets

Deployment (SSH)

DEPLOY_HOST – production server IP/hostname
DEPLOY_USER – SSH user (e.g. administrator)
DEPLOY_PATH – absolute path where the repo is synced on the server (e.g. /home/administrator/pounce)
DEPLOY_SSH_KEY – private key for SSH access
DEPLOY_SUDO_PASSWORD – sudo password for DEPLOY_USER (used non-interactively)

App Secrets (Backend)

Used to generate /data/pounce/env/backend.env on the server.

DATABASE_URL
SECRET_KEY
SMTP_PASSWORD
STRIPE_SECRET_KEY
STRIPE_WEBHOOK_SECRET
GOOGLE_CLIENT_SECRET
GH_OAUTH_SECRET
CZDS_USERNAME
CZDS_PASSWORD

Server Requirements

sudo installed
docker installed
DEPLOY_USER must be able to run docker via sudo (pipeline uses sudo -S docker ...)

Notes

Secrets are written to /data/pounce/env/backend.env on the server with restricted permissions.
Frontend build args are supplied in the workflow (NEXT_PUBLIC_API_URL, BACKEND_URL).

1.3 KiB Raw Blame History Unescape Escape