- Gitea Actions workflow now syncs repo to server, builds images, restarts containers, and runs health checks
- Removed all hardcoded secrets from scripts/deploy.sh
- Added CI/CD documentation and ignored .env.deploy

NOTE: Existing secrets previously committed must be rotated.
43 lines
1.3 KiB
Markdown
# CI/CD (Gitea Actions) – Auto Deploy

## Goal

Every push to `main` should:

- sync the repo to the production server
- build Docker images on the server
- restart containers
- run health checks

This repository uses a **remote SSH deployment** from Gitea Actions.

## Required Gitea Actions Secrets

Configure these in Gitea: **Repo → Settings → Actions → Secrets**

### Deployment (SSH)

- `DEPLOY_HOST` – production server IP/hostname
- `DEPLOY_USER` – SSH user (e.g. `administrator`)
- `DEPLOY_PATH` – absolute path where the repo is synced on the server (e.g. `/home/administrator/pounce`)
- `DEPLOY_SSH_KEY` – private key for SSH access
- `DEPLOY_SUDO_PASSWORD` – sudo password for `DEPLOY_USER` (used non-interactively)

### App Secrets (Backend)

Used to generate `/data/pounce/env/backend.env` on the server.

- `DATABASE_URL`
- `SECRET_KEY`
- `SMTP_PASSWORD`
- `STRIPE_SECRET_KEY`
- `STRIPE_WEBHOOK_SECRET`
- `GOOGLE_CLIENT_SECRET`
- `GH_OAUTH_SECRET`
- `CZDS_USERNAME`
- `CZDS_PASSWORD`

## Server Requirements

- `sudo` installed
- `docker` installed
- `DEPLOY_USER` must be able to run docker via `sudo` (pipeline uses `sudo -S docker ...`)

## Notes

- Secrets are written to `/data/pounce/env/backend.env` on the server with restricted permissions.
- Frontend build args are supplied in the workflow (`NEXT_PUBLIC_API_URL`, `BACKEND_URL`).
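The server-side half of the sequence described above (write the env file with restricted permissions, run docker through `sudo -S`, restart, health-check), as an added example. This is not the repository's `scripts/deploy.sh` or its workflow file; the function names (`write_env_file`, `retry`, `health_check`, `docker_cmd`, `deploy`), the use of `docker compose`, and the health URL are assumptions, not taken from this page.

```shell
#!/usr/bin/env sh
# Added example: server-side deploy steps of the kind the workflow runs over SSH.
# Not the repository's scripts/deploy.sh or its workflow file. Assumed names:
# write_env_file, retry, health_check, docker_cmd, deploy; `docker compose` and
# the health URL are assumptions as well.
set -eu

# Write KEY=VALUE pairs to an env file that is never readable by other users,
# not even briefly: the temp file is created under umask 077 (mode 0600) in the
# destination directory and then moved into place atomically.
#   $1 = destination path (e.g. /data/pounce/env/backend.env), $2.. = KEY=VALUE
write_env_file() {
  dest="$1"; shift
  dir=$(dirname "$dest")
  mkdir -p "$dir"
  tmp=$(umask 077 && mktemp "$dir/.env.XXXXXX")   # umask applies only in the subshell
  for kv in "$@"; do
    printf '%s\n' "$kv" >> "$tmp"
  done
  chmod 600 "$tmp"
  mv -f "$tmp" "$dest"
}

# Mode string of a file as printed by ls -l, e.g. "-rw-------".
file_mode() {
  ls -l "$1" | cut -c1-10
}

# Run a command until it succeeds or the attempts are used up.
#   $1 = attempts, $2 = seconds to sleep between attempts, $3.. = command
retry() {
  attempts="$1"; delay="$2"; shift 2
  i=1
  while [ "$i" -le "$attempts" ]; do
    if "$@"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# Health check: curl -f turns HTTP >= 400 into a failure, --max-time bounds each try.
health_check() {
  retry 10 3 curl -fsS --max-time 5 "$1" > /dev/null
}

# Run docker via sudo -S, feeding the password on stdin. The password never
# appears in argv, so other users cannot read it from ps or /proc.
# DEPLOY_SUDO_PASSWORD is expected in the environment (exported by the job).
docker_cmd() {
  printf '%s\n' "$DEPLOY_SUDO_PASSWORD" | sudo -S -p '' docker "$@"
}

# Full server-side sequence after the repo has been synced to $1:
# write the env file, build images, restart containers, verify health.
#   $1 = repo path, $2 = env file path, $3 = health URL, $4.. = KEY=VALUE
deploy() {
  repo="$1"; env_file="$2"; health_url="$3"; shift 3
  write_env_file "$env_file" "$@"
  cd "$repo"
  docker_cmd compose build
  docker_cmd compose up -d --remove-orphans
  if ! health_check "$health_url"; then
    echo "health check failed for $health_url" >&2
    docker_cmd compose logs --tail 50 >&2
    return 1
  fi
  echo "deploy ok"
}

# Manual invocation (guarded so the file can be sourced without deploying):
#   DEPLOY_SUDO_PASSWORD=... ./deploy.sh run /home/administrator/pounce \
#       /data/pounce/env/backend.env http://127.0.0.1:8000/health \
#       "DATABASE_URL=$DATABASE_URL" "SECRET_KEY=$SECRET_KEY"
if [ "${1:-}" = "run" ]; then
  shift
  deploy "$@"
fi
```

The two design points worth keeping when adapting this: the env file is created with mode 0600 before any secret is written to it (a `touch`-then-`chmod` sequence leaves a window where the default umask applies), and the sudo password reaches `sudo -S` over stdin rather than as a command-line argument.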