diff --git a/.gitea/workflows/deploy-nalu.yml b/.gitea/workflows/deploy-nalu.yml
index 4893f39..67ab5ef 100644
--- a/.gitea/workflows/deploy-nalu.yml
+++ b/.gitea/workflows/deploy-nalu.yml
@@ -91,12 +91,8 @@ jobs:
 SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 run: |
 mkdir -p ~/.ssh
- printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa
- echo "" >> ~/.ssh/id_rsa
+ echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa
 chmod 600 ~/.ssh/id_rsa
- # debug key format (no content exposed)
- head -1 ~/.ssh/id_rsa
- wc -l ~/.ssh/id_rsa
 ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null
 
 - name: Build image on ARM server
@@ -205,8 +201,7 @@ jobs:
 SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 run: |
 mkdir -p ~/.ssh
- printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa
- echo "" >> ~/.ssh/id_rsa
+ echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa
 chmod 600 ~/.ssh/id_rsa
 ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null
 
@@ -216,6 +211,10 @@ jobs:
 ssh -o StrictHostKeyChecking=no ubuntu@${{ env.SWARM_MANAGER }} << SSHEOF
 set -e
 
+ # ── Scale down so secrets can be rotated ─────────────────────────
+ docker service scale nalu_app=0 2>/dev/null || true
+ sleep 5
+
 # ── Create/update Docker secrets ─────────────────────────────────
 update_secret() {
 local name=\$1
@@ -267,8 +266,7 @@ jobs:
 SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 run: |
 mkdir -p ~/.ssh
- printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa
- echo "" >> ~/.ssh/id_rsa
+ echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa
 chmod 600 ~/.ssh/id_rsa
 ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null
 ssh-keyscan -H ${{ env.SWARM_WORKER }} >> ~/.ssh/known_hosts 2>/dev/null
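Review bot: The decoded key is written to `~/.ssh/id_rsa` under the shell's default umask and only locked down by the `chmod 600` on the following line, so for a moment the private key can be readable by other users on the runner; the identical sequence appears in the hunks at -205 and -267. Creating the file with restrictive permissions closes that window: `(umask 077; echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa)`, and `mkdir -p -m 700 ~/.ssh` does the same for the directory. The removed lines appended a trailing newline after the key; if the stored secret was base64-encoded from a key without its final newline, ssh rejects the decoded file as invalid format, so it is worth confirming how the secret value was produced. An unset or empty secret decodes to an empty file and only fails later at the ssh call, so a guard such as `[ -n "${SSH_PRIVATE_KEY}" ] || { echo "SSH_PRIVATE_KEY is not set" >&2; exit 1; }` before the decode gives a clearer failure.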
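Review bot: `sleep 5` after `docker service scale nalu_app=0` does not confirm that the tasks have stopped; whether the secret is free for removal after five seconds depends on the service's stop grace period, which is not visible here, and the `|| true` also hides a failed scale (for example a wrong service name), so the secret update that follows can still fail with the secret reported as in use. Polling the orchestrator until no task reports a running state, with an upper bound, makes the wait deterministic; the `update_secret` function this prepares for starts inside the hunk and continues past it. Scaling to zero also takes the service down for the whole rotation, so if that outage is not intended, `docker service update --secret-rm`/`--secret-add` with a freshly named secret would rotate under a rolling update instead. Because these lines sit inside the unquoted `SSHEOF` heredoc, any `$` in the replacement must be escaped as on the `local name=\$1` line.
```yaml
docker service scale nalu_app=0 2>/dev/null || true
# wait (bounded) until the orchestrator reports no task in a Running state
for _ in \$(seq 1 30); do
  docker service ps nalu_app --format '{{.CurrentState}}' 2>/dev/null | grep -q '^Running' || break
  sleep 1
done
# … unchanged: Create/update Docker secrets section …
```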