From 958e71d9bf4296efcc5d61ca0da0a91dc735b8f7 Mon Sep 17 00:00:00 2001
From: Ricardo Carneiro
Date: Fri, 15 May 2026 20:21:16 -0300
Subject: [PATCH] fix: scale service to 0 before secret rotation to avoid AlreadyExists error

Docker Swarm refuses to delete secrets in use by running services. Scale nalu_app to 0 first, then rotate, then stack deploy re-creates.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/deploy-nalu.yml | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/.gitea/workflows/deploy-nalu.yml b/.gitea/workflows/deploy-nalu.yml
index 4893f39..67ab5ef 100644
--- a/.gitea/workflows/deploy-nalu.yml
+++ b/.gitea/workflows/deploy-nalu.yml
@@ -91,12 +91,8 @@ jobs:
 SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 run: |
 mkdir -p ~/.ssh
- printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa
- echo "" >> ~/.ssh/id_rsa
+ echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa
 chmod 600 ~/.ssh/id_rsa
- # debug key format (no content exposed)
- head -1 ~/.ssh/id_rsa
- wc -l ~/.ssh/id_rsa
 ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null

 - name: Build image on ARM server
@@ -205,8 +201,7 @@ jobs:
 SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 run: |
 mkdir -p ~/.ssh
- printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa
- echo "" >> ~/.ssh/id_rsa
+ echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa
 chmod 600 ~/.ssh/id_rsa
 ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null

@@ -216,6 +211,10 @@ jobs:
 ssh -o StrictHostKeyChecking=no ubuntu@${{ env.SWARM_MANAGER }} << SSHEOF
 set -e

+ # ── Scale down so secrets can be rotated ─────────────────────────
+ docker service scale nalu_app=0 2>/dev/null || true
+ sleep 5
+
 # ── Create/update Docker secrets ─────────────────────────────────
 update_secret() {
 local name=\$1
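Review bot: The added `echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa` line (here and in the hunks at -205 and -267) silently changes the expected encoding of the `SSH_PRIVATE_KEY` secret from escaped PEM text to base64, which the commit message does not mention. A secret still stored in the old form would decode to garbage, and whether that stops the job depends on the runner shell's pipefail setting. The key file is also created under the runner's default umask and only tightened by the following `chmod 600`; putting `umask 077` before the write closes that window. I would follow the decode with `ssh-keygen -y -f ~/.ssh/id_rsa >/dev/null` so a malformed key fails the step early without printing key material. The step body starts outside the hunk.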
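Review bot: Scaling `nalu_app` to 0 in the -216 hunk probably does not release the secret: as far as I know Swarm rejects `docker secret rm` while any service spec still references the secret, regardless of replica count, so the rotation may still fail while every deploy now causes an outage. With `2>/dev/null || true` a failed scale-down is invisible, `sleep 5` is a guess at task shutdown time, and under `set -e` any later failure leaves the service at zero replicas until a stack deploy succeeds. A safer pattern is to create each rotated secret under a new name carrying a version or content-hash suffix and swap it in with `docker service update --secret-rm OLD --secret-add NEW nalu_app` (or reference the new name in the stack file), removing the old secret afterwards. The heredoc body continues outside the hunk, so how `update_secret` deletes and recreates is not visible here.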
@@ -267,8 +266,7 @@ jobs:
 SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 run: |
 mkdir -p ~/.ssh
- printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | sed 's/\\n/\n/g' > ~/.ssh/id_rsa
- echo "" >> ~/.ssh/id_rsa
+ echo "${SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_rsa
 chmod 600 ~/.ssh/id_rsa
 ssh-keyscan -H ${{ env.SWARM_MANAGER }} >> ~/.ssh/known_hosts 2>/dev/null
 ssh-keyscan -H ${{ env.SWARM_WORKER }} >> ~/.ssh/known_hosts 2>/dev/null
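Review bot: The `ssh-keyscan -H … >> ~/.ssh/known_hosts` lines kept by this hunk trust whatever host key the network returns on each run, so the session and everything the job sends through it go to a host whose identity was never verified; with `2>/dev/null` a failed scan is silent as well. Pin the manager's and worker's public host keys in a repository variable or secret and write those to `known_hosts` instead of scanning. The same applies to the key setups at -91 and -205. The `ssh -o StrictHostKeyChecking=no` call visible in the -216 hunk bypasses `known_hosts` altogether, so `-o StrictHostKeyChecking=yes` with the pinned keys is needed for the check to have any effect.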