From 971c390ea352e718d136b820ab5f880077ad1b29 Mon Sep 17 00:00:00 2001
From: Ricardo Carneiro
Date: Fri, 15 May 2026 21:43:12 -0300
Subject: [PATCH] fix: remove stack before secret rotation (scale=0 doesn't free secret refs)

docker stack rm nalu releases all secret references. Wait for services to terminate before recreating secrets.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/deploy-nalu.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/deploy-nalu.yml b/.gitea/workflows/deploy-nalu.yml
index 67ab5ef..ee0c35e 100644
--- a/.gitea/workflows/deploy-nalu.yml
+++ b/.gitea/workflows/deploy-nalu.yml
@@ -211,9 +211,11 @@ jobs:
 ssh -o StrictHostKeyChecking=no ubuntu@${{ env.SWARM_MANAGER }} << SSHEOF
 set -e
- # ── Scale down so secrets can be rotated ─────────────────────────
- docker service scale nalu_app=0 2>/dev/null || true
- sleep 5
+ # ── Remove stack so secrets can be rotated ───────────────────────
+ docker stack rm nalu 2>/dev/null || true
+ # wait until all nalu services are gone
+ timeout 60 bash -c 'until ! docker service ls 2>/dev/null | grep -q nalu_; do sleep 2; done' || true
+ sleep 3
 # ── Create/update Docker secrets ─────────────────────────────────
 update_secret() {
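Review bot: The wait added before secret rotation cannot fail: `timeout 60 … || true` lets the script continue to `update_secret` even when nalu services still exist after 60 seconds, which is presumably the state in which the old secrets are still referenced. `grep -q nalu_` also matches that substring anywhere in the `docker service ls` output (image names, service names of other stacks), not only services that belong to this stack. I would filter on the stack label and stop on timeout, e.g. `timeout 60 bash -c 'while docker service ls -q --filter label=com.docker.stack.namespace=nalu | grep -q .; do sleep 2; done' || { echo "nalu services still present after 60s" >&2; exit 1; }`. Because `docker stack rm` takes the whole stack down and `set -e` aborts on later errors, a comment such as `# NOTE: a failure after this point leaves nalu undeployed until the next successful run` would tell operators what to expect. The heredoc and `update_secret` continue past the end of the hunk, so how a still-referenced secret is handled there is not visible.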