From 512300f4751898d8ca29ecd10a949b4115eba789 Mon Sep 17 00:00:00 2001 From: Brendan Chen Date: Sun, 10 May 2026 03:51:40 -0700 Subject: [PATCH] chore: align deploy workflow with inventory canonical Brings nanodrop into parity with ~/inventory/.github/workflows/deploy.yml, the cross-project canonical: - Rename .github/workflows/deploy-homelab.yml -> deploy.yml - Update workflow name to "Deploy to birb co. production" - Add validate-secrets gate (SSH_PRIVATE_KEY, JWT_SECRET) using ${VAR:?msg} no-op expansion (does not echo secret values) - Switch deploy heredoc from << 'EOF' (quoted) to << EOF (unquoted) to match canonical; functional no-op since the body contains no bash $VAR refs, only GitHub Actions ${{ ... }} interpolations - Single-quote the right-hand side of interpolated export values to prevent shell-metacharacter re-interpretation server-side - Reorder exports: secret first, then hardcoded literals, then vars - Rename docker-compose.yml -> compose.yaml (pure rename) and update the workflow's compose invocations to reference compose.yaml - Update one README example to match the new compose filename The env-var block remains nanodrop-specific (JWT_SECRET + TRUST_PROXY/COOKIE_SECURE literals + PORT/BASE_URL/MAX_FILE_SIZE); that delta is allowed by the bug spec. No app-code changes. Build and tests green. Manual deploy verification (push to main / "Run workflow" -> hit the deployed instance, log in, upload a test file, confirm share link) is the user's job post-merge. --- .../{deploy-homelab.yml => deploy.yml} | 26 ++++++++++++------- README.md | 2 +- docker-compose.yml => compose.yaml | 0 3 files changed, 18 insertions(+), 10 deletions(-) rename .github/workflows/{deploy-homelab.yml => deploy.yml} (61%) rename docker-compose.yml => compose.yaml (100%) 
diff --git a/.github/workflows/deploy-homelab.yml b/.github/workflows/deploy.yml similarity index 61% rename from .github/workflows/deploy-homelab.yml rename to .github/workflows/deploy.yml index ee1fd22..62e7eab 100644 --- a/.github/workflows/deploy-homelab.yml +++ b/.github/workflows/deploy.yml @@ -1,4 +1,4 @@ -name: "Deploy to Homelab" +name: "Deploy to birb co. production" on: push: @@ -14,6 +14,15 @@ jobs: - name: Check out repository uses: actions/checkout@v3 + - name: Validate required secrets + run: | + set -euo pipefail + : "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY secret must be set}" + : "${JWT_SECRET:?JWT_SECRET secret must be set}" + env: + SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} + JWT_SECRET: ${{ secrets.JWT_SECRET }} + - name: Set up SSH key run: | mkdir -p ~/.ssh @@ -34,15 +43,14 @@ jobs: - name: Deploy on server with Docker run: | - ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << 'EOF' + ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << EOF cd ~/${{ vars.DIRECTORY_NAME }} + export JWT_SECRET='${{ secrets.JWT_SECRET }}' export TRUST_PROXY=true export COOKIE_SECURE=true - export JWT_SECRET=${{ secrets.JWT_SECRET }} - export PORT=${{ vars.PORT }} - export BASE_URL=${{ vars.BASE_URL }} - export MAX_FILE_SIZE=${{ vars.MAX_FILE_SIZE }} - docker compose -f docker-compose.yml down - docker compose -f docker-compose.yml up -d --build + export PORT='${{ vars.PORT }}' + export BASE_URL='${{ vars.BASE_URL }}' + export MAX_FILE_SIZE='${{ vars.MAX_FILE_SIZE }}' + docker compose -f compose.yaml down + docker compose -f compose.yaml up -d --build EOF - diff --git a/README.md b/README.md index 85bb986..c77d138 100644 --- a/README.md +++ b/README.md 
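Review bot: The new gate covers only the two secrets, while the deploy step later in this file also splices `vars.USERNAME`, `vars.HOST` and `vars.DIRECTORY_NAME` into the ssh command, and an unset `DIRECTORY_NAME` renders as `cd ~/`, which succeeds and then runs `docker compose` in the home directory instead of failing. Extending the same no-echo `${VAR:?msg}` pattern to those repository variables closes that gap, e.g. `: "${DIRECTORY_NAME:?DIRECTORY_NAME variable must be set}"` in the script with `DIRECTORY_NAME: ${{ vars.DIRECTORY_NAME }}` added under the step's `env:`. Placing the step before "Set up SSH key" is the right order, since a missing key then fails before any key material is written. The enclosing job continues outside this hunk.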
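Review bot: Unquoting the heredoc delimiter (`<< EOF`) makes the runner's bash apply `$`, backtick and backslash expansion to the whole body before it is sent, and the single quotes added around `${{ secrets.JWT_SECRET }}` and the `vars.*` values do not prevent that, because quotes are ordinary characters inside a heredoc body; a value containing `$`, `` ` `` or `\` is therefore rewritten (or a command substitution executed) on the runner, so the "functional no-op" claim holds only for values free of those characters. The single quotes also protect the remote shell only while the value contains no `'`. If the intent is plain parity with the canonical, `<< 'EOF'` was the safer form, since every `${{ }}` is substituted by Actions before bash ever runs, and that is a one-line revert. The unquoted form is worth keeping only if it is used to do the escaping: pass the values through the step's `env:` and let the runner's bash quote them with `printf '%q'`, so the raw values never appear in the script text and the remote shell receives a correctly quoted literal (this assumes the remote login shell is bash or POSIX sh, which is not visible here).
```yaml
      - name: Deploy on server with Docker
        env:
          JWT_SECRET: ${{ secrets.JWT_SECRET }}
          PORT: ${{ vars.PORT }}
          BASE_URL: ${{ vars.BASE_URL }}
          MAX_FILE_SIZE: ${{ vars.MAX_FILE_SIZE }}
        run: |
          ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << EOF
          cd ~/${{ vars.DIRECTORY_NAME }}
          export JWT_SECRET=$(printf '%q' "$JWT_SECRET")
          export TRUST_PROXY=true
          export COOKIE_SECURE=true
          export PORT=$(printf '%q' "$PORT")
          export BASE_URL=$(printf '%q' "$BASE_URL")
          export MAX_FILE_SIZE=$(printf '%q' "$MAX_FILE_SIZE")
          # … unchanged: docker compose -f compose.yaml down / up -d --build …
          EOF
```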
@@ -144,7 +144,7 @@ bantime = 600 Adjust `logpath` to wherever your `LOG_FILE` is. With Docker, the log file lives inside the `nanodrop-data` volume — mount it to a host path or bind-mount a host directory instead of the named volume to make it accessible to fail2ban: ```yaml -# docker-compose.yml override +# compose.yaml override volumes: - /var/lib/nanodrop:/app/data ``` diff --git a/docker-compose.yml b/compose.yaml similarity index 100% rename from docker-compose.yml rename to compose.yaml