chore: align nanodrop deploy workflow with inventory canonical #5

Merged
brendan merged 1 commits from chore/align-deploy-yaml-with-inventory into main 2026-05-10 10:56:46 +00:00
Owner

Closes the last open bullet of the cross-project deploy-alignment chore in ~/bugs.md. authd (PR #10), movement (PR #14), and buchinese (direct user commits to main) are already aligned. nanodrop is the final project.

What changed

  • .github/workflows/deploy-homelab.yml → .github/workflows/deploy.yml (rename to match canonical filename).
  • Workflow name: → "Deploy to birb co. production" (matches inventory verbatim).
  • docker-compose.yml → compose.yaml (disk rename so the workflow's compose -f compose.yaml invocations work).
  • Added Validate required secrets step matching inventory canonical (validates SSH_PRIVATE_KEY + JWT_SECRET only — vars are not validated, mirroring authd/movement precedent).
  • Heredoc terminator on the deploy step changed from << 'EOF' to << EOF (matches canonical; functionally a no-op for nanodrop since the body has no bash $VAR refs, only GitHub Actions ${{ ... }} interpolations).
  • Export RHS values single-quoted ('${{ ... }}') per canonical pattern.
  • Export order: secret first, then hardcoded literals (TRUST_PROXY=true, COOKIE_SECURE=true preserved as literals — they are env values, not secrets, per the bug-item directive), then vars.
  • README.md: one-line comment update (# docker-compose.yml override → # compose.yaml override).

The diff vs ~/inventory/.github/workflows/deploy.yml is now confined to the env-var block (validate list + export list), as the chore allows.

Security

None. The diff is a workflow rename/alignment with no application-code change. Reviewed against the mandatory security audit class list:

  • No secrets echoed (validate uses ${VAR:?msg} no-op).
  • Unquoted heredoc body has zero bash $VAR references (only ${{ ... }} rendered at YAML time).
  • No new/renamed/removed env vars; deploy manifests unchanged.
  • All other classes N/A (no HTTP routes, no auth/authz, no DB, no untrusted input).

Tests

  • npm run build clean (tsc --noEmit).
  • npm test — 125/125 vitest specs green across 18 files.
  • YAML lint of deploy.yml clean.
  • Worktree-wide grep for docker-compose.yml and deploy-homelab returns zero stale references after the rename.

Manual deploy verification (post-merge, user)

The bug-fixer cannot trigger a real production deploy. After merge, manually verify the workflow runs end-to-end:

  • Push to main (or click "Run workflow") triggers the workflow.
  • Validate required secrets should pass (both SSH_PRIVATE_KEY and JWT_SECRET are already configured).
  • Deploy step transfers files and brings compose.yaml up.
  • Hit the deployed instance, log in, upload a test file.

Closes

Final bullet of the cross-project deploy-alignment chore. After merge, all four projects (authd, movement, buchinese, nanodrop) are aligned with ~/inventory/.github/workflows/deploy.yml; the bug item can be wrapped resolved.
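
Added example (not code from the nanodrop or inventory repositories): the two shell mechanics this PR relies on, the `${VAR:?msg}` secrets gate and the single-quoted export RHS inside an unquoted heredoc, reproduced as plain shell functions so their behaviour can be checked locally without a runner. Function names, the constructed sample value, and the single-quote guard at the end are assumptions added here, not part of the canonical workflow.

```shell
#!/usr/bin/env bash
# Added example, not nanodrop's or inventory's own workflow code.

# 1. The "Validate required secrets" gate.  ${VAR:?msg} aborts with the
#    message when VAR is unset or empty and never prints VAR's value, so
#    nothing secret reaches the job log.  Runs in a subshell so a failure
#    comes back as a return code instead of killing the caller.
validate_required_secrets() {
  ( : "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY secret is not set}"
    : "${JWT_SECRET:?JWT_SECRET secret is not set}" ) 2>/dev/null
}

# 2. The export line inside the deploy heredoc.  GitHub Actions renders
#    ${{ secrets.X }} into the YAML text before bash sees it, and the
#    heredoc is unquoted (<< EOF), so the remote shell parses whatever
#    text the secret contained.  render_export() builds the line the same
#    way the workflow does; quoted=1 is the canonical single-quoted form.
render_export() {  # $1 = var name, $2 = already-interpolated value, $3 = quoted?
  if [ "$3" = 1 ]; then printf "export %s='%s'" "$1" "$2"
  else printf "export %s=%s" "$1" "$2"; fi
}

# Evaluate a rendered export line the way the server-side shell would and
# return the value the variable ends up holding.
value_after_remote_shell() {  # $1 = var name, $2 = rendered export line
  ( eval "$2"; eval "printf '%s' \"\$$1\"" )
}

# Single quotes only protect a value that contains no single quote itself;
# a secret with a ' in it would terminate the quoting.  The canonical
# workflow does not check this, so this guard is an assumption added here.
secret_is_single_quote_safe() {
  case "$1" in *\'*) return 1 ;; *) return 0 ;; esac
}
```

With a constructed value such as `abc$(echo X)`, the single-quoted form keeps it literal while the unquoted form lets the remote shell expand it.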

brendan added 1 commit 2026-05-10 10:56:33 +00:00
Brings nanodrop into parity with ~/inventory/.github/workflows/deploy.yml,
the cross-project canonical:

- Rename .github/workflows/deploy-homelab.yml -> deploy.yml
- Update workflow name to "Deploy to birb co. production"
- Add validate-secrets gate (SSH_PRIVATE_KEY, JWT_SECRET) using
  ${VAR:?msg} no-op expansion (does not echo secret values)
- Switch deploy heredoc from << 'EOF' (quoted) to << EOF (unquoted)
  to match canonical; functional no-op since the body contains no
  bash $VAR refs, only GitHub Actions ${{ ... }} interpolations
- Single-quote the right-hand side of interpolated export values to
  prevent shell-metacharacter re-interpretation server-side
- Reorder exports: secret first, then hardcoded literals, then vars
- Rename docker-compose.yml -> compose.yaml (pure rename) and update
  the workflow's compose invocations to reference compose.yaml
- Update one README example to match the new compose filename

The env-var block remains nanodrop-specific (JWT_SECRET +
TRUST_PROXY/COOKIE_SECURE literals + PORT/BASE_URL/MAX_FILE_SIZE);
that delta is allowed by the bug spec.

No app-code changes. Build and tests green.

Manual deploy verification (push to main / "Run workflow" -> hit the
deployed instance, log in, upload a test file, confirm share link)
is the user's job post-merge.
brendan merged commit bee3cd2e98 into main 2026-05-10 10:56:46 +00:00