nanodrop/.github/workflows/deploy.yml

name: "Deploy to birb co. production"

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
    - name: Check out repository
      uses: actions/checkout@v3

    - name: Validate required secrets
      run: |
        set -euo pipefail
        : "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY secret must be set}"
        : "${JWT_SECRET:?JWT_SECRET secret must be set}"
      env:
        SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        JWT_SECRET: ${{ secrets.JWT_SECRET }}

    - name: Set up SSH key
      run: |
        mkdir -p ~/.ssh
        echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519
        ssh-keyscan ${{ vars.HOST }} >> ~/.ssh/known_hosts

    - name: Remove directory from server
      run: |
        ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << 'EOF'
          rm -rf ~/${{ vars.DIRECTORY_NAME }}
        EOF

    # Avoid needing to set up SSH access to GitHub for this user
    - name: Transfer repository files to server
      run: |
        scp -i ~/.ssh/id_ed25519 -r ./* ${{ vars.USERNAME }}@${{ vars.HOST }}:~/${{ vars.DIRECTORY_NAME }}

    - name: Deploy on server with Docker
      run: |
        ssh -i ~/.ssh/id_ed25519 ${{ vars.USERNAME }}@${{ vars.HOST }} << EOF
          cd ~/${{ vars.DIRECTORY_NAME }}
          export JWT_SECRET='${{ secrets.JWT_SECRET }}'
          export TRUST_PROXY=true
          export COOKIE_SECURE=true
          export PORT='${{ vars.PORT }}'
          export BASE_URL='${{ vars.BASE_URL }}'
          export MAX_FILE_SIZE='${{ vars.MAX_FILE_SIZE }}'
          docker compose -f compose.yaml up -d --build --remove-orphans
        EOF