From 4ec574d66ac81ecf8f82ca5749f445967be907c0 Mon Sep 17 00:00:00 2001
From: bohessefm <bohessefm@gmail.com>
Date: Wed, 18 Feb 2026 23:30:01 +0000
Subject: [PATCH] Update .forgejo/workflows/deploy.yaml

---
 .forgejo/workflows/deploy.yaml | 91 +++++++++++++++++++++++-----------
 1 file changed, 61 insertions(+), 30 deletions(-)

diff --git a/.forgejo/workflows/deploy.yaml b/.forgejo/workflows/deploy.yaml
index b93af1d..881772d 100644
--- a/.forgejo/workflows/deploy.yaml
+++ b/.forgejo/workflows/deploy.yaml
@@ -23,6 +23,7 @@ jobs:
 
       - name: Build & Push Backend
         run: |
+          # Build usando SHA para imutabilidade e latest para conveniência
           docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }} \
             -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:latest ./backend
           docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
@@ -59,60 +60,90 @@ jobs:
         run: |
           kubectl create namespace gohorsejobsdev --dry-run=client -o yaml | kubectl apply -f -
 
+          # Sincroniza Registry Secret
           kubectl get secret forgejo-registry-secret --namespace=forgejo -o yaml | \
           sed 's/namespace: forgejo/namespace: gohorsejobsdev/' | \
           kubectl apply -f - --force
 
+          # Injeta variáveis (Lembre-se de mudar DATABASE_URL para sslmode=disable no Forgejo!)
           kubectl delete secret backend-secrets -n gohorsejobsdev --ignore-not-found
 
-          # Limpeza da chave para evitar caracteres UTF-8 invalidos
+          # Prepare RSA key file if available (prefer secrets over vars)
+          # AJUSTE: Limpando espaços que causam erro de UTF-8
           RAW_KEY="${{ secrets.RSA_PRIVATE_KEY_BASE64 || vars.RSA_PRIVATE_KEY_BASE64 }}"
           CLEAN_KEY=$(echo "$RAW_KEY" | tr -d '[:space:]')
 
-          # Decodifica se necessario para o arquivo
           if [ -n "$CLEAN_KEY" ]; then
+            echo "Decoding RSA_PRIVATE_KEY_BASE64"
             echo "$CLEAN_KEY" > /tmp/rsa_key.base64
             base64 -d /tmp/rsa_key.base64 > /tmp/rsa_key.pem 2>/dev/null || cp /tmp/rsa_key.base64 /tmp/rsa_key.pem
           fi
 
-          # Criação via Heredoc para evitar erros de marshaling gRPC (UTF-8)
-          cat <<EOF | kubectl apply -f -
-          apiVersion: v1
-          kind: Secret
-          metadata:
-            name: backend-secrets
-            namespace: gohorsejobsdev
-          type: Opaque
-          stringData:
-            MTU: "${{ vars.MTU }}"
-            DATABASE_URL: "${{ vars.DATABASE_URL }}"
-            AMQP_URL: "${{ vars.AMQP_URL }}"
-            JWT_SECRET: "${{ vars.JWT_SECRET }}"
-            JWT_EXPIRATION: "${{ vars.JWT_EXPIRATION }}"
-            PASSWORD_PEPPER: "${{ vars.PASSWORD_PEPPER }}"
-            COOKIE_SECRET: "${{ vars.COOKIE_SECRET }}"
-            COOKIE_DOMAIN: "${{ vars.COOKIE_DOMAIN }}"
-            BACKEND_PORT: "${{ vars.BACKEND_PORT }}"
-            BACKEND_HOST: "${{ vars.BACKEND_HOST }}"
-            ENV: "${{ vars.ENV }}"
-            CORS_ORIGINS: "${{ vars.CORS_ORIGINS }}"
-            S3_BUCKET: "${{ vars.S3_BUCKET }}"
-            AWS_REGION: "${{ vars.AWS_REGION }}"
-            AWS_ENDPOINT: "${{ vars.AWS_ENDPOINT }}"
-            AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
-            AWS_SECRET_ACCESS_KEY: "${{ vars.AWS_SECRET_ACCESS_KEY }}"
-            private_key.pem: |
-              $(cat /tmp/rsa_key.pem 2>/dev/null || echo "$CLEAN_KEY")
+          # Create secret: if rsa file exists, create secret from file (robust); otherwise fallback to from-literal
+          if [ -f /tmp/rsa_key.pem ]; then
+            # AJUSTE: Usando stringData para evitar erro gRPC de marshaling
+            cat <<EOF | kubectl apply -f -
+            apiVersion: v1
+            kind: Secret
+            metadata:
+              name: backend-secrets
+              namespace: gohorsejobsdev
+            type: Opaque
+            stringData:
+              MTU: "${{ vars.MTU }}"
+              DATABASE_URL: "${{ vars.DATABASE_URL }}"
+              AMQP_URL: "${{ vars.AMQP_URL }}"
+              JWT_SECRET: "${{ vars.JWT_SECRET }}"
+              JWT_EXPIRATION: "${{ vars.JWT_EXPIRATION }}"
+              PASSWORD_PEPPER: "${{ vars.PASSWORD_PEPPER }}"
+              COOKIE_SECRET: "${{ vars.COOKIE_SECRET }}"
+              COOKIE_DOMAIN: "${{ vars.COOKIE_DOMAIN }}"
+              BACKEND_PORT: "${{ vars.BACKEND_PORT }}"
+              BACKEND_HOST: "${{ vars.BACKEND_HOST }}"
+              ENV: "${{ vars.ENV }}"
+              CORS_ORIGINS: "${{ vars.CORS_ORIGINS }}"
+              S3_BUCKET: "${{ vars.S3_BUCKET }}"
+              AWS_REGION: "${{ vars.AWS_REGION }}"
+              AWS_ENDPOINT: "${{ vars.AWS_ENDPOINT }}"
+              AWS_ACCESS_KEY_ID: "${{ vars.AWS_ACCESS_KEY_ID }}"
+              AWS_SECRET_ACCESS_KEY: "${{ vars.AWS_SECRET_ACCESS_KEY }}"
+              private_key.pem: |
+                $(cat /tmp/rsa_key.pem)
           EOF
+          else
+            kubectl create secret generic backend-secrets -n gohorsejobsdev \
+              --from-literal=MTU="${{ vars.MTU }}" \
+              --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
+              --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
+              --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \
+              --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \
+              --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \
+              --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \
+              --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \
+              --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \
+              --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \
+              --from-literal=ENV="${{ vars.ENV }}" \
+              --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \
+              --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \
+              --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \
+              --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
+              --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
+              --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
+              --from-literal=RSA_PRIVATE_KEY_BASE64="$CLEAN_KEY" \
+              --dry-run=client -o yaml | kubectl apply -f -
+          fi
 
       - name: Deploy to K3s
         run: |
           kubectl apply -f k8s/dev/ -n gohorsejobsdev
           
+          # Vincula o deployment ao SHA específico para garantir que o Pull ocorra corretamente
           kubectl -n gohorsejobsdev set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
           kubectl -n gohorsejobsdev set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }}
           
+          # Força o restart para carregar os novos valores do secret backend-secrets
           kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backend-dev
           kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backoffice-dev
           
+          # Aguarda estabilização
           kubectl -n gohorsejobsdev rollout status deployment/gohorse-backend-dev --timeout=120s
\ No newline at end of file