Update .forgejo/workflows/deploy.yaml

.forgejo/workflows/deploy.yaml

@@ -23,6 +23,7 @@ jobs:
 
       - name: Build & Push Backend
         run: |
+          # Build usando SHA para imutabilidade e latest para conveniência
           docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }} \
             -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:latest ./backend
           docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
@@ -59,23 +60,31 @@ jobs:
         run: |
           kubectl create namespace gohorsejobsdev --dry-run=client -o yaml | kubectl apply -f -
 
+          # Sincroniza Registry Secret
           kubectl get secret forgejo-registry-secret --namespace=forgejo -o yaml | \
           sed 's/namespace: forgejo/namespace: gohorsejobsdev/' | \
           kubectl apply -f - --force
 
+          # Injeta variáveis (Lembre-se de mudar DATABASE_URL para sslmode=disable no Forgejo!)
           kubectl delete secret backend-secrets -n gohorsejobsdev --ignore-not-found
 
-          # PEGA A SECRET, REMOVE ESPAÇOS E QUEBRAS DE LINHA QUE CAUSAM O ERRO UTF-8
-          RAW_KEY="${{ secrets.RSA_PRIVATE_KEY_BASE64 || vars.RSA_PRIVATE_KEY_BASE64 }}"
-          CLEAN_KEY=$(echo "$RAW_KEY" | tr -d '[:space:]')
-
-          if [ -n "$CLEAN_KEY" ]; then
-            echo "Processing RSA Key (Cleaning spaces and newlines)..."
-            echo "$CLEAN_KEY" > /tmp/rsa_key.base64
-            # Tenta decodificar. Se falhar (já for PEM), usa o original limpo.
-            base64 -d /tmp/rsa_key.base64 > /tmp/rsa_key.pem 2>/dev/null || cp /tmp/rsa_key.base64 /tmp/rsa_key.pem
+          # Prepare RSA key file if available (prefer secrets over vars)
+          if [ -n "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" ]; then
+            echo "Decoding RSA_PRIVATE_KEY_BASE64 from secrets"
+            printf '%b' "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true
+            # if it's base64-encoded PEM, decode it
+            if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then
+              base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true
+            fi
+          elif [ -n "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" ]; then
+            echo "Decoding RSA_PRIVATE_KEY_BASE64 from vars"
+            printf '%b' "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true
+            if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then
+              base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true
+            fi
           fi
 
+          # Create secret: if rsa file exists, create secret from file (robust); otherwise fallback to from-literal
           if [ -f /tmp/rsa_key.pem ]; then
             kubectl create secret generic backend-secrets -n gohorsejobsdev \
               --from-literal=MTU="${{ vars.MTU }}" \
@@ -98,7 +107,6 @@ jobs:
               --from-file=private_key.pem=/tmp/rsa_key.pem \
               --dry-run=client -o yaml | kubectl apply -f -
           else
-            # Fallback caso a chave não exista
             kubectl create secret generic backend-secrets -n gohorsejobsdev \
               --from-literal=MTU="${{ vars.MTU }}" \
               --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
@@ -117,6 +125,7 @@ jobs:
               --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
               --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
               --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
+              --from-literal=RSA_PRIVATE_KEY_BASE64="${{ vars.RSA_PRIVATE_KEY_BASE64 }}" \
               --dry-run=client -o yaml | kubectl apply -f -
           fi
 
@@ -124,10 +133,13 @@ jobs:
         run: |
           kubectl apply -f k8s/dev/ -n gohorsejobsdev
           
+          # Vincula o deployment ao SHA específico para garantir que o Pull ocorra corretamente
           kubectl -n gohorsejobsdev set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
           kubectl -n gohorsejobsdev set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }}
           
+          # Força o restart para carregar os novos valores do secret backend-secrets
           kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backend-dev
           kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backoffice-dev
           
+          # Aguarda estabilização
           kubectl -n gohorsejobsdev rollout status deployment/gohorse-backend-dev --timeout=120s