From b05456e21c34edbe9b9d50bd25162fd3546efb34 Mon Sep 17 00:00:00 2001
From: bohessefm <bohessefm@gmail.com>
Date: Sat, 21 Feb 2026 13:14:25 +0000
Subject: [PATCH] Update .forgejo/workflows/deploy.yaml

---
 .forgejo/workflows/deploy.yaml | 119 +++++++++++++--------------------
 1 file changed, 45 insertions(+), 74 deletions(-)

diff --git a/.forgejo/workflows/deploy.yaml b/.forgejo/workflows/deploy.yaml
index b9d7e32..ac0cbc5 100644
--- a/.forgejo/workflows/deploy.yaml
+++ b/.forgejo/workflows/deploy.yaml
@@ -8,6 +8,7 @@ on:
 env:
   REGISTRY: pipe.gohorsejobs.com
   IMAGE_NAMESPACE: bohessefm
+  NAMESPACE: gohorsejobsdev
 
 jobs:
   build-and-push:
@@ -23,7 +24,6 @@ jobs:
 
       - name: Build & Push Backend
         run: |
-          # Build usando SHA para imutabilidade e latest para conveniência
           docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }} \
             -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:latest ./backend
           docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
@@ -58,88 +58,59 @@ jobs:
 
       - name: Sync Secrets and Vars
         run: |
-          kubectl create namespace gohorsejobsdev --dry-run=client -o yaml | kubectl apply -f -
+          # Garante que o namespace existe
+          kubectl create namespace ${{ env.NAMESPACE }} --dry-run=client -o yaml | kubectl apply -f -
 
-          # Sincroniza Registry Secret
+          # Sincroniza Registry Secret do namespace forgejo
           kubectl get secret forgejo-registry-secret --namespace=forgejo -o yaml | \
-          sed 's/namespace: forgejo/namespace: gohorsejobsdev/' | \
-          kubectl apply -f - --force
+          sed "s/namespace: forgejo/namespace: ${{ env.NAMESPACE }}/" | \
+          kubectl apply -f -
 
-          # Injeta variáveis (Lembre-se de mudar DATABASE_URL para sslmode=disable no Forgejo!)
-          kubectl delete secret backend-secrets -n gohorsejobsdev --ignore-not-found
-
-          # Prepare RSA key file if available (prefer secrets over vars)
-          if [ -n "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" ]; then
-            echo "Decoding RSA_PRIVATE_KEY_BASE64 from secrets"
-            printf '%b' "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true
-            # if it's base64-encoded PEM, decode it
-            if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then
-              base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true
-            fi
-          elif [ -n "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" ]; then
-            echo "Decoding RSA_PRIVATE_KEY_BASE64 from vars"
-            printf '%b' "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true
-            if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then
-              base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true
+          # Prepara a chave RSA (Prioriza Secret, depois Var)
+          RSA_CONTENT="${{ secrets.RSA_PRIVATE_KEY_BASE64 || vars.RSA_PRIVATE_KEY_BASE64 }}"
+          if [ -n "$RSA_CONTENT" ]; then
+            echo "$RSA_CONTENT" > /tmp/rsa_raw.txt
+            if base64 -d /tmp/rsa_raw.txt > /tmp/rsa_key.pem 2>/dev/null; then
+              echo "RSA Key decoded successfully."
+            else
+              cp /tmp/rsa_raw.txt /tmp/rsa_key.pem
             fi
           fi
 
-          # Create secret: if rsa file exists, create secret from file (robust); otherwise fallback to from-literal
-          if [ -f /tmp/rsa_key.pem ]; then
-            kubectl create secret generic backend-secrets -n gohorsejobsdev \
-              --from-literal=MTU="${{ vars.MTU }}" \
-              --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
-              --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
-              --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \
-              --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \
-              --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \
-              --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \
-              --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \
-              --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \
-              --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \
-              --from-literal=ENV="${{ vars.ENV }}" \
-              --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \
-              --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \
-              --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \
-              --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
-              --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
-              --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
-              --from-file=private_key.pem=/tmp/rsa_key.pem \
-              --dry-run=client -o yaml | kubectl apply -f -
-          else
-            kubectl create secret generic backend-secrets -n gohorsejobsdev \
-              --from-literal=MTU="${{ vars.MTU }}" \
-              --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
-              --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
-              --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \
-              --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \
-              --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \
-              --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \
-              --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \
-              --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \
-              --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \
-              --from-literal=ENV="${{ vars.ENV }}" \
-              --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \
-              --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \
-              --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \
-              --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
-              --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
-              --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
-              --from-literal=RSA_PRIVATE_KEY_BASE64="${{ vars.RSA_PRIVATE_KEY_BASE64 }}" \
-              --dry-run=client -o yaml | kubectl apply -f -
-          fi
+          # CRIAÇÃO DA SECRET USANDO DRY-RUN + APPLY (Evita deletar e falhar)
+          # O uso de quotes nas variáveis previne erros de shell
+          kubectl create secret generic backend-secrets -n ${{ env.NAMESPACE }} \
+            --from-literal=MTU="${{ vars.MTU }}" \
+            --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
+            --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
+            --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \
+            --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \
+            --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \
+            --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \
+            --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \
+            --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \
+            --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \
+            --from-literal=ENV="${{ vars.ENV }}" \
+            --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \
+            --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \
+            --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \
+            --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
+            --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
+            --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
+            $( [ -f /tmp/rsa_key.pem ] && echo "--from-file=private_key.pem=/tmp/rsa_key.pem" ) \
+            --dry-run=client -o yaml | kubectl apply -f -
 
       - name: Deploy to K3s
         run: |
-          kubectl apply -f k8s/dev/ -n gohorsejobsdev
+          kubectl apply -f k8s/dev/ -n ${{ env.NAMESPACE }}
           
-          # Vincula o deployment ao SHA específico para garantir que o Pull ocorra corretamente
-          kubectl -n gohorsejobsdev set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
-          kubectl -n gohorsejobsdev set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }}
+          # Atualiza as imagens para o novo SHA
+          kubectl -n ${{ env.NAMESPACE }} set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
+          kubectl -n ${{ env.NAMESPACE }} set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }}
           
-          # Força o restart para carregar os novos valores do secret backend-secrets
-          kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backend-dev
-          kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backoffice-dev
+          # Reinicia para garantir leitura da nova Secret
+          kubectl -n ${{ env.NAMESPACE }} rollout restart deployment/gohorse-backend-dev
+          kubectl -n ${{ env.NAMESPACE }} rollout restart deployment/gohorse-backoffice-dev
           
-          # Aguarda estabilização
-          kubectl -n gohorsejobsdev rollout status deployment/gohorse-backend-dev --timeout=120s
\ No newline at end of file
+          # Status
+          kubectl -n ${{ env.NAMESPACE }} rollout status deployment/gohorse-backend-dev --timeout=120s
\ No newline at end of file