Add correct secrets to CI pipeline

.forgejo/workflows/ci.yml

@@ -11,6 +11,14 @@ env:
   APP_NAME: ${{ secrets.APP_NAME }}
   IMAGE_TAG: ${{ github.sha }}
   RUN_ID: ${{ github.run_id }}
+  POSTGRES_USERNAME: ${{ secrets.PROD_DB_USERNAME }}
+  POSTGRES_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
+  POSTGRES_HOST: ${{ secrets.PROD_DB_HOST }}
+  POSTGRES_PORT: ${{ secrets.PROD_DB_PORT }}
+  POSTGRES_DATABASE_NAME: ${{ secrets.PROD_DB_DATABASE_NAME }}
+  PROD_BACKEND_HOST: ${{ secrets.PROD_BACKEND_HOST }}
+  PROD_BACKEND_PORT: ${{ secrets.PROD_BACKEND_PORT }}
+  PROD_FRONTEND_PORT: ${{ secrets.PROD_FRONTEND_PORT }}
   # Required pinned digests (fail if missing)
   RUST_IMG_DIGEST: ${{ secrets.RUST_IMG_DIGEST }}         # e.g., docker.io/library/rust@sha256:...
   NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }}         # e.g., docker.io/library/node@sha256:...
@@ -44,16 +52,9 @@ jobs:
           chmod +x ./pip_ready.sh
           ./pip_ready.sh
 
-      - name: Setup SSH with pinned known_hosts (per-step)
+      - name: Configure Git for token-based authentication
-        env:
-          GIT_SSH_COMMAND: 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts'
         run: |
-          mkdir -p ~/.ssh && chmod 700 ~/.ssh
+          git config --global url."https://${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_TOKEN }}@${{ env.REGISTRY }}".insteadOf "https://${{ env.REGISTRY }}"
-          install -m 600 /dev/null ~/.ssh/id_ed25519
-          printf '%s' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
-          install -m 644 /dev/null ~/.ssh/known_hosts
-          printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
-          # git commands in this step will use $GIT_SSH_COMMAND
 
       - name: Create internal integration network
         run: podman exec ci-pip-${{ env.RUN_ID }} podman network create --internal integ-${{ env.RUN_ID }}
@@ -63,15 +64,15 @@ jobs:
           podman exec ci-pip-${{ env.RUN_ID }} podman run -d \
             --name test-postgres \
             --network integ-${{ env.RUN_ID }} \
-            -e POSTGRES_PASSWORD=testpassword \
+            -e POSTGRES_PASSWORD=password \
-            -e POSTGRES_USER=testuser \
+            -e POSTGRES_USER=postgres \
-            -e POSTGRES_DB=testdb \
+            -e POSTGRES_DB=sharenet_test \
             "${POSTGRES_IMG_DIGEST}"
 
       - name: Wait for PostgreSQL to be ready
         run: |
           podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
-            i=0; until podman exec test-postgres pg_isready -h 127.0.0.1 -p 5432 -U testuser >/dev/null 2>&1; do
+            i=0; until podman exec test-postgres pg_isready -h 127.0.0.1 -p 5432 -U postgres >/dev/null 2>&1; do
               i=$((i+1)); [ $i -gt 60 ] && { echo "pg not ready"; exit 1; }; sleep 1
             done'
 
@@ -252,4 +253,45 @@ jobs:
 
       - name: Per-job cleanup (PiP container)
         if: always()
-        run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
+        run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
+
+  deploy-prod:
+    runs-on: [self-hosted, prod]
+    needs: [build-backend, build-frontend]
+    if: success()
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Deploy to production
+        env:
+          REGISTRY_HOST: ${{ env.REGISTRY }}
+          APP_NAME: ${{ env.APP_NAME }}
+          IMAGE_TAG: ${{ env.IMAGE_TAG }}
+          POSTGRES_USERNAME: ${{ env.POSTGRES_USERNAME }}
+          POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
+          POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
+          POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
+          POSTGRES_DATABASE_NAME: ${{ env.POSTGRES_DATABASE_NAME }}
+          PROD_BACKEND_HOST: ${{ env.PROD_BACKEND_HOST }}
+          PROD_BACKEND_PORT: ${{ env.PROD_BACKEND_PORT }}
+          PROD_FRONTEND_PORT: ${{ env.PROD_FRONTEND_PORT }}
+        run: |
+          # Install envsubst if not available (gettext package)
+          command -v envsubst >/dev/null 2>&1 || { 
+            if command -v apt-get >/dev/null 2>&1; then
+              sudo apt-get update && sudo apt-get install -y gettext-base
+            elif command -v yum >/dev/null 2>&1; then
+              sudo yum install -y gettext
+            elif command -v apk >/dev/null 2>&1; then
+              sudo apk add gettext
+            fi
+          }
+          
+          # Substitute environment variables in prod-pod.yml
+          envsubst < deploy/prod-pod.yml > prod-pod-deploy.yml
+          
+          # Deploy the pod (replace existing if it exists)
+          podman play kube --replace prod-pod-deploy.yml
+          
+          # Clean up generated file
+          rm -f prod-pod-deploy.yml

CI_CD_PIPELINE_SETUP_GUIDE.md

@@ -1199,9 +1199,9 @@ podman exec ci-pip-local podman version
 # Start PostgreSQL for integration tests
 podman exec ci-pip-local podman run -d \
   --name test-postgres \
-  -e POSTGRES_PASSWORD=testpassword \
+  -e POSTGRES_PASSWORD=password \
-  -e POSTGRES_USER=testuser \
+  -e POSTGRES_USER=postgres \
-  -e POSTGRES_DB=testdb \
+  -e POSTGRES_DB=sharenet_test \
   -p 5432:5432 \
   "${POSTGRES_IMG_DIGEST}"
 
@@ -1964,12 +1964,18 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
 - `REGISTRY_HOST`: Your Forgejo instance's registry URL
 - `REGISTRY_USERNAME`: Your Forgejo username for registry authentication
 - `REGISTRY_TOKEN`: Personal Access Token with `write:packages` scope for registry pushes
-- `SSH_PRIVATE_KEY`: SSH private key for production deployment access
-- `SSH_KNOWN_HOSTS`: SSH known_hosts entry for production server
 - `PODMAN_CLIENT_IMG_DIGEST`: Pinned Podman client image digest (e.g., `quay.io/podman/stable@sha256:...`)
 - `RUST_IMG_DIGEST`: Pinned Rust image digest (e.g., `docker.io/library/rust@sha256:...`)
 - `NODE_IMG_DIGEST`: Pinned Node.js image digest (e.g., `docker.io/library/node@sha256:...`)
 - `POSTGRES_IMG_DIGEST`: Pinned PostgreSQL image digest (e.g., `docker.io/library/postgres@sha256:...`)
+- `PROD_BACKEND_HOST`
+- `PROD_BACKEND_PORT`
+- `PROD_DB_USERNAME`
+- `PROD_DB_PASSWORD`
+- `PROD_DB_HOST`
+- `PROD_DB_PORT`
+- `PROD_DB_DATABASE_NAME`
+- `PROD_FRONTEND_PORT`
 
 #### How to Obtain Each Secret (with Purpose and Commands):
 
@@ -2011,22 +2017,6 @@ Go to your Forgejo repository and add these secrets in **Settings → Secrets an
   # Result: POSTGRES_IMG_DIGEST=docker.io/library/postgres@sha256:16508ad37e81dd63a94cdc620b0cfa1b771c4176b4e0f1cbc3a670431643e3ed
   ```
 
-**2. SSH Keys (Secure Deployment Access):**
-
-- **`SSH_PRIVATE_KEY`**: Private key for CI to deploy to production server
-  ```bash
-  # Generate SSH key pair (if you don't have one)
-  ssh-keygen -t ed25519 -f ~/.ssh/ci_deploy_key -N ""
-  # Use content of: cat ~/.ssh/ci_deploy_key
-  ```
-
-- **`SSH_KNOWN_HOSTS`**: Prevents MITM attacks during SSH deployment
-  ```bash
-  # Get production server's SSH fingerprint
-  ssh-keyscan -H YOUR_PRODUCTION_IP > known_hosts
-  # Use content of known_hosts file
-  ```
-
 **3. Forgejo Registry Credentials (Image Storage):**
 
 - **`REGISTRY_HOST`**: Your Forgejo instance hostname (e.g., `git.example.com`)

deploy/prod-pod.yml

@@ -26,16 +26,13 @@ spec:
         drop: ["ALL"]
     env:
     - name: POSTGRES_DB
-      value: sharenet
+      value: ${POSTGRES_DATABASE_NAME}
     - name: POSTGRES_USER
-      value: sharenet
+      value: ${POSTGRES_USERNAME}
     - name: PGDATA
       value: /var/lib/postgresql/data/pgdata
-    envFrom:
-    - secretRef:
-        name: postgres-secrets
     ports:
-    - containerPort: 5432
+    - containerPort: ${POSTGRES_PORT}
       protocol: TCP
     volumeMounts:
     - name: pgdata
@@ -74,20 +71,17 @@ spec:
         drop: ["ALL"]
     env:
     - name: DATABASE_URL
-      value: postgres://sharenet:${POSTGRES_PASSWORD}@localhost:5432/sharenet
+      value: postgres://${POSTGRES_USERNAME}:${POSTGRES_PASSWORD}@{POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DATABASE_NAME}?sslmode=disable
     - name: PORT
-      value: "3001"
+      value: ${PROD_BACKEND_PORT}
-    envFrom:
-    - secretRef:
-        name: backend-secrets
     ports:
-    - containerPort: 3001
+    - containerPort: ${PROD_BACKEND_PORT}
       protocol: TCP
     # Health checks
     livenessProbe:
       httpGet:
         path: /health
-        port: 3001
+        port: ${PROD_BACKEND_PORT}
         scheme: HTTP
       initialDelaySeconds: 30
       periodSeconds: 30
@@ -96,7 +90,7 @@ spec:
     readinessProbe:
       httpGet:
         path: /health
-        port: 3001
+        port: ${PROD_BACKEND_PORT}
         scheme: HTTP
       initialDelaySeconds: 10
       periodSeconds: 10
@@ -119,15 +113,14 @@ spec:
       capabilities:
         drop: ["ALL"]
     env:
-    - name: NEXT_PUBLIC_API_URL
+    - name: NEXT_PUBLIC_API_HOST
-      value: http://localhost:3001
+      value: ${PROD_BACKEND_HOST}
+    - name: NEXT_PUBLIC_API_PORT
+      value: ${PROD_BACKEND_PORT}
     - name: PORT
-      value: "3000"
+      value: ${PROD_FRONTEND_PORT}
-    envFrom:
-    - secretRef:
-        name: frontend-secrets
     ports:
-    - containerPort: 3000
+    - containerPort: ${PROD_FRONTEND_PORT}
       protocol: TCP
     # Resource limits
     resources: