refactor: switch ssh remote variable passing to positional arguments for deploy-qa pipeline

ci: use ssh-agent with dedicated deploy key (no passphrase)
ci: use base64-encoded SSH key to preserve newlines
2026-06-02 21:11:41 -06:00 · 2026-06-01 22:40:59 -06:00 · 2026-06-01 22:38:17 -06:00
1 changed files with 28 additions and 21 deletions
@@ -55,40 +55,48 @@ jobs:
    needs: build-and-push
    steps:
      - name: Deploy via SSH
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
          DEPLOY_PASSPHRASE: ${{ secrets.DEPLOY_PASSPHRASE }}
        run: |
          set -euo pipefail
          IMAGE_TAG="${{ needs.build-and-push.outputs.image_tag }}"
-          printf '%s\n' "$DEPLOY_SSH_KEY" > /tmp/deploy_key
+          eval $(ssh-agent -s)
-          chmod 600 /tmp/deploy_key
+          echo "${{ secrets.DEPLOY_SSH_KEY }}" | ssh-add -
          printf '%s\n' "$DEPLOY_PASSPHRASE" > /tmp/passphrase
          sudo apt-get update -qq && sudo apt-get install -y -qq sshpass
          mkdir -p ~/.ssh
          ssh-keyscan -H ${{ secrets.DEPLOY_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
-          sshpass -f /tmp/passphrase ssh -i /tmp/deploy_key \
+          # 1. Pasamos las variables como argumentos en el mismo orden
-            -o StrictHostKeyChecking=no \
+          ssh ${{ secrets.DEPLOY_USERNAME }}@${{ secrets.DEPLOY_HOST }} bash -s \
-            ${{ secrets.DEPLOY_USERNAME }}@${{ secrets.DEPLOY_HOST }} bash -s \
+            "${{ env.REGISTRY_URL }}" \
-            -e REGISTRY_URL=${{ env.REGISTRY_URL }} \
+            "${{ env.IMAGE_NAME }}" \
-            -e IMAGE_NAME=${{ env.IMAGE_NAME }} \
+            "${IMAGE_TAG}" \
-            -e IMAGE_TAG=${IMAGE_TAG} \
+            "${{ gitea.sha }}" \
-            -e GIT_SHA=${{ gitea.sha }} \
+            "${{ gitea.actor }}" \
-            -e GIT_BRANCH=dev \
+            "${{ gitea.run_id }}" \
-            -e GITEA_ACTOR=${{ gitea.actor }} \
+            "${{ secrets.TOKEN }}" << 'EOF'
            -e BUILD_NUMBER=${{ gitea.run_id }} \
            -e TOKEN=${{ secrets.TOKEN }} << 'EOF'
            set -euo pipefail
            # 2. Las recibimos dentro de la sesión remota
            REGISTRY_URL=$1
            IMAGE_NAME=$2
            IMAGE_TAG=$3
            GIT_SHA=$4
            GITEA_ACTOR=$5
            BUILD_NUMBER=$6
            TOKEN=$7
            # Variables locales del script
            GIT_BRANCH="dev"
            BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
            echo "Pulling image..."
            echo "$TOKEN" | docker login $REGISTRY_URL -u $GITEA_ACTOR --password-stdin
            docker pull $REGISTRY_URL/$IMAGE_NAME:$IMAGE_TAG
            echo "Stopping existing container..."
            docker stop cicd-qa 2>/dev/null || true
            docker rm cicd-qa 2>/dev/null || true
            echo "Starting new container..."
            docker run -d --name cicd-qa --restart unless-stopped -p 8081:80 \
              -e APP_ENV=qa \
@@ -99,6 +107,7 @@ jobs:
              -e DEPLOY_TIME=${BUILD_DATE} \
              -e BUILD_NUMBER=${BUILD_NUMBER} \
              $REGISTRY_URL/$IMAGE_NAME:$IMAGE_TAG
            echo "Waiting for health check..."
            for i in $(seq 1 12); do
              if curl -sf http://localhost:8081/health > /dev/null 2>&1; then
@@ -110,5 +119,3 @@ jobs:
            echo "::error::QA health check failed"
            exit 1
          EOF
Author	SHA1	Message	Date
nietzshn	252fbe5003	refactor: switch ssh remote variable passing to positional arguments for deploy-qa pipeline CI Pipeline / HTML Lint (push) Successful in 11s Details Deploy QA / Build and Push (push) Successful in 21s Details CI Pipeline / Build Docker Image (push) Successful in 1m3s Details Deploy QA / Deploy to QA (push) Successful in 9s Details CI Pipeline / Security Scan (push) Successful in 21s Details	2026-06-02 21:11:41 -06:00
nietzshn	dc86eb2bf2	ci: use ssh-agent with dedicated deploy key (no passphrase)	2026-06-01 22:40:59 -06:00
nietzshn	87faff525c	ci: use base64-encoded SSH key to preserve newlines	2026-06-01 22:38:17 -06:00