♻️ refactor(cd): hardcode non-sensitive config in staging workflow

Reduced GitHub Secrets requirements from 21 to 12 by hardcoding non-sensitive configuration values directly in the workflow file. Changes: - Hardcoded: DB/Redis host/port, STAGING_HOST, STAGING_USER, MANA_SERVICE_URL - Keep as secrets: passwords, API keys, JWT keys, SSH private key - Updated generate-staging-secrets.sh to reflect reduced secret list - Added get-ssh-key.sh helper script for SSH key extraction Benefits: - Fewer secrets to manage in GitHub - Configuration visible in code review - Easier to update non-sensitive values (no UI navigation) - Better separation of config vs secrets 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-05-15 00:01:10 +02:00 · 2025-12-04 17:11:36 +01:00 · 2025-12-04 17:11:36 +01:00 · 234703a130
commit 234703a130
parent cf2b6aaa2b
3 changed files with 188 additions and 20 deletions
--- a/.github/workflows/cd-staging.yml
+++ b/.github/workflows/cd-staging.yml
@ -39,13 +39,18 @@ jobs:
          ssh-private-key: ${{ secrets.STAGING_SSH_KEY }}

      - name: Add staging server to known hosts
+        env:
+          STAGING_HOST: 46.224.108.214
        run: |
          mkdir -p ~/.ssh
-          ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts
+          ssh-keyscan -H $STAGING_HOST >> ~/.ssh/known_hosts

      - name: Prepare deployment directory
+        env:
+          STAGING_USER: deploy
+          STAGING_HOST: 46.224.108.214
        run: |
-          ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF'
+          ssh $STAGING_USER@$STAGING_HOST << 'EOF'
            mkdir -p ~/manacore-staging
            cd ~/manacore-staging

@ -56,27 +61,33 @@ jobs:
          EOF

      - name: Copy docker-compose file
+        env:
+          STAGING_USER: deploy
+          STAGING_HOST: 46.224.108.214
        run: |
-          scp docker-compose.staging.yml ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }}:~/manacore-staging/docker-compose.yml
+          scp docker-compose.staging.yml $STAGING_USER@$STAGING_HOST:~/manacore-staging/docker-compose.yml

      - name: Copy environment file
+        env:
+          STAGING_USER: deploy
+          STAGING_HOST: 46.224.108.214
        run: |
-          # Create staging env file from secrets
+          # Create staging env file (mix of hardcoded config and secrets)
          cat > .env.staging << EOF
-          # Database
-          POSTGRES_HOST=${{ secrets.STAGING_POSTGRES_HOST }}
-          POSTGRES_PORT=${{ secrets.STAGING_POSTGRES_PORT }}
-          POSTGRES_DB=${{ secrets.STAGING_POSTGRES_DB }}
-          POSTGRES_USER=${{ secrets.STAGING_POSTGRES_USER }}
+          # Database - Configuration
+          POSTGRES_HOST=postgres
+          POSTGRES_PORT=5432
+          POSTGRES_DB=manacore
+          POSTGRES_USER=postgres
          POSTGRES_PASSWORD=${{ secrets.STAGING_POSTGRES_PASSWORD }}

-          # Redis
-          REDIS_HOST=${{ secrets.STAGING_REDIS_HOST }}
-          REDIS_PORT=${{ secrets.STAGING_REDIS_PORT }}
+          # Redis - Configuration
+          REDIS_HOST=redis
+          REDIS_PORT=6379
          REDIS_PASSWORD=${{ secrets.STAGING_REDIS_PASSWORD }}

-          # Mana Core Auth
-          MANA_SERVICE_URL=${{ secrets.STAGING_MANA_SERVICE_URL }}
+          # Mana Core Auth - Configuration
+          MANA_SERVICE_URL=http://mana-core-auth:3001
          JWT_SECRET=${{ secrets.STAGING_JWT_SECRET }}
          JWT_PUBLIC_KEY=${{ secrets.STAGING_JWT_PUBLIC_KEY }}
          JWT_PRIVATE_KEY=${{ secrets.STAGING_JWT_PRIVATE_KEY }}
@ -95,28 +106,37 @@ jobs:
          NODE_ENV=staging
          EOF

-          scp .env.staging ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }}:~/manacore-staging/.env
+          scp .env.staging $STAGING_USER@$STAGING_HOST:~/manacore-staging/.env
          rm .env.staging

      - name: Login to GitHub Container Registry on staging server
+        env:
+          STAGING_USER: deploy
+          STAGING_HOST: 46.224.108.214
        run: |
-          ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << EOF
+          ssh $STAGING_USER@$STAGING_HOST << EOF
            # Login to ghcr.io with GitHub token
            echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
          EOF

      - name: Pull latest Docker images
+        env:
+          STAGING_USER: deploy
+          STAGING_HOST: 46.224.108.214
        run: |
-          ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF'
+          ssh $STAGING_USER@$STAGING_HOST << 'EOF'
            cd ~/manacore-staging
            docker compose pull
          EOF

      - name: Deploy services
+        env:
+          STAGING_USER: deploy
+          STAGING_HOST: 46.224.108.214
        run: |
          SERVICE="${{ github.event.inputs.service || 'all' }}"

-          ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << EOF
+          ssh $STAGING_USER@$STAGING_HOST << EOF
            cd ~/manacore-staging

            # Determine which services to deploy
@ -137,8 +157,11 @@ jobs:
          EOF

      - name: Run health checks
+        env:
+          STAGING_USER: deploy
+          STAGING_HOST: 46.224.108.214
        run: |
-          ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF'
+          ssh $STAGING_USER@$STAGING_HOST << 'EOF'
            cd ~/manacore-staging

            # Wait for services to fully start
@ -189,9 +212,12 @@ jobs:
          EOF

      - name: Run database migrations
+        env:
+          STAGING_USER: deploy
+          STAGING_HOST: 46.224.108.214
        run: |
          # Run migrations for services that need them
-          ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF'
+          ssh $STAGING_USER@$STAGING_HOST << 'EOF'
            cd ~/manacore-staging

            # Mana Core Auth migrations
--- a/scripts/generate-staging-secrets.sh
+++ b/scripts/generate-staging-secrets.sh
@ -0,0 +1,124 @@
+#!/bin/bash
+
+# Generate Staging Secrets for GitHub
+# Run this script and copy the output to GitHub Secrets
+
+set -e
+
+echo "================================================"
+echo "  STAGING SECRETS GENERATOR"
+echo "================================================"
+echo ""
+echo "Copy each value below to GitHub Settings → Secrets and variables → Actions"
+echo ""
+echo "Note: Configuration values (host, ports, etc.) are now hardcoded in the workflow"
+echo "Only sensitive values (passwords, keys) need to be added as secrets"
+echo ""
+echo "================================================"
+echo ""
+
+# Generate secure random passwords
+POSTGRES_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
+REDIS_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
+JWT_SECRET=$(openssl rand -base64 64 | tr -d "=+/" | cut -c1-64)
+
+# Generate Ed25519 key pair for JWT
+TEMP_KEY_DIR=$(mktemp -d)
+ssh-keygen -t ed25519 -f "$TEMP_KEY_DIR/jwt_key" -N "" -C "manacore-staging-jwt" > /dev/null 2>&1
+
+# Convert SSH keys to raw format for JWT
+PRIVATE_KEY=$(cat "$TEMP_KEY_DIR/jwt_key" | grep -v "BEGIN" | grep -v "END" | tr -d '\n')
+PUBLIC_KEY=$(ssh-keygen -e -m PKCS8 -f "$TEMP_KEY_DIR/jwt_key.pub" 2>/dev/null | grep -v "BEGIN" | grep -v "END" | tr -d '\n' || cat "$TEMP_KEY_DIR/jwt_key.pub" | awk '{print $2}')
+
+# Clean up temp files
+rm -rf "$TEMP_KEY_DIR"
+
+# Output all secrets in GitHub format
+echo "# ============================================"
+echo "# DATABASE SECRETS (2 secrets)"
+echo "# ============================================"
+echo ""
+echo "STAGING_POSTGRES_PASSWORD"
+echo "$POSTGRES_PASSWORD"
+echo ""
+
+echo "# ============================================"
+echo "# REDIS SECRETS (1 secret)"
+echo "# ============================================"
+echo ""
+echo "STAGING_REDIS_PASSWORD"
+echo "$REDIS_PASSWORD"
+echo ""
+
+echo "# ============================================"
+echo "# MANA CORE AUTH SECRETS (3 secrets)"
+echo "# ============================================"
+echo ""
+echo "STAGING_JWT_SECRET"
+echo "$JWT_SECRET"
+echo ""
+echo "STAGING_JWT_PUBLIC_KEY"
+echo "$PUBLIC_KEY"
+echo ""
+echo "STAGING_JWT_PRIVATE_KEY"
+echo "$PRIVATE_KEY"
+echo ""
+
+echo "# ============================================"
+echo "# SUPABASE SECRETS (Fill these manually - 3 secrets)"
+echo "# ============================================"
+echo ""
+echo "STAGING_SUPABASE_URL"
+echo "https://YOUR_PROJECT.supabase.co"
+echo ""
+echo "STAGING_SUPABASE_ANON_KEY"
+echo "YOUR_SUPABASE_ANON_KEY_HERE"
+echo ""
+echo "STAGING_SUPABASE_SERVICE_ROLE_KEY"
+echo "YOUR_SUPABASE_SERVICE_ROLE_KEY_HERE"
+echo ""
+
+echo "# ============================================"
+echo "# AZURE OPENAI SECRETS (Fill these manually - 2 secrets)"
+echo "# ============================================"
+echo ""
+echo "STAGING_AZURE_OPENAI_ENDPOINT"
+echo "https://YOUR_RESOURCE.openai.azure.com/"
+echo ""
+echo "STAGING_AZURE_OPENAI_API_KEY"
+echo "YOUR_AZURE_OPENAI_API_KEY_HERE"
+echo ""
+
+echo "# ============================================"
+echo "# SSH DEPLOYMENT SECRETS (Fill these manually - 1 secret)"
+echo "# ============================================"
+echo ""
+echo "STAGING_SSH_KEY"
+echo "Run: cat ~/.ssh/hetzner_deploy_key"
+echo "(Copy the ENTIRE output including -----BEGIN and -----END lines)"
+echo ""
+
+echo "================================================"
+echo "  SUMMARY"
+echo "================================================"
+echo ""
+echo "Total secrets to add: 12"
+echo "  - Auto-generated: 6 (passwords, JWT keys)"
+echo "  - Manual: 6 (Supabase, Azure, SSH key)"
+echo ""
+echo "The following are now HARDCODED in the workflow:"
+echo "  - POSTGRES_HOST, POSTGRES_PORT, POSTGRES_DB, POSTGRES_USER"
+echo "  - REDIS_HOST, REDIS_PORT"
+echo "  - MANA_SERVICE_URL"
+echo "  - STAGING_HOST (46.224.108.214)"
+echo "  - STAGING_USER (deploy)"
+echo ""
+echo "================================================"
+echo ""
+echo "Next steps:"
+echo "1. Go to: https://github.com/YOUR_ORG/manacore-monorepo/settings/secrets/actions"
+echo "2. Click 'New repository secret' for each value above"
+echo "3. Copy the secret name (e.g., STAGING_POSTGRES_PASSWORD)"
+echo "4. Copy the secret value (the line below the name)"
+echo "5. Fill in Supabase, Azure, and SSH key values manually"
+echo ""
--- a/scripts/get-ssh-key.sh
+++ b/scripts/get-ssh-key.sh
@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Get SSH Private Key Content for GitHub Secret
+
+echo "================================================"
+echo "  SSH PRIVATE KEY FOR STAGING_SSH_KEY"
+echo "================================================"
+echo ""
+echo "Copy the ENTIRE output below (including BEGIN and END lines):"
+echo ""
+echo "================================================"
+
+cat ~/.ssh/hetzner_deploy_key
+
+echo "================================================"
+echo ""
+echo "This is the value for: STAGING_SSH_KEY"
+echo ""