diff --git a/.github/workflows/cd-staging.yml b/.github/workflows/cd-staging.yml index a6b5b4282..ada01d7a8 100644 --- a/.github/workflows/cd-staging.yml +++ b/.github/workflows/cd-staging.yml @@ -39,13 +39,18 @@ jobs: ssh-private-key: ${{ secrets.STAGING_SSH_KEY }} - name: Add staging server to known hosts + env: + STAGING_HOST: 46.224.108.214 run: | mkdir -p ~/.ssh - ssh-keyscan -H ${{ secrets.STAGING_HOST }} >> ~/.ssh/known_hosts + ssh-keyscan -H $STAGING_HOST >> ~/.ssh/known_hosts - name: Prepare deployment directory + env: + STAGING_USER: deploy + STAGING_HOST: 46.224.108.214 run: | - ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF' + ssh $STAGING_USER@$STAGING_HOST << 'EOF' mkdir -p ~/manacore-staging cd ~/manacore-staging 
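Review bot: With the host now a fixed value committed in the workflow, the "Add staging server to known hosts" step still trusts whatever `ssh-keyscan -H $STAGING_HOST` returns at run time, so every deploy is a fresh trust-on-first-use and a substituted host key would be accepted silently. Since the address no longer changes, pin the host's public key instead: carry it in the step's `env:` (e.g. `STAGING_HOST_KEY: ${{ vars.STAGING_HOST_KEY }}`, name is a placeholder) and replace the keyscan line with `echo "$STAGING_HOST_KEY" >> ~/.ssh/known_hosts`. The same `STAGING_USER`/`STAGING_HOST` pair is repeated in every step's `env:` here and in the following hunks; unless a job-level `env:` block already exists above this hunk, setting them once at job level removes the duplication. The enclosing job definition starts outside this hunk.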
@@ -56,27 +61,33 @@ jobs: EOF - name: Copy docker-compose file + env: + STAGING_USER: deploy + STAGING_HOST: 46.224.108.214 run: | - scp docker-compose.staging.yml ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }}:~/manacore-staging/docker-compose.yml + scp docker-compose.staging.yml $STAGING_USER@$STAGING_HOST:~/manacore-staging/docker-compose.yml - name: Copy environment file + env: + STAGING_USER: deploy + STAGING_HOST: 46.224.108.214 run: | - # Create staging env file from secrets + # Create staging env file (mix of hardcoded config and secrets) cat > .env.staging << EOF - # Database - POSTGRES_HOST=${{ secrets.STAGING_POSTGRES_HOST }} - POSTGRES_PORT=${{ secrets.STAGING_POSTGRES_PORT }} - POSTGRES_DB=${{ secrets.STAGING_POSTGRES_DB }} - POSTGRES_USER=${{ secrets.STAGING_POSTGRES_USER }} + # Database - Configuration + POSTGRES_HOST=postgres + POSTGRES_PORT=5432 + POSTGRES_DB=manacore + POSTGRES_USER=postgres POSTGRES_PASSWORD=${{ secrets.STAGING_POSTGRES_PASSWORD }} - # Redis - REDIS_HOST=${{ secrets.STAGING_REDIS_HOST }} - REDIS_PORT=${{ secrets.STAGING_REDIS_PORT }} + # Redis - Configuration + REDIS_HOST=redis + REDIS_PORT=6379 REDIS_PASSWORD=${{ secrets.STAGING_REDIS_PASSWORD }} - # Mana Core Auth - MANA_SERVICE_URL=${{ secrets.STAGING_MANA_SERVICE_URL }} + # Mana Core Auth - Configuration + MANA_SERVICE_URL=http://mana-core-auth:3001 JWT_SECRET=${{ secrets.STAGING_JWT_SECRET }} JWT_PUBLIC_KEY=${{ secrets.STAGING_JWT_PUBLIC_KEY }} JWT_PRIVATE_KEY=${{ secrets.STAGING_JWT_PRIVATE_KEY }} 
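Review bot: The `.env.staging` heredoc keeps `<< EOF` unquoted while the `${{ secrets.* }}` expressions are spliced directly into the script text, so the runner substitutes each secret before bash parses the heredoc and a value containing `$`, a backtick or a double quote is re-interpreted by the shell; the generated passwords strip such characters, but the manually supplied values are not filtered. Move the secrets into the step's `env:` block the hunk already introduces, e.g. `STAGING_POSTGRES_PASSWORD: ${{ secrets.STAGING_POSTGRES_PASSWORD }}`, and write `POSTGRES_PASSWORD=$STAGING_POSTGRES_PASSWORD` in the heredoc, since variable expansion inside a heredoc inserts the value literally without a second parse. The hardcoded `POSTGRES_HOST=postgres` and `REDIS_HOST=redis` are presumably compose service names; a one-line comment saying so would save the next reader a lookup. The heredoc continues in the next hunk.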
@@ -95,28 +106,37 @@ jobs: NODE_ENV=staging EOF - scp .env.staging ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }}:~/manacore-staging/.env + scp .env.staging $STAGING_USER@$STAGING_HOST:~/manacore-staging/.env rm .env.staging - name: Login to GitHub Container Registry on staging server + env: + STAGING_USER: deploy + STAGING_HOST: 46.224.108.214 run: | - ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << EOF + ssh $STAGING_USER@$STAGING_HOST << EOF # Login to ghcr.io with GitHub token echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin EOF - name: Pull latest Docker images + env: + STAGING_USER: deploy + STAGING_HOST: 46.224.108.214 run: | - ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF' + ssh $STAGING_USER@$STAGING_HOST << 'EOF' cd ~/manacore-staging docker compose pull EOF - name: Deploy services + env: + STAGING_USER: deploy + STAGING_HOST: 46.224.108.214 run: | SERVICE="${{ github.event.inputs.service || 'all' }}" - ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << EOF + ssh $STAGING_USER@$STAGING_HOST << EOF cd ~/manacore-staging # Determine which services to deploy @@ -137,8 +157,11 @@ jobs: EOF - name: Run health checks + env: + STAGING_USER: deploy + STAGING_HOST: 46.224.108.214 run: | - ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF' + ssh $STAGING_USER@$STAGING_HOST << 'EOF' cd ~/manacore-staging # Wait for services to fully start @@ -189,9 +212,12 @@ jobs: EOF - name: Run database migrations + env: + STAGING_USER: deploy + STAGING_HOST: 46.224.108.214 run: | # Run migrations for services that need them - ssh ${{ secrets.STAGING_USER }}@${{ secrets.STAGING_HOST }} << 'EOF' + ssh $STAGING_USER@$STAGING_HOST << 'EOF' cd ~/manacore-staging # Mana Core Auth migrations diff --git a/scripts/generate-staging-secrets.sh b/scripts/generate-staging-secrets.sh new file mode 100755 index 000000000..3e438a881 --- /dev/null 
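Review bot: `SERVICE="${{ github.event.inputs.service || 'all' }}"` in the "Deploy services" step splices a workflow_dispatch input straight into the shell script, which is the script-injection pattern GitHub warns about; pass it through `env:` as `SERVICE_INPUT: ${{ github.event.inputs.service }}` and use `SERVICE="${SERVICE_INPUT:-all}"`. In the GHCR login step the token is likewise expanded into the command text that is sent to the remote shell; feeding it over stdin, `printf '%s' "$GHCR_TOKEN" | ssh $STAGING_USER@$STAGING_HOST 'docker login ghcr.io -u "$USER_NAME" --password-stdin'` with both values in `env:`, keeps it out of any command line or remote shell trace. The two later hunks on this line (health checks, migrations) only repeat the per-step `STAGING_USER`/`STAGING_HOST` duplication already noted on the first hunk. The body of the deploy heredoc continues outside this hunk.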
+++ b/scripts/generate-staging-secrets.sh 
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+# Generate Staging Secrets for GitHub
+# Run this script and copy the output to GitHub Secrets
+
+set -e
+
+echo "================================================"
+echo " STAGING SECRETS GENERATOR"
+echo "================================================"
+echo ""
+echo "Copy each value below to GitHub Settings → Secrets and variables → Actions"
+echo ""
+echo "Note: Configuration values (host, ports, etc.) are now hardcoded in the workflow"
+echo "Only sensitive values (passwords, keys) need to be added as secrets"
+echo ""
+echo "================================================"
+echo ""
+
+# Generate secure random passwords
+POSTGRES_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
+REDIS_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
+JWT_SECRET=$(openssl rand -base64 64 | tr -d "=+/" | cut -c1-64)
+
+# Generate Ed25519 key pair for JWT
+TEMP_KEY_DIR=$(mktemp -d)
+ssh-keygen -t ed25519 -f "$TEMP_KEY_DIR/jwt_key" -N "" -C "manacore-staging-jwt" > /dev/null 2>&1
+
+# Convert SSH keys to raw format for JWT
+PRIVATE_KEY=$(cat "$TEMP_KEY_DIR/jwt_key" | grep -v "BEGIN" | grep -v "END" | tr -d '\n')
+PUBLIC_KEY=$(ssh-keygen -e -m PKCS8 -f "$TEMP_KEY_DIR/jwt_key.pub" 2>/dev/null | grep -v "BEGIN" | grep -v "END" | tr -d '\n' || cat "$TEMP_KEY_DIR/jwt_key.pub" | awk '{print $2}')
+
+# Clean up temp files
+rm -rf "$TEMP_KEY_DIR"
+
+# Output all secrets in GitHub format
+echo "# ============================================"
+echo "# DATABASE SECRETS (2 secrets)"
+echo "# ============================================"
+echo ""
+echo "STAGING_POSTGRES_PASSWORD"
+echo "$POSTGRES_PASSWORD"
+echo ""
+
+echo "# ============================================"
+echo "# REDIS SECRETS (1 secret)"
+echo "# ============================================"
+echo ""
+echo "STAGING_REDIS_PASSWORD"
+echo "$REDIS_PASSWORD"
+echo ""
+
+echo "# ============================================"
+echo "# MANA CORE AUTH SECRETS (3 secrets)"
+echo "# ============================================"
+echo ""
+echo "STAGING_JWT_SECRET"
+echo "$JWT_SECRET"
+echo ""
+echo "STAGING_JWT_PUBLIC_KEY"
+echo "$PUBLIC_KEY"
+echo ""
+echo "STAGING_JWT_PRIVATE_KEY"
+echo "$PRIVATE_KEY"
+echo ""
+
+echo "# ============================================"
+echo "# SUPABASE SECRETS (Fill these manually - 3 secrets)"
+echo "# ============================================"
+echo ""
+echo "STAGING_SUPABASE_URL"
+echo "https://YOUR_PROJECT.supabase.co"
+echo ""
+echo "STAGING_SUPABASE_ANON_KEY"
+echo "YOUR_SUPABASE_ANON_KEY_HERE"
+echo ""
+echo "STAGING_SUPABASE_SERVICE_ROLE_KEY"
+echo "YOUR_SUPABASE_SERVICE_ROLE_KEY_HERE"
+echo ""
+
+echo "# ============================================"
+echo "# AZURE OPENAI SECRETS (Fill these manually - 2 secrets)"
+echo "# ============================================"
+echo ""
+echo "STAGING_AZURE_OPENAI_ENDPOINT"
+echo "https://YOUR_RESOURCE.openai.azure.com/"
+echo ""
+echo "STAGING_AZURE_OPENAI_API_KEY"
+echo "YOUR_AZURE_OPENAI_API_KEY_HERE"
+echo ""
+
+echo "# ============================================"
+echo "# SSH DEPLOYMENT SECRETS (Fill these manually - 1 secret)"
+echo "# ============================================"
+echo ""
+echo "STAGING_SSH_KEY"
+echo "Run: cat ~/.ssh/hetzner_deploy_key"
+echo "(Copy the ENTIRE output including -----BEGIN and -----END lines)"
+echo ""
+
+echo "================================================"
+echo " SUMMARY"
+echo "================================================"
+echo ""
+echo "Total secrets to add: 12"
+echo " - Auto-generated: 6 (passwords, JWT keys)"
+echo " - Manual: 6 (Supabase, Azure, SSH key)"
+echo ""
+echo "The following are now HARDCODED in the workflow:"
+echo " - POSTGRES_HOST, POSTGRES_PORT, POSTGRES_DB, POSTGRES_USER"
+echo " - REDIS_HOST, REDIS_PORT"
+echo " - MANA_SERVICE_URL"
+echo " - STAGING_HOST (46.224.108.214)"
+echo " - STAGING_USER (deploy)"
+echo ""
+echo "================================================"
+echo ""
+echo "Next steps:"
+echo "1. Go to: https://github.com/YOUR_ORG/manacore-monorepo/settings/secrets/actions"
+echo "2. Click 'New repository secret' for each value above"
+echo "3. Copy the secret name (e.g., STAGING_POSTGRES_PASSWORD)"
+echo "4. Copy the secret value (the line below the name)"
+echo "5. Fill in Supabase, Azure, and SSH key values manually"
+echo ""
diff --git a/scripts/get-ssh-key.sh b/scripts/get-ssh-key.sh
new file mode 100755
index 000000000..865f1854f
--- /dev/null
+++ b/scripts/get-ssh-key.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Get SSH Private Key Content for GitHub Secret
+
+echo "================================================"
+echo " SSH PRIVATE KEY FOR STAGING_SSH_KEY"
+echo "================================================"
+echo ""
+echo "Copy the ENTIRE output below (including BEGIN and END lines):"
+echo ""
+echo "================================================"
+
+cat ~/.ssh/hetzner_deploy_key
+
+echo "================================================"
+echo ""
+echo "This is the value for: STAGING_SSH_KEY"
+echo ""
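Review bot: The `|| cat "$TEMP_KEY_DIR/jwt_key.pub" | awk '{print $2}'` fallback on the `PUBLIC_KEY=` line never fires, because without `pipefail` the pipeline's status is that of the final `tr`, which succeeds on empty input; if `ssh-keygen -e -m PKCS8` is unsupported for this key type, PUBLIC_KEY is silently empty and `set -e` does not notice. The fallback would also have produced a different encoding (the bare OpenSSH public-key blob rather than the PKCS8/SPKI body), so the two branches were never interchangeable and the script should fail rather than fall through. The unencrypted key pair under `mktemp -d` is only removed by the plain `rm -rf`, so any earlier failure under `set -e` leaves it on disk; an EXIT trap covers that case. Separately, PRIVATE_KEY is the body of an OpenSSH-format private key while PUBLIC_KEY is PKCS8/SPKI, and whether the JWT consumer accepts that mix cannot be told from here — confirm against the service that reads STAGING_JWT_PRIVATE_KEY, and consider emitting the values to a mode-0600 file rather than the terminal.
```shell
set -euo pipefail

# … unchanged: banner output and password generation …

TEMP_KEY_DIR=$(mktemp -d)
# Remove the unencrypted key material even if a later command fails under set -e.
trap 'rm -rf "$TEMP_KEY_DIR"' EXIT
ssh-keygen -t ed25519 -f "$TEMP_KEY_DIR/jwt_key" -N "" -C "manacore-staging-jwt" > /dev/null 2>&1

# Convert SSH keys to raw format for JWT
PRIVATE_KEY=$(grep -v "BEGIN" "$TEMP_KEY_DIR/jwt_key" | grep -v "END" | tr -d '\n')
# Fail loudly instead of falling back to a different key encoding; with pipefail
# an ssh-keygen error now aborts the script instead of yielding an empty value.
PUBLIC_KEY=$(ssh-keygen -e -m PKCS8 -f "$TEMP_KEY_DIR/jwt_key.pub" | grep -v "BEGIN" | grep -v "END" | tr -d '\n')

# … unchanged: secret output and summary …
```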
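Review bot: `cat ~/.ssh/hetzner_deploy_key` writes the private key to the terminal, where it remains in scrollback and in any session recording, and nothing checks that the file exists before the banner promises a value below it. If the gh CLI is available, `gh secret set STAGING_SSH_KEY < ~/.ssh/hetzner_deploy_key` uploads the key without ever displaying it; otherwise at least guard with `[ -r ~/.ssh/hetzner_deploy_key ] || { echo "deploy key not found" >&2; exit 1; }`. The script also has no `set -e`, so a missing file still prints the closing "This is the value for: STAGING_SSH_KEY" as if it had succeeded.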