
Commit a8e7ebf

baijum and claude committed
fix: inject per-app credentials into deploy/.env during deploy
The deploy workflow sourced per-app credentials but never wrote them into deploy/.env, so the container never received them. Now sed patches DATABASE_URL, S3_ACCESS_KEY, S3_SECRET_KEY, and S3_BUCKET after sourcing the credentials file. Also updates env.template to reflect per-app pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 264e3b0 commit a8e7ebf

2 files changed

Lines changed: 24 additions & 4 deletions

File tree

.github/workflows/deploy.yml

Lines changed: 19 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -44,6 +44,25 @@ jobs:
4444
|| docker compose -f /opt/platform/docker-compose.yml exec -T postgres \
4545
psql -U postgres -c "CREATE DATABASE ${APP_DB}"
4646
47+
# Source per-app credentials and update deploy/.env if available
48+
CREDENTIALS_FILE="/opt/platform/credentials/${APP_NAME}.env"
49+
if [ -f "$CREDENTIALS_FILE" ]; then
50+
echo "Using per-app credentials from $CREDENTIALS_FILE"
51+
source "$CREDENTIALS_FILE"
52+
# Update DATABASE_URL with per-app user credentials
53+
sed -i "s|^DATABASE_URL=.*|DATABASE_URL=postgresql://${DB_USER}:${DB_PASSWORD}@postgres:5432/${APP_DB}|" deploy/.env
54+
# Update S3 credentials with per-app MinIO user
55+
sed -i "s|^S3_ACCESS_KEY=.*|S3_ACCESS_KEY=${S3_ACCESS_KEY}|" deploy/.env
56+
sed -i "s|^S3_SECRET_KEY=.*|S3_SECRET_KEY=${S3_SECRET_KEY}|" deploy/.env
57+
# Update S3 bucket name
58+
sed -i "s|^S3_BUCKET=.*|S3_BUCKET=${APP_NAME}-uploads|" deploy/.env
59+
echo "deploy/.env updated with per-app credentials"
60+
else
61+
echo "WARNING: Per-app credentials not found at $CREDENTIALS_FILE"
62+
echo "Run create-app-credentials.sh ${APP_NAME} for isolated credentials."
63+
echo "Falling back to existing deploy/.env credentials."
64+
fi
65+
4766
# Build and start app containers (project name = app name for predictable container names)
4867
docker compose -p ${APP_NAME} -f deploy/docker-compose.yml up -d --build
4968
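Review bot: the `sed -i` calls right after `source "$CREDENTIALS_FILE"` interpolate the sourced secrets straight into the `s|...|...|` expression, so a DB_PASSWORD, S3_ACCESS_KEY or S3_SECRET_KEY that contains `|`, `&` or `\` either breaks the sed command or is silently rewritten (`&` expands to the matched text), and the DATABASE_URL value additionally needs the password percent-encoded because `@`, `/`, `:` and `#` are URL delimiters. Unless create-app-credentials.sh guarantees a safe alphabet, avoid sed here and rebuild the lines instead, e.g. `grep -v '^DATABASE_URL=' deploy/.env > deploy/.env.tmp` followed by `printf 'DATABASE_URL=%s\n' "$DATABASE_URL" >> deploy/.env.tmp`, so the value is never parsed as a sed pattern. Two related points: `s|^KEY=.*|...|` is a no-op when deploy/.env has no such line, so the "deploy/.env updated with per-app credentials" message can be printed with nothing changed (guard each key with `grep -q '^KEY=' deploy/.env` or append when missing); and the `else` branch continues the deploy with whatever credentials are already in deploy/.env after only a WARNING, which quietly undoes the isolation this commit is adding, so it should `exit 1` or at least require an explicit opt-in to fall back. Since `source` executes the credentials file as shell, its ownership and mode on the host also need to be restricted to the deploy user.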

deploy/env.template

Lines changed: 5 additions & 4 deletions
@@ -1,10 +1,11 @@
11
# Copy this file to .env and fill in real values before first deploy.
2-
# Credentials come from /opt/platform/.env on the server.
2+
# Per-app credentials are generated by create-app-credentials.sh on the server.
3+
# See /opt/platform/credentials/<app-name>.env for generated values.
34

45
APP_DOMAIN=app.example.com
5-
DATABASE_URL=postgresql://postgres:<password>@postgres:5432/<app_name>_db
6+
DATABASE_URL=postgresql://<app_name>_user:<app_password>@postgres:5432/<app_name>_db
67
REDIS_URL=redis://redis:6379
78
S3_ENDPOINT=http://minio:9000
89
S3_BUCKET=<app_name>-uploads
9-
S3_ACCESS_KEY=<minio_root_user>
10-
S3_SECRET_KEY=<minio_root_password>
10+
S3_ACCESS_KEY=<app-name>-user
11+
S3_SECRET_KEY=<app_s3_password>
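Review bot: the new placeholders mix two naming conventions: DATABASE_URL uses `<app_name>_user` and `<app_name>_db` and S3_BUCKET uses `<app_name>-uploads`, while S3_ACCESS_KEY now reads `<app-name>-user`; pick one form so a reader does not have to guess whether the MinIO user name carries a hyphen or an underscore. More importantly, the deploy.yml change in this same commit overwrites DATABASE_URL, S3_ACCESS_KEY, S3_SECRET_KEY and S3_BUCKET from /opt/platform/credentials/<app-name>.env at deploy time, so the header's "fill in real values before first deploy" is misleading for those four keys; the comment should say they are generated by create-app-credentials.sh and rewritten on every deploy, and that only APP_DOMAIN, REDIS_URL and S3_ENDPOINT are meant to be hand-edited. Note also that S3_BUCKET is derived from APP_NAME in deploy.yml (`${APP_NAME}-uploads`) rather than read from the credentials file, so the `<app_name>-uploads` convention in this template has to be kept in sync with whatever bucket the credentials script actually creates; nothing in the workflow checks that.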
