fix: production deployment — Docker, Nomad, Consul KV, SHA tags

- Dockerfile: multi-stage build, non-root user, src/static tracked with .gitkeep - Nomad job: force_pull=true, Traefik router fixed to tink-demo.i80.dk, loadbalancer.server.port=8000, job renamed from moneycapp-tink-demo - CI/CD: git SHA image tags (deterministic deploys), removed .env.production baking — secrets injected at runtime via Consul KV template stanza - Session security: asyncio lock prevents duplicate code exchange on callback, guard for already-stored token, api_log moved server-side (cookie overflow fix) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-23 02:08:27 +02:00
parent ab591be464
commit bf61790465
6 changed files with 90 additions and 55 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -7,7 +7,7 @@ on:

 env:
  SERVICE_NAME: moneycapp-tink-demo
-  IMAGE: registry.i80.dk/gitea/moneycapp-tink-demo
+  IMAGE: registry.i80.dk/gitea/tink-demo

 jobs:
  deploy:
@@ -25,28 +25,19 @@ jobs:
        run: |
          echo "${{ secrets.HARBOR_ROBOT_TOKEN }}" | docker login registry.i80.dk -u "robot\$gitserver" --password-stdin

-      - name: Write production env
-        run: |
-          cat > .env.production << 'ENVEOF'
-          TINK_CLIENT_ID=${{ secrets.TINK_CLIENT_ID }}
-          TINK_CLIENT_SECRET=${{ secrets.TINK_CLIENT_SECRET }}
-          TINK_REDIRECT_URI=https://tink-demo.i80.dk/callback
-          APP_BASE_URL=https://tink-demo.i80.dk
-          DEMO_MODE=false
-          ENVEOF
-          # Strip leading spaces
-          sed -i 's/^[[:space:]]*//' .env.production
-
      - name: Build and push image
        run: |
-          docker build -t ${IMAGE}:latest .
+          SHA=$(echo "$GITHUB_SHA" | cut -c1-8)
+          docker build -t ${IMAGE}:${SHA} -t ${IMAGE}:latest .
+          docker push ${IMAGE}:${SHA}
          docker push ${IMAGE}:latest
+          echo "IMAGE_TAG=${SHA}" >> $GITHUB_ENV

      - name: Validate Nomad job
-        run: nomad job validate ${SERVICE_NAME}.nomad
+        run: sed "s|:latest|:${IMAGE_TAG}|g" ${SERVICE_NAME}.nomad | nomad job validate -

      - name: Deploy to Nomad
-        run: nomad job run ${SERVICE_NAME}.nomad
+        run: sed "s|:latest|:${IMAGE_TAG}|g" ${SERVICE_NAME}.nomad | nomad job run -

      - name: Health check
        run: |