From 7b0cd16064af17154c384566a63a675ecf5bda8b Mon Sep 17 00:00:00 2001 From: Julian Tabel Date: Sat, 21 Mar 2026 12:17:59 +0100 Subject: [PATCH] feat: write production .env from Gitea secrets during deploy Instead of relying on a pre-existing .env file on the server, the deploy workflow now writes POSTGRES_PASSWORD and SUPABASE_JWT_SECRET from Gitea secrets. This keeps all secret management in one place. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/deploy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 415d5f1..c46ab43 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -44,6 +44,12 @@ jobs: SCP_CMD="scp -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key" DEPLOY_DIR="/mnt/user/appdata/nuzlocke-tracker" + # Write .env from secrets (overwrites any existing file) + printf '%s\n' \ + "POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}" \ + "SUPABASE_JWT_SECRET=${{ secrets.SUPABASE_JWT_SECRET }}" \ + | $SSH_CMD "cat > '${DEPLOY_DIR}/.env'" + $SCP_CMD docker-compose.prod.yml "root@192.168.1.10:${DEPLOY_DIR}/docker-compose.yml" $SCP_CMD backup.sh "root@192.168.1.10:${DEPLOY_DIR}/backup.sh" $SSH_CMD "chmod +x '${DEPLOY_DIR}/backup.sh'"
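Review bot: The two `${{ secrets.* }}` expressions in the added `printf` are substituted into the script text before the shell runs, so a secret value containing `"`, `$`, a backtick or a backslash is parsed as shell syntax inside the double quotes instead of being written verbatim. Passing the secrets through the step's `env:` mapping and referencing them as shell variables avoids that. The remote `cat >` creates `.env` under the login umask, which usually leaves it world-readable, and an already existing file keeps its old mode, so the remote command should also set `umask 077` and `chmod 600`. The secrets now travel over a connection that appears not to verify the host key, judging by `StrictHostKeyChecking=no` on the `SCP_CMD` context line (the `SSH_CMD` definition is outside the hunk), so pinning the server's key in `known_hosts` belongs with this change. The step header and `run:` key are also outside the hunk, so the placement of `env:` below is assumed.

```yaml
        env:
          POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
          SUPABASE_JWT_SECRET: ${{ secrets.SUPABASE_JWT_SECRET }}
        run: |
          # … unchanged: SSH_CMD / SCP_CMD / DEPLOY_DIR setup …
          printf '%s\n' \
            "POSTGRES_PASSWORD=${POSTGRES_PASSWORD}" \
            "SUPABASE_JWT_SECRET=${SUPABASE_JWT_SECRET}" \
            | $SSH_CMD "umask 077 && cat > '${DEPLOY_DIR}/.env' && chmod 600 '${DEPLOY_DIR}/.env'"
          # … unchanged: scp of docker-compose.prod.yml and backup.sh, chmod +x …
```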