From 76dabef23d9e834ba1aa169b3d53d8f6223d6fb2 Mon Sep 17 00:00:00 2001
From: enricobuehler <buehler@unom.io>
Date: Sat, 6 Jun 2026 13:47:42 +0200
Subject: [PATCH] ci(deploy): self-install on a blank host via clone-if-absent
 [skip ci]

Mirror played/workflows build-deploy-game.yml so a freshly provisioned
unom-1 box self-installs the website repo on first deploy instead of
failing on a missing ~/unom-website checkout.

Before `cd ~/unom-website` the remote ssh script now:
  - installs git if absent (deploy user has NOPASSWD sudo)
  - clones the repo if ~/unom-website/.git is missing, reusing the
    existing REGISTRY_USER / REGISTRY_TOKEN secrets

Registry creds are passed into the remote shell via appleboy/ssh-action
`envs:` and consumed from the environment (docker login now uses
--password-stdin), so the token is never interpolated into the script
text / run log / process args.

Refs task #27.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/deploy.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 74bb52b..1c3437b 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -74,13 +74,27 @@ jobs:
     steps:
       - name: Pull and start web
         uses: appleboy/ssh-action@v1.2.5
+        env:
+          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
         with:
           host: ${{ secrets.DEPLOY_HOST }}
           username: ${{ secrets.DEPLOY_USER }}
           port: ${{ secrets.DEPLOY_PORT }}
           key: ${{ secrets.DEPLOY_SSH_KEY }}
+          # Pass the registry creds into the remote shell's environment so the
+          # `docker login`, the clone-if-absent, and the git pull below can all
+          # reuse them WITHOUT ever interpolating the token into the script text
+          # (which would land it in the run log / process args).
+          envs: REGISTRY_USER,REGISTRY_TOKEN
           script: |
-            docker login git.unom.io -u ${{ secrets.REGISTRY_USER }} -p ${{ secrets.REGISTRY_TOKEN }}
+            set -euo pipefail
+            printf '%s' "$REGISTRY_TOKEN" | docker login git.unom.io -u "$REGISTRY_USER" --password-stdin
+            # Self-install on a blank host: make sure git exists, then clone the
+            # repo if it isn't already checked out (mirrors played/workflows
+            # build-deploy-game.yml). The deploy user has NOPASSWD sudo.
+            command -v git >/dev/null 2>&1 || { sudo apt-get update -qq && sudo apt-get install -y git; }
+            [ -d "$HOME/unom-website/.git" ] || git clone "https://${REGISTRY_USER}:${REGISTRY_TOKEN}@git.unom.io/unom/website.git" "$HOME/unom-website"
             cd ~/unom-website
             git fetch origin main
             git reset --hard origin/main