From 73b178fa2cef46fd44231eb406174b59f8683c47 Mon Sep 17 00:00:00 2001 From: Frank John Begornia Date: Tue, 16 Dec 2025 14:24:11 +0800 Subject: [PATCH] Enhance deployment workflow by adding SSH setup and secret validation checks for improved security and reliability --- .gitea/workflows/deploy-dev.yml | 45 ++++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 12 deletions(-) diff --git a/.gitea/workflows/deploy-dev.yml b/.gitea/workflows/deploy-dev.yml index b39517c..5ea9f71 100644 --- a/.gitea/workflows/deploy-dev.yml +++ b/.gitea/workflows/deploy-dev.yml @@ -28,6 +28,7 @@ jobs: docker build -t merchbay_admin:dev . docker save merchbay_admin:dev | gzip > merchbay_admin_dev.tar.gz + # ๐Ÿ” SAFE SECRET DEBUG (TEMPORARY โ€“ REMOVE LATER) - name: Debug secrets (safe) shell: sh run: | 
@@ -35,32 +36,52 @@ jobs: if [ -z "${DEPLOY_SSH_KEY}" ]; then echo "โŒ DEPLOY_SSH_KEY is EMPTY or NOT SET" + exit 1 else echo "โœ… DEPLOY_SSH_KEY is SET" echo "Length: ${#DEPLOY_SSH_KEY}" - echo "First line:" echo "${DEPLOY_SSH_KEY}" | head -n 1 - echo "Last line:" echo "${DEPLOY_SSH_KEY}" | tail -n 1 fi - if [ -z "${DEPLOY_USER}" ]; then - echo "โŒ DEPLOY_USER is EMPTY" - else - echo "โœ… DEPLOY_USER = ${DEPLOY_USER}" - fi + [ -z "${DEPLOY_USER}" ] && echo "โŒ DEPLOY_USER EMPTY" && exit 1 + [ -z "${DEPLOY_HOST}" ] && echo "โŒ DEPLOY_HOST EMPTY" && exit 1 - if [ -z "${DEPLOY_HOST}" ]; then - echo "โŒ DEPLOY_HOST is EMPTY" - else - echo "โœ… DEPLOY_HOST = ${DEPLOY_HOST}" - fi + echo "DEPLOY_USER=${DEPLOY_USER}" + echo "DEPLOY_HOST=${DEPLOY_HOST}" env: DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} DEPLOY_USER: ${{ secrets.DEPLOY_USER }} DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} + # ๐Ÿ” REQUIRED STEP (THIS WAS MISSING) + - name: Setup SSH + shell: sh + run: | + mkdir -p ~/.ssh + chmod 700 ~/.ssh + echo "${DEPLOY_SSH_KEY}" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + + ssh-keyscan -H ${DEPLOY_HOST} >> ~/.ssh/known_hosts + + echo "SSH files:" + ls -l ~/.ssh + env: + DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }} + DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} + + # ๐Ÿงช OPTIONAL BUT HIGHLY RECOMMENDED (run once) + - name: SSH sanity check + shell: sh + run: | + ssh -i ~/.ssh/id_ed25519 ${DEPLOY_USER}@${DEPLOY_HOST} "whoami" + env: + DEPLOY_USER: ${{ secrets.DEPLOY_USER }} + DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} + + # ๐Ÿš€ DEPLOY - name: Deploy to Server shell: sh run: |
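Review bot: `ssh-keyscan -H ${DEPLOY_HOST} >> ~/.ssh/known_hosts` in the new Setup SSH step records whatever host key the network answers with at scan time, so the host-key check in the following `ssh` steps verifies nothing and a redirected connection would be handed the deploy key's session. Store the server's public host key as a secret (placeholder name `DEPLOY_HOST_KEY`) and append that to known_hosts instead, and set `umask 077` before writing `~/.ssh/id_ed25519` so the file is never readable by others between the `echo` and the `chmod 600`. The private key is also left in the runner's home directory when the job ends, which matters on a non-ephemeral runner; a closing step with `if: always()` running `rm -f ~/.ssh/id_ed25519` removes it. Separately, the new `echo "DEPLOY_USER=${DEPLOY_USER}"` / `echo "DEPLOY_HOST=${DEPLOY_HOST}"` lines print secret-backed values into the job log; if these are not sensitive they belong in plain configuration variables rather than secrets, and if they are sensitive the echoes should go.
```yaml
        run: |
          umask 077
          mkdir -p ~/.ssh
          echo "${DEPLOY_SSH_KEY}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # pinned public host key of the deploy server, not a live scan
          echo "${DEPLOY_HOST_KEY}" >> ~/.ssh/known_hosts
          # … unchanged: "SSH files:" listing …
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
          DEPLOY_HOST_KEY: ${{ secrets.DEPLOY_HOST_KEY }}  # placeholder: new secret to add
```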