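#!/usr/bin/env bash
# Regression check for the image-deploy workflow environment overrides.
#
# Two things are verified:
#   1. Both Gitea deploy workflows declare every override key (as a `KEY:`
#      env entry) and source each credential from the `secrets.*` context
#      while non-secret endpoints come from `vars.*`.
#   2. Building a stage bundle with a fixed set of override variables yields
#      a .env whose lines are exactly `KEY=VALUE` for the overridden keys.
#
# Usage: scripts/<this script>   (no arguments; runs from any cwd)
# Exits 1 with a diagnostic on stderr at the first failed assertion.
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
readonly repo_root
readonly workflows_dir="$repo_root/.gitea/workflows"
readonly staging_workflow="$workflows_dir/staging_image_deploy.yml"
readonly production_workflow="$workflows_dir/production_image_deploy.yml"

# mktemp -d creates a mode-0700 directory, so the generated .env (which holds
# the fixture secret values) is not readable by other local users while the
# check runs; it is removed on every exit path by the trap below.
tmp_root="$(mktemp -d)"
readonly tmp_root

#######################################
# Remove the temporary bundle directory.
# Globals:  tmp_root (read)
#######################################
cleanup() {
  # `:?` aborts instead of expanding to `rm -rf -- ""` if tmp_root is empty.
  rm -rf -- "${tmp_root:?}"
}
trap cleanup EXIT INT TERM

#######################################
# Fail unless FILE exists and contains PATTERN as a literal substring.
# Arguments: $1 - file to search
#            $2 - fixed-string pattern (not a regex)
# Outputs:   diagnostic on stderr when the check fails
# Returns:   0 when found; exits 1 otherwise
#######################################
assert_contains() {
  local file="$1"
  local pattern="$2"
  # Without this guard a missing file is reported as a misleading
  # "missing pattern" (grep exits 2, which `!` turns into success).
  if [[ ! -f "$file" ]]; then
    printf 'file not found: %s\n' "$file" >&2
    exit 1
  fi
  # `--` keeps a pattern that starts with '-' from being parsed as an option.
  if ! grep -Fq -- "$pattern" "$file"; then
    printf 'missing pattern in %s: %s\n' "$file" "$pattern" >&2
    exit 1
  fi
}

#######################################
# Fail unless FILE has a whole line exactly equal to KEY=EXPECTED.
# A quoted or whitespace-padded value does not match (-x is exact-line).
# Arguments: $1 - env file, $2 - key, $3 - expected value
# Outputs:   diagnostic on stderr when the check fails
# Returns:   0 when found; exits 1 otherwise
#######################################
assert_env_value() {
  local file="$1"
  local key="$2"
  local expected="$3"
  if [[ ! -f "$file" ]]; then
    printf 'file not found: %s\n' "$file" >&2
    exit 1
  fi
  if ! grep -Fxq -- "${key}=${expected}" "$file"; then
    printf 'missing env value in %s: %s=%s\n' "$file" "$key" "$expected" >&2
    exit 1
  fi
}

# Override keys every deploy workflow must forward as `KEY:` env entries.
readonly -a override_keys=(
  IMAGE_DEPLOY_BACKEND_LOG_LEVEL
  IMAGE_DEPLOY_CLIENT_LOG_DEBUG
  WORKS_ADMIN_API_BASE_URL
  WORKS_ADMIN_OAUTH_TOKEN_URL
  PROFILE_CACHE_TTL
  NAVER_CLOUD_ACCESS_KEY
  NAVER_CLOUD_SECRET_KEY
  NAVER_CLOUD_SERVICE_ID
  NAVER_SENDER_PHONE_NUMBER
  AWS_REGION
  AWS_ACCESS_KEY_ID
  AWS_SECRET_ACCESS_KEY
  AWS_SES_SENDER
  CORS_ALLOWED_ORIGINS
  OATHKEEPER_API_URL
)

# Expected context references per workflow. The `secrets.` / `vars.` prefix
# is part of the assertion: credentials (SSH key, cloud secret keys, DB
# password) must come from the secrets store, plain URLs from variables.
readonly -a staging_refs=(
  secrets.STG_SSH_PRIVATE_KEY
  vars.STG_USERFRONT_URL
  vars.STG_BACKEND_URL
  vars.STG_WORKS_ADMIN_API_BASE_URL
  secrets.STG_NAVER_CLOUD_SECRET_KEY
  secrets.STG_AWS_SECRET_ACCESS_KEY
  secrets.STG_CLICKHOUSE_PASSWORD
)
readonly -a production_refs=(
  secrets.PROD_SSH_PRIVATE_KEY
  vars.PROD_FRONTEND_URL
  vars.PROD_BACKEND_URL
  vars.PROD_WORKS_ADMIN_API_BASE_URL
  secrets.PROD_NAVER_CLOUD_SECRET_KEY
  secrets.PROD_AWS_SECRET_ACCESS_KEY
  secrets.PROD_CLICKHOUSE_PASSWORD
)

#######################################
# Assert that WORKFLOW declares every key in override_keys.
# Globals:   override_keys (read)
# Arguments: $1 - workflow file
#######################################
check_workflow_keys() {
  local workflow="$1"
  local key
  for key in "${override_keys[@]}"; do
    assert_contains "$workflow" "${key}:"
  done
}

#######################################
# Assert that WORKFLOW contains each of the given context references.
# Arguments: $1 - workflow file; $2.. - literal references to look for
#######################################
check_workflow_refs() {
  local workflow="$1"
  shift
  local ref
  for ref in "$@"; do
    assert_contains "$workflow" "$ref"
  done
}

#######################################
# Build a stage bundle from the repo root with fixture override values.
# All credential values here are constructed test fixtures.
# Globals:   repo_root (read)
# Arguments: $1 - bundle output directory, $2 - bundle archive path
# Outputs:   the bundle script's stdout is discarded
#######################################
build_stage_bundle() {
  local bundle_dir="$1"
  local bundle_file="$2"
  (
    cd "$repo_root"
    IMAGE_TAG=v1.2606.ab12 \
    IMAGE_DEPLOY_ENV=stage \
    IMAGE_DEPLOY_INSTANCE_NAME=stage-test \
    IMAGE_DEPLOY_PORT_PREFIX=19 \
    IMAGE_DEPLOY_PUBLIC_URL=https://sso.example.test \
    IMAGE_DEPLOY_COMPOSE_TEMPLATE=deploy/templates/docker-compose.images.yaml \
    IMAGE_DEPLOY_BUNDLE_DIR="$bundle_dir" \
    IMAGE_DEPLOY_BUNDLE_FILE="$bundle_file" \
    ADMINFRONT_URL=https://sadmin.example.test \
    DEVFRONT_URL=https://sdev.example.test \
    ORGFRONT_URL=https://sorg.example.test \
    VITE_OIDC_AUTHORITY=https://sso.example.test/oidc \
    IMAGE_DEPLOY_DB_PORT=15432 \
    IMAGE_DEPLOY_REDIS_PORT=16379 \
    IMAGE_DEPLOY_CLICKHOUSE_PORT_HTTP=18123 \
    IMAGE_DEPLOY_CLICKHOUSE_PORT_NATIVE=19000 \
    IMAGE_DEPLOY_BACKEND_PORT=13000 \
    IMAGE_DEPLOY_FRONTEND_PORT=15000 \
    ADMINFRONT_PORT=15173 \
    DEVFRONT_PORT=15174 \
    ORGFRONT_PORT=15175 \
    IMAGE_DEPLOY_OATHKEEPER_PROXY_PORT=14455 \
    IMAGE_DEPLOY_DOMAIN_SUFFIX=example.test \
    ADMINFRONT_CALLBACK_URLS=https://sadmin.example.test/auth/callback \
    DEVFRONT_CALLBACK_URLS=https://sdev.example.test/auth/callback \
    ORGFRONT_CALLBACK_URLS=https://sorg.example.test/auth/callback \
    HYDRA_REFRESH_TOKEN_TTL=720h \
    ORY_POSTGRES_USER=ory \
    ORY_POSTGRES_DB=ory \
    KRATOS_DB=ory_kratos \
    HYDRA_DB=ory_hydra \
    KETO_DB=ory_keto \
    KRATOS_VERSION=v26.2.0-distroless \
    HYDRA_VERSION=v26.2.0-distroless \
    KETO_VERSION=v26.2.0-distroless \
    OATHKEEPER_VERSION=v26.2.0 \
    ORY_POSTGRES_TAG=17-trixie \
    OATHKEEPER_UID=1001 \
    OATHKEEPER_GID=1001 \
    OATHKEEPER_INTROSPECT_CLIENT_ID=oathkeeper-introspect \
    ADMIN_EMAIL=admin@example.test \
    HARBOR_HOSTNAME=reg.example.test \
    BACKEND_IMAGE_NAME=reg.example.test/baron_sso/backend \
    USERFRONT_IMAGE_NAME=reg.example.test/baron_sso/userfront \
    ADMINFRONT_IMAGE_NAME=reg.example.test/baron_sso/adminfront \
    DEVFRONT_IMAGE_NAME=reg.example.test/baron_sso/devfront \
    ORGFRONT_IMAGE_NAME=reg.example.test/baron_sso/orgfront \
    IMAGE_DEPLOY_DB_PASSWORD=db-secret \
    IMAGE_DEPLOY_ORY_POSTGRES_PASSWORD=ory-secret \
    IMAGE_DEPLOY_OATHKEEPER_INTROSPECT_CLIENT_SECRET=oathkeeper-secret \
    IMAGE_DEPLOY_CLICKHOUSE_PASSWORD=clickhouse-secret \
    IMAGE_DEPLOY_COOKIE_SECRET=cookie-secret \
    IMAGE_DEPLOY_JWT_SECRET=jwt-secret \
    IMAGE_DEPLOY_CSRF_COOKIE_SECRET=csrf-secret \
    IMAGE_DEPLOY_ADMIN_PASSWORD=admin-secret \
    IMAGE_DEPLOY_BACKEND_LOG_LEVEL=debug \
    IMAGE_DEPLOY_CLIENT_LOG_DEBUG=true \
    WORKS_ADMIN_API_BASE_URL=https://works-api.example.test \
    WORKS_ADMIN_OAUTH_TOKEN_URL=https://works-auth.example.test/token \
    PROFILE_CACHE_TTL=30m \
    NAVER_CLOUD_ACCESS_KEY=naver-access \
    NAVER_CLOUD_SECRET_KEY=naver-secret \
    NAVER_CLOUD_SERVICE_ID=naver-service \
    NAVER_SENDER_PHONE_NUMBER=021234567 \
    AWS_REGION=ap-northeast-2 \
    AWS_ACCESS_KEY_ID=aws-access \
    AWS_SECRET_ACCESS_KEY=aws-secret \
    AWS_SES_SENDER=support@example.test \
    CORS_ALLOWED_ORIGINS=https://sso.example.test \
    OATHKEEPER_API_URL=http://oathkeeper:4456 \
    CLICKHOUSE_HOST=clickhouse \
    CLICKHOUSE_USER=baron \
    scripts/deploy/build_image_deploy_bundle.sh >/dev/null
  )
}

#######################################
# Assert that the generated .env carries the override values verbatim
# (the IMAGE_DEPLOY_* inputs are expected to land under their short names).
# Arguments: $1 - path to the generated .env
#######################################
check_env_file() {
  local env_file="$1"
  assert_env_value "$env_file" "BACKEND_LOG_LEVEL" "debug"
  assert_env_value "$env_file" "CLIENT_LOG_DEBUG" "true"
  assert_env_value "$env_file" "WORKS_ADMIN_API_BASE_URL" "https://works-api.example.test"
  assert_env_value "$env_file" "WORKS_ADMIN_OAUTH_TOKEN_URL" "https://works-auth.example.test/token"
  assert_env_value "$env_file" "PROFILE_CACHE_TTL" "30m"
  assert_env_value "$env_file" "NAVER_CLOUD_ACCESS_KEY" "naver-access"
  assert_env_value "$env_file" "NAVER_CLOUD_SECRET_KEY" "naver-secret"
  assert_env_value "$env_file" "NAVER_CLOUD_SERVICE_ID" "naver-service"
  assert_env_value "$env_file" "NAVER_SENDER_PHONE_NUMBER" "021234567"
  assert_env_value "$env_file" "AWS_REGION" "ap-northeast-2"
  assert_env_value "$env_file" "AWS_ACCESS_KEY_ID" "aws-access"
  assert_env_value "$env_file" "AWS_SECRET_ACCESS_KEY" "aws-secret"
  assert_env_value "$env_file" "AWS_SES_SENDER" "support@example.test"
  assert_env_value "$env_file" "CORS_ALLOWED_ORIGINS" "https://sso.example.test"
  assert_env_value "$env_file" "BACKEND_PUBLIC_URL" "https://sso.example.test"
  assert_env_value "$env_file" "BACKEND_URL" "https://sso.example.test"
  assert_env_value "$env_file" "OATHKEEPER_API_URL" "http://oathkeeper:4456"
  assert_env_value "$env_file" "CLICKHOUSE_HOST" "clickhouse"
  assert_env_value "$env_file" "CLICKHOUSE_USER" "baron"
}

#######################################
# Run the workflow checks, build the stage bundle, then check its .env.
# Globals:   staging_workflow, production_workflow, staging_refs,
#            production_refs, tmp_root (read)
# Outputs:   success line on stdout
#######################################
main() {
  local workflow
  for workflow in "$staging_workflow" "$production_workflow"; do
    check_workflow_keys "$workflow"
  done
  check_workflow_refs "$staging_workflow" "${staging_refs[@]}"
  check_workflow_refs "$production_workflow" "${production_refs[@]}"

  local bundle_dir="$tmp_root/stage-image-deploy-bundle"
  local bundle_file="$tmp_root/stage-image-deploy-bundle.tgz"
  build_stage_bundle "$bundle_dir" "$bundle_file"
  check_env_file "$bundle_dir/.env"

  printf '%s\n' "image deploy env override checks passed"
}

main "$@"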