From eb82e02c83ae10bc5b31d8c3bb8e57f0a208cd02 Mon Sep 17 00:00:00 2001
From: senke
Date: Sun, 22 Feb 2026 17:23:43 +0100
Subject: [PATCH] fix(ci): repair CD pipeline -- use vars.* instead of secrets.* in if conditions, target Dockerfile.production

---
 .github/workflows/cd.yml | 65 +++++++++++++++++++++-------------------
 1 file changed, 35 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 893d3d626..61bfe1c39 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -15,11 +15,10 @@ on:
 - production
 
 jobs:
- deploy:
- name: Deploy to ${{ github.event.inputs.environment || 'staging' }}
+ build:
+ name: Build and push images
 runs-on: ubuntu-latest
 if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
- environment: ${{ github.event.inputs.environment || 'staging' }}
 steps:
 - uses: actions/checkout@v4
 
@@ -31,21 +30,16 @@ jobs:
 # Example: DOCKER_REGISTRY=ghcr.io/org/repo or registry.example.com/veza
 - name: Build Backend Docker Image
 run: |
- cd veza-backend-api
- docker build -t veza-backend-api:${{ github.sha }} .
+ docker build -t veza-backend-api:${{ github.sha }} -f veza-backend-api/Dockerfile.production veza-backend-api/
 
 - name: Build Frontend Docker Image
 run: |
- cd apps/web
- docker build -t veza-frontend:${{ github.sha }} .
+ docker build -t veza-frontend:${{ github.sha }} -f apps/web/Dockerfile.production apps/web/
 
 - name: Build Rust Services Docker Images
 run: |
- cd veza-chat-server
- docker build -t veza-chat-server:${{ github.sha }} .
-
- cd ../veza-stream-server
- docker build -t veza-stream-server:${{ github.sha }} .
+ docker build -t veza-chat-server:${{ github.sha }} -f veza-chat-server/Dockerfile.production veza-chat-server/
+ docker build -t veza-stream-server:${{ github.sha }} -f veza-stream-server/Dockerfile.production veza-stream-server/
 
 - name: Trivy vulnerability scan
 uses: aquasecurity/trivy-action@0.28.0
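Review bot: Removing `environment:` from this job detaches the registry login, the `:latest` push and the cosign signing steps (still in this same job further down the file) from environment protection rules and from environment-scoped secrets, while the job's `if:` still accepts `workflow_dispatch` from any ref, so a dispatch from a non-main branch now publishes and signs `latest` with no approval gate. If `DOCKER_REGISTRY_PASSWORD`, `DOCKER_REGISTRY_USERNAME` or `COSIGN_PRIVATE_KEY` are defined on the environment rather than at repository level, they resolve empty here and the steps only notice at login or sign time. Either keep `environment: ${{ github.event.inputs.environment || 'staging' }}` on `build` as well, or restrict publishing to main with `if: github.ref == 'refs/heads/main'` on the push and sign steps.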
@@ -92,41 +86,56 @@ jobs:
 path: sbom/
 
 - name: Push Images to Registry
- if: ${{ secrets.DOCKER_REGISTRY != '' }}
+ if: vars.DOCKER_REGISTRY != ''
 run: |
- echo "${{ secrets.DOCKER_REGISTRY_PASSWORD }}" | docker login "${{ secrets.DOCKER_REGISTRY }}" -u "${{ secrets.DOCKER_REGISTRY_USERNAME }}" --password-stdin
+ echo "${{ secrets.DOCKER_REGISTRY_PASSWORD }}" | docker login "${{ vars.DOCKER_REGISTRY }}" -u "${{ secrets.DOCKER_REGISTRY_USERNAME }}" --password-stdin
 for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
- docker tag "${svc}:${{ github.sha }}" "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
- docker tag "${svc}:${{ github.sha }}" "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest"
- docker push "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
- docker push "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest"
+ docker tag "${svc}:${{ github.sha }}" "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
+ docker tag "${svc}:${{ github.sha }}" "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
+ docker push "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
+ docker push "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
 done
 
 - name: Install cosign
- if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }}
+ if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true'
 uses: sigstore/cosign-installer@v3
 with:
 cosign-release: 'v2.2.0'
 
 - name: Sign images with cosign
- if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }}
+ if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true'
 env:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
 run: |
 for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
- cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
- cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest"
+ cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
+ cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
 done
+ - name: Build Summary
+ run: |
+ echo "## Build Summary" >> $GITHUB_STEP_SUMMARY
+ echo "- Backend: veza-backend-api:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
+ echo "- Frontend: veza-frontend:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
+ echo "- Chat Server: veza-chat-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
+ echo "- Stream Server: veza-stream-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
+
+ deploy:
+ name: Deploy to ${{ github.event.inputs.environment || 'staging' }}
+ runs-on: ubuntu-latest
+ needs: build
+ if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+ environment: ${{ github.event.inputs.environment || 'staging' }}
+ steps:
 - name: Deploy to Kubernetes
- if: ${{ secrets.KUBE_CONFIG != '' }}
+ if: vars.KUBE_CONFIG_SET == 'true'
 run: |
 KUBECONFIG="${{ runner.temp }}/kubeconfig"
 echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > "$KUBECONFIG"
 chmod 600 "$KUBECONFIG"
 export KUBECONFIG
 for svc in veza-backend-api veza-chat-server veza-stream-server; do
- kubectl set image "deployment/${svc}" "${svc}=${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" \
+ kubectl set image "deployment/${svc}" "${svc}=${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" \
 -n veza --record || echo "Skipping ${svc} (deployment not found)"
 done
 kubectl rollout status deployment/veza-backend-api -n veza --timeout=300s || true
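Review bot: The sign step still signs the mutable tags `${svc}:${{ github.sha }}` and `:latest`, and the `Deploy to Kubernetes` step later in this hunk sets the image by the same `:${{ github.sha }}` tag, so the signature is bound to whatever digest the tag resolved to when cosign ran while the cluster pulls whatever it resolves to at deploy time; nothing records the digest the push produced. Resolve the digest once after the push and sign that (it also covers `:latest`, which names the same manifest), then expose it through a step `id:` and a job `outputs:` entry so `kubectl set image` in `deploy` can use `${svc}@sha256:…` from `needs.build.outputs` instead of a tag. `vars.COSIGN_ENABLED == 'true'` and `vars.KUBE_CONFIG_SET == 'true'` are flags maintained by hand beside the secrets they stand for; with the registry configured and `COSIGN_ENABLED` unset, images are pushed and deployed unsigned with no error, so consider failing the build in that combination rather than skipping the step. Whether the deploy side verifies signatures (`cosign verify` or an admission policy) is not visible here — confirm, since signing alone enforces nothing.
```yaml
      - name: Sign images with cosign
        if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true'
        # … unchanged: env block with COSIGN_PASSWORD / COSIGN_PRIVATE_KEY …
        run: |
          for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
            ref="${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
            # Sign the content-addressed digest the push produced, not the mutable tag;
            # the signature then covers :latest too, since both tags name this manifest.
            digest="$(docker inspect --format '{{index .RepoDigests 0}}' "$ref")"
            cosign sign --key env://COSIGN_PRIVATE_KEY --yes "$digest"
            # Hand the pinned reference to the deploy job (needs a step id and job outputs).
            echo "${svc}=${digest}" >> "$GITHUB_OUTPUT"
          done
```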
@@ -135,17 +144,13 @@ jobs:
 - name: Deployment Summary
 run: |
 echo "## Deployment Summary" >> $GITHUB_STEP_SUMMARY
- echo "- Backend: veza-backend-api:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
- echo "- Frontend: veza-frontend:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
- echo "- Chat Server: veza-chat-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
- echo "- Stream Server: veza-stream-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
 echo "- Environment: ${{ github.event.inputs.environment || 'staging' }}" >> $GITHUB_STEP_SUMMARY
 
 smoke-post-deploy:
 name: Smoke tests post-deploy
 runs-on: ubuntu-latest
 needs: deploy
- if: ${{ secrets.STAGING_URL != '' || vars.STAGING_URL != '' }}
+ if: vars.STAGING_URL != ''
 steps:
 - uses: actions/checkout@v4
 
@@ -163,7 +168,7 @@ jobs:
 - name: Run smoke tests
 env:
- PLAYWRIGHT_BASE_URL: ${{ secrets.STAGING_URL || vars.STAGING_URL }}
+ PLAYWRIGHT_BASE_URL: ${{ vars.STAGING_URL }}
 run: |
 cd apps/web
 npx playwright test --config=playwright.config.smoke.ts
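Review bot: `if: vars.STAGING_URL != ''` on `smoke-post-deploy` gates only on a staging URL while the `deploy` job it depends on targets `github.event.inputs.environment`, so a `production` dispatch either runs the suite against staging (the next hunk sets `PLAYWRIGHT_BASE_URL: ${{ vars.STAGING_URL }}`) or skips it, and the suite also runs when the Kubernetes step in `deploy` was skipped by `vars.KUBE_CONFIG_SET`, since that job still succeeds. The job carries no `environment:` of its own, so if `STAGING_URL` is an environment variable rather than a repository variable it will presumably not be visible in this job-level `if:`; confirm where it is defined. Consider `environment: ${{ github.event.inputs.environment || 'staging' }}` on this job with an environment-scoped `vars.SMOKE_BASE_URL`, or at minimum `if: vars.STAGING_URL != '' && (github.event.inputs.environment || 'staging') == 'staging'` so the suite never targets the wrong deployment.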