From def21a220de12d36a051b275fc1dfd5df1a91fa6 Mon Sep 17 00:00:00 2001
From: chahinebrini
Date: Thu, 7 May 2026 20:32:34 +0200
Subject: [PATCH] refactor(deploy-staging): HETZNER_HOST/USER von secrets zu vars
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hostname (staging.rebreak.org) und User (root) sind keine echten Secrets — public DNS bzw. in Doku schon erwähnt. Variables sichtbar in Logs erleichtert Debug (siehe DNS-Fail mit "getaddrinfo ***" — bei vars wäre der konkrete Wert lesbar gewesen).

Aufteilung jetzt:
- HETZNER_SSH_KEY → secret (sensitive: Server-Root-Zugang)
- HETZNER_HOST → var (public DNS)
- HETZNER_USER → var (in Doku)

Plus echo des Host-Werts in Setup-SSH-Step für Debug-Visibility.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/deploy-staging.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index 8dc8c3f..cb14b11 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -82,12 +82,13 @@ jobs:
       - name: Setup SSH
         env:
           SSH_PRIVATE_KEY: ${{ secrets.HETZNER_SSH_KEY }}
-          SSH_HOST: ${{ secrets.HETZNER_HOST }}
+          SSH_HOST: ${{ vars.HETZNER_HOST }}
         run: |
           if [ -z "$SSH_PRIVATE_KEY" ] || [ -z "$SSH_HOST" ]; then
-            echo "FATAL: HETZNER_SSH_KEY oder HETZNER_HOST nicht gesetzt"
+            echo "FATAL: HETZNER_SSH_KEY (secret) oder HETZNER_HOST (var) nicht gesetzt"
             exit 1
           fi
+          echo "Deploying to host: $SSH_HOST"
           mkdir -p ~/.ssh
           printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
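Review bot: The guard `[ -z "$SSH_HOST" ]` next to the new `vars.HETZNER_HOST` line only rejects an empty value, yet the host is now read from a repository/environment variable edited in the repo settings and is spliced unvalidated into `"$SSH_USER@$SSH_HOST"` for scp/ssh in the later steps, where a value starting with `-` would be taken as an option; a format guard beside the existing check keeps a mis-set variable from getting that far: `case "$SSH_HOST" in ''|-*|*[!A-Za-z0-9.:-]*) echo "FATAL: HETZNER_HOST (var) hat ungueltiges Format: $SSH_HOST"; exit 1;; esac`. Separately, `printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519` creates the key file under the runner's default umask before `chmod 600` runs; a `umask 077` placed before the `mkdir`/`printf` lines (which also leaves `~/.ssh` itself at 700) closes that window. Whether the host key for `$SSH_HOST` is pinned (a known_hosts entry or an explicit `StrictHostKeyChecking` setting) is not visible in this hunk; with the host now sourced from a plain variable rather than a masked secret, that pin is what stops a wrong host value from silently redirecting the deploy. The step's `run:` block may continue past the hunk.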
@@ -95,16 +96,16 @@ jobs:
 
       - name: Upload artifact zu Hetzner
         env:
-          SSH_HOST: ${{ secrets.HETZNER_HOST }}
-          SSH_USER: ${{ secrets.HETZNER_USER }}
+          SSH_HOST: ${{ vars.HETZNER_HOST }}
+          SSH_USER: ${{ vars.HETZNER_USER }}
         run: |
           scp -i ~/.ssh/id_ed25519 backend-output.tar.gz \
             "$SSH_USER@$SSH_HOST:/srv/rebreak/backend/.output-incoming.tar.gz"
 
       - name: Server-side deploy (extract + migrate + pm2 restart)
         env:
-          SSH_HOST: ${{ secrets.HETZNER_HOST }}
-          SSH_USER: ${{ secrets.HETZNER_USER }}
+          SSH_HOST: ${{ vars.HETZNER_HOST }}
+          SSH_USER: ${{ vars.HETZNER_USER }}
         run: |
           ssh -i ~/.ssh/id_ed25519 "$SSH_USER@$SSH_HOST" \
             'bash /srv/rebreak/scripts/deploy-from-artifact.sh'
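Review bot: Neither of the two new `SSH_USER: ${{ vars.HETZNER_USER }}` lines is covered by a presence check — the `-z` guard in Setup SSH looks only at `SSH_PRIVATE_KEY` and `SSH_HOST` — so an unset HETZNER_USER variable turns the target into `@$SSH_HOST`, and scp/ssh then fall back to the runner's local username and fail late with an unrelated-looking authentication error. A one-line guard at the top of each `run:` here (or the Setup SSH check extended to `$SSH_USER`) makes the failure explicit and names the variable: `: "${SSH_USER:?HETZNER_USER (var) nicht gesetzt}"`. As a point of style, `SSH_HOST` is now declared identically in three steps and `SSH_USER` in two; hoisting both to the job-level `env:` (the job header is outside the hunk) would turn the next secret-to-var move into a single-line edit. The commit message states the user is root; a dedicated deploy account whose authorized key carries a forced command limited to `deploy-from-artifact.sh` would bound what the CI key can do if it leaks, though that is a server-side change beyond this diff.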