fix: harden private test deployment workflow

.env.test.example

@@ -1,5 +1,5 @@
 DJANGO_SECRET_KEY=change-me-long-random-value
-DJANGO_DEBUG=0
+DJANGO_DEBUG=1
 DJANGO_ALLOWED_HOSTS=192.168.2.55,localhost,127.0.0.1
 DJANGO_CSRF_TRUSTED_ORIGINS=http://192.168.2.55:8088
 DJANGO_SECURE_COOKIES=0

.github/workflows/deploy-prod.yml

@@ -12,6 +12,23 @@ jobs:
     runs-on: ubuntu-latest
     environment: production
     steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - name: Upload release bundle
+        uses: appleboy/scp-action@v1.0.0
+        with:
+          host: ${{ secrets.PROD_DEPLOY_HOST }}
+          username: ${{ secrets.PROD_DEPLOY_USER }}
+          key: ${{ secrets.PROD_DEPLOY_SSH_KEY }}
+          port: ${{ secrets.PROD_DEPLOY_PORT || 22 }}
+          source: "."
+          target: ${{ secrets.PROD_DEPLOY_PATH }}
+          rm: false
+          overwrite: true
+          strip_components: 0
+          exclude: ".git,.github,.venv,__pycache__,node_modules,backend/media,backend/staticfiles"
+
       - name: Deploy over SSH
         uses: appleboy/ssh-action@v1.2.0
         with:
@@ -21,13 +38,6 @@ jobs:
           port: ${{ secrets.PROD_DEPLOY_PORT || 22 }}
           script: |
             set -e
-            REPO_URL="git@github.com:${{ github.repository }}.git"
             DEPLOY_DIR="${{ secrets.PROD_DEPLOY_PATH }}"
-            if [ ! -d "$DEPLOY_DIR/.git" ]; then
-              git clone "$REPO_URL" "$DEPLOY_DIR"
-            fi
             cd "$DEPLOY_DIR"
-            git fetch --all --prune
-            git checkout main || git checkout -b main origin/main
-            git reset --hard origin/main
             RUN_DJANGO_CHECK=1 ./scripts/deploy_stack.sh .env.prod docker-compose.prod.yml

.github/workflows/deploy-test.yml

@@ -15,6 +15,23 @@ jobs:
     runs-on: ubuntu-latest
     environment: development
     steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - name: Upload release bundle
+        uses: appleboy/scp-action@v1.0.0
+        with:
+          host: ${{ secrets.TEST_DEPLOY_HOST }}
+          username: ${{ secrets.TEST_DEPLOY_USER }}
+          key: ${{ secrets.TEST_DEPLOY_SSH_KEY }}
+          port: ${{ secrets.TEST_DEPLOY_PORT || 22 }}
+          source: "."
+          target: ${{ secrets.TEST_DEPLOY_PATH }}
+          rm: false
+          overwrite: true
+          strip_components: 0
+          exclude: ".git,.github,.venv,__pycache__,node_modules,backend/media,backend/staticfiles"
+
       - name: Deploy over SSH
         uses: appleboy/ssh-action@v1.2.0
         with:
@@ -24,13 +41,6 @@ jobs:
           port: ${{ secrets.TEST_DEPLOY_PORT || 22 }}
           script: |
             set -e
-            REPO_URL="git@github.com:${{ github.repository }}.git"
             DEPLOY_DIR="${{ secrets.TEST_DEPLOY_PATH }}"
-            if [ ! -d "$DEPLOY_DIR/.git" ]; then
-              git clone "$REPO_URL" "$DEPLOY_DIR"
-            fi
             cd "$DEPLOY_DIR"
-            git fetch --all --prune
-            git checkout develop || git checkout -b develop origin/develop
-            git reset --hard ${{ github.sha }}
             RUN_DJANGO_CHECK=0 DEPLOY_HEALTH_URL="http://127.0.0.1:8088/healthz/" ./scripts/deploy_stack.sh .env.test docker-compose.prod.yml

scripts/deploy_stack.sh

@@ -15,6 +15,7 @@ fi
 
 "${COMPOSE[@]}" build web worker caddy
 "${COMPOSE[@]}" up -d db redis
+"${COMPOSE[@]}" run --rm --user root web sh -c "mkdir -p /app/media/pdfs /app/staticfiles /app/backups && chown -R app:app /app/media /app/staticfiles /app/backups"
 "${COMPOSE[@]}" run --rm web python manage.py migrate --noinput
 "${COMPOSE[@]}" run --rm web python manage.py bootstrap_initial_users
 "${COMPOSE[@]}" run --rm web python manage.py collectstatic --noinput