bos55-nix-config-cicd/.github/workflows/deploy.yml

name: Deploy

on:
  push:
    branches:
      - main
      - 'test-*'
  workflow_dispatch:
    inputs:
      mode:
        description: 'Activation mode (switch, boot, test)'
        default: 'switch'
        required: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    container: catthehacker/ubuntu:act-24.04
    steps:
      - uses: actions/checkout@v4

      - name: Install Nix
        uses: cachix/install-nix-action@v27
        with:
          extra_nix_config: |
            experimental-features = nix-command flakes

      - name: Setup SSH
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan -H 192.168.0.0/24 >> ~/.ssh/known_hosts || true
          # Disable strict host key checking for the local network if needed, 
          # or rely on known_hosts. For homelab, we can be slightly more relaxed 
          # but let's try to be secure.
          echo "StrictHostKeyChecking no" >> ~/.ssh/config

      - name: Verify Commit Signature
        if: github.event.sender.login != 'renovate[bot]'
        run: |
          # TODO Hugo: Export your public GPG/SSH signing keys to a runner secret named 'TRUSTED_SIGNERS'.
          # For GPG: gpg --export --armor <id> | base64 -w0
          
          if [ -z "${{ secrets.TRUSTED_SIGNERS }}" ]; then
            echo "::error::TRUSTED_SIGNERS secret is missing. Deployment aborted for safety."
            exit 1
          fi
          
          # Implementation note: This step expects a keyring in the TRUSTED_SIGNERS secret.
          # We use git to verify the signature of the current commit.
          echo "${{ secrets.TRUSTED_SIGNERS }}" | base64 -d > /tmp/trusted_keys.gpg
          gpg --import /tmp/trusted_keys.gpg
          
          if ! git verify-commit HEAD; then
            echo "::error::Commit signature verification failed. Only signed commits from trusted maintainers can be deployed."
            exit 1
          fi
          echo "Commit signature verified successfully."

      - name: Install deploy-rs
        run: nix profile install github:serokell/deploy-rs

      - name: Deploy to hosts
        run: |
          # Determine profile based on branch
          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
            # Main site: persistent deployment
            deploy . --skip-checks --targets $(deploy . --list | grep '.system$' | tr '\n' ' ')
          elif [[ "${{ github.ref }}" == "refs/heads/test-"* ]]; then
            # Test branch: non-persistent deployment (test profile)
            # The branch name should be test-<hostname>
            HOSTNAME="${GITHUB_REF#refs/heads/test-}"
            deploy .#${HOSTNAME}.test --skip-checks
          fi

      - name: Manual Deploy
        if: github.event_name == 'workflow_dispatch'
        run: |
          # TODO: Implement manual dispatch logic if needed
          deploy . --skip-checks