From 710624f41795bf12f8e5e4f11fc81b61c3c0129d Mon Sep 17 00:00:00 2001
From: Deeman <hendriknote@gmail.com>
Date: Sat, 28 Feb 2026 17:57:32 +0100
Subject: [PATCH] fix(supervisor): re-decrypt .env.prod.sops on tag deploy

git_pull_and_sync() was missing the sops decrypt step, so .env on the
server was never updated when secrets changed. Now decrypts after
checkout, before uv sync.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/padelnomics/supervisor.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/padelnomics/supervisor.py b/src/padelnomics/supervisor.py
index 005d3a5..735cf73 100644
--- a/src/padelnomics/supervisor.py
+++ b/src/padelnomics/supervisor.py
@@ -319,6 +319,7 @@ def git_pull_and_sync() -> None:
 
     logger.info("New tag %s available (current: %s) — deploying", latest, current)
     run_shell(f"git checkout --detach {latest}")
+    run_shell("sops --input-type dotenv --output-type dotenv -d .env.prod.sops > .env")
     run_shell("uv sync --all-packages")