feat: no-root deploy, remove CI deploy stage, deploy alerts

- deploy.sh installs sops/age to ./bin/ (no root/sudo needed) - Remove CI deploy stage — supervisor auto-pulls and deploys (zero CI secrets: no SSH keys, no deploy credentials) - Supervisor sends alert on deploy success/failure via webhook Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 18:23:19 +01:00
parent e4bd9378f5
commit 8558fd6b40
4 changed files with 22 additions and 26 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,6 +1,5 @@
 stages:
  - test
-  - deploy

 test:
  stage: test
@@ -15,18 +14,6 @@ test:
    - if: $CI_COMMIT_BRANCH == "master"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

-deploy:
-  stage: deploy
-  image: alpine:latest
-  needs: [test]
-  rules:
-    - if: $CI_COMMIT_BRANCH == "master"
-  before_script:
-    - apk add --no-cache openssh-client
-    - eval $(ssh-agent -s)
-    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
-    - mkdir -p ~/.ssh
-    - chmod 700 ~/.ssh
-    - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
-  script:
-    - ssh "$DEPLOY_USER@$DEPLOY_HOST" "cd /opt/padelnomics && git pull origin master && ./deploy.sh"
+# Deployment is handled by the on-server supervisor (src/padelnomics/supervisor.py).
+# It polls git every 60s, detects code changes, and runs deploy.sh automatically.
+# No CI secrets needed — zero SSH keys, zero deploy credentials.