From 944131535ecc0898b4312f613294f74533564cba Mon Sep 17 00:00:00 2001
From: Deeman
Date: Mon, 23 Feb 2026 17:04:41 +0100
Subject: [PATCH] =?UTF-8?q?refactor:=20remove=20CI=20heredoc=20=E2=80=94?= =?UTF-8?q?=20secrets=20now=20in=20encrypted=20sops=20files?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

deploy.sh handles decryption on the server. CI only needs SSH credentials (SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, DEPLOY_USER, DEPLOY_HOST). All app secrets removed from GitLab CI variables. Dead ADMIN_PASSWORD removed.
Co-Authored-By: Claude Opus 4.6
---
 .gitlab-ci.yml | 28 ----------------------------
 1 file changed, 28 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7598307..79e08f4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -29,32 +29,4 @@ deploy:
 - chmod 700 ~/.ssh
 - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
 script:
- - |
- ssh "$DEPLOY_USER@$DEPLOY_HOST" "cat > /opt/padelnomics/.env" << ENVEOF
- APP_NAME=$APP_NAME
- SECRET_KEY=$SECRET_KEY
- BASE_URL=$BASE_URL
- DEBUG=false
- ADMIN_PASSWORD=$ADMIN_PASSWORD
- DATABASE_PATH=data/app.db
- MAGIC_LINK_EXPIRY_MINUTES=${MAGIC_LINK_EXPIRY_MINUTES:-15}
- SESSION_LIFETIME_DAYS=${SESSION_LIFETIME_DAYS:-30}
- RESEND_API_KEY=$RESEND_API_KEY
- EMAIL_FROM=${EMAIL_FROM:-hello@notifications.padelnomics.io}
- ADMIN_EMAILS=${ADMIN_EMAILS:-}
- LEADS_EMAIL=${LEADS_EMAIL:-}
- UMAMI_API_URL=${UMAMI_API_URL:-}
- WAITLIST_MODE=${WAITLIST_MODE:-false}
- RATE_LIMIT_REQUESTS=${RATE_LIMIT_REQUESTS:-100}
- RATE_LIMIT_WINDOW=${RATE_LIMIT_WINDOW:-60}
- PADDLE_API_KEY=${PADDLE_API_KEY:-}
- PADDLE_WEBHOOK_SECRET=${PADDLE_WEBHOOK_SECRET:-}
- PADDLE_PRICE_STARTER=${PADDLE_PRICE_STARTER:-}
- PADDLE_PRICE_PRO=${PADDLE_PRICE_PRO:-}
- LITESTREAM_R2_BUCKET=$LITESTREAM_R2_BUCKET
- LITESTREAM_R2_ACCESS_KEY_ID=$LITESTREAM_R2_ACCESS_KEY_ID
- LITESTREAM_R2_SECRET_ACCESS_KEY=$LITESTREAM_R2_SECRET_ACCESS_KEY
- LITESTREAM_R2_ENDPOINT=$LITESTREAM_R2_ENDPOINT
- ENVEOF
- - ssh "$DEPLOY_USER@$DEPLOY_HOST" "chmod 600 /opt/padelnomics/.env"
 - ssh "$DEPLOY_USER@$DEPLOY_HOST" "cd /opt/padelnomics && git pull origin master && ./deploy.sh"