fix(supervisor): re-decrypt .env.prod.sops on tag deploy

git_pull_and_sync() was missing the sops decrypt step, so .env on the server was never updated when secrets changed. Now decrypts after checkout, before uv sync. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-28 17:57:32 +01:00
1 changed files with 1 additions and 0 deletions
--- a/src/padelnomics/supervisor.py
+++ b/src/padelnomics/supervisor.py
@@ -319,6 +319,7 @@ def git_pull_and_sync() -> None:

    logger.info("New tag %s available (current: %s) — deploying", latest, current)
    run_shell(f"git checkout --detach {latest}")
+    run_shell("sops --input-type dotenv --output-type dotenv -d .env.prod.sops > .env")
    run_shell("uv sync --all-packages")