From e7659a4615127782c17bbe4aa2519b17825ed44a Mon Sep 17 00:00:00 2001
From: SysAdmin
Date: Mon, 17 Nov 2025 13:51:36 +0000
Subject: [PATCH] fix: Switch from HTTPS token to SSH key authentication for git clone
---
 .gitea/workflows/build-and-deploy.yml | 42 +++++++++++++++++----------
 1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/.gitea/workflows/build-and-deploy.yml b/.gitea/workflows/build-and-deploy.yml
index 948b5c0..d8776d8 100644
--- a/.gitea/workflows/build-and-deploy.yml
+++ b/.gitea/workflows/build-and-deploy.yml
@@ -187,41 +187,51 @@ jobs:
 - name: Deploy to CT109
 run: |
- ssh -i ~/.ssh/deploy_key -p ${{ secrets.CT109_SSH_PORT }} ${{ secrets.CT109_USER }}@${{ secrets.CT109_HOST }} bash -s << ENDSSH
+ # Copy SSH key to CT109 for git access
+ echo "Setting up git SSH access on CT109..."
+ scp -i ~/.ssh/deploy_key -P ${{ secrets.CT109_SSH_PORT }} ~/.ssh/deploy_key ${{ secrets.CT109_USER }}@${{ secrets.CT109_HOST }}:~/.ssh/git_deploy_key
+
+ ssh -i ~/.ssh/deploy_key -p ${{ secrets.CT109_SSH_PORT }} ${{ secrets.CT109_USER }}@${{ secrets.CT109_HOST }} bash -s << 'ENDSSH'
 set -e
 export VERSION="${{ github.sha }}"
- export GITEA_TOKEN="${{ secrets.GIT_TOKEN }}"
+
+ # Configure SSH for git
+ chmod 600 ~/.ssh/git_deploy_key
+ eval "$(ssh-agent -s)"
+ ssh-add ~/.ssh/git_deploy_key 2>/dev/null || true
+
+ # Add git.silverlabs.uk to known hosts
+ ssh-keyscan -p 2223 git.silverlabs.uk >> ~/.ssh/known_hosts 2>/dev/null || true
 # Use home directory for deployment
 DEPLOY_DIR=~/littleshop
- echo "Using deployment directory: \$DEPLOY_DIR"
+ echo "Using deployment directory: $DEPLOY_DIR"
 # Create deployment directory if it doesn't exist
- mkdir -p "\$DEPLOY_DIR"
- cd "\$DEPLOY_DIR"
+ mkdir -p "$DEPLOY_DIR"
+ cd "$DEPLOY_DIR"
- # Clone or pull latest code with token authentication
+ # Clone or pull latest code via SSH
 if [ ! -d .git ]; then
- echo "Cloning repository with authentication..."
+ echo "Cloning repository via SSH..."
 rm -rf * # Clean any existing files
- # Use token as username, random string as password (Gitea format)
- git clone https://\${GITEA_TOKEN}:@git.silverlabs.uk/Jamie/littleshop.git .
+ GIT_SSH_COMMAND="ssh -i ~/.ssh/git_deploy_key -p 2223" git clone ssh://git@git.silverlabs.uk:2223/Jamie/littleshop.git .
 else
 echo "Repository already cloned, pulling latest..."
- git fetch origin
+ GIT_SSH_COMMAND="ssh -i ~/.ssh/git_deploy_key -p 2223" git fetch origin
 fi
- echo "Checking out version: \$VERSION"
- git checkout \$VERSION || git checkout main
+ echo "Checking out version: $VERSION"
+ git checkout $VERSION || git checkout main
 # Build images on CT109
 echo "Building LittleShop image..."
- docker build --no-cache -t littleshop:\$VERSION .
- docker tag littleshop:\$VERSION littleshop:latest
+ docker build --no-cache -t littleshop:$VERSION .
+ docker tag littleshop:$VERSION littleshop:latest
 echo "Building TeleBot image..."
- docker build --no-cache -t telebot:\$VERSION -f Dockerfile.telebot .
- docker tag telebot:\$VERSION telebot:latest
+ docker build --no-cache -t telebot:$VERSION -f Dockerfile.telebot .
+ docker tag telebot:$VERSION telebot:latest
 # Stop existing containers
 echo "Stopping existing containers..."
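Review bot: The added `scp` line copies `~/.ssh/deploy_key`, the same private key the runner uses to log in to CT109, onto CT109 as `~/.ssh/git_deploy_key`, and nothing in the hunk removes it afterwards, so one long-lived key on the deployment host serves as both the host login and the git credential. A dedicated read-only deploy key for the repository would narrow what that file exposes, and a cleanup placed right after `set -e`, such as `trap 'rm -f ~/.ssh/git_deploy_key; ssh-agent -k >/dev/null 2>&1' EXIT`, would keep the key and the agent started by `eval "$(ssh-agent -s)"` from outliving the run. The `ssh-keyscan -p 2223 git.silverlabs.uk >> ~/.ssh/known_hosts` line trusts whichever host key answers on each deploy and appends a duplicate entry every time; comparing against a pinned key stored with the other secrets would keep host verification meaningful. The heredoc continues past the end of the hunk, so cleanup may exist out of view.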