From d9b900d2900cb8eeffbb28d934f9b79daa66e698 Mon Sep 17 00:00:00 2001
From: thomas <louischanhoong@proton.me>
Date: Tue, 19 May 2026 07:43:30 +0800
Subject: [PATCH] 1

---
 .gitea/workflows/deploy.yml | 50 ++++++++++++++++++++++++++-----------
 1 file changed, 35 insertions(+), 15 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 419535f..4cdf909 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -1,14 +1,14 @@
-# Push to main → rsync this repo into arkieproject/backend on ark-library-backend-1, rebuild api.
+# Push to main → scp backend sources to ark-library-backend-1, rebuild api.
 #
 # Gitea repo secrets (Settings → Actions → Secrets):
 #   DEPLOY_SSH_KEY   — PEM private key for ec2-user@ark-library-backend-1 (no passphrase)
 #
 # Optional secrets (override defaults):
-#   DEPLOY_HOST      — SSH host (default ark-library-backend-1; use IP/hostname if the runner has no ~/.ssh/config alias)
+#   DEPLOY_HOST      — SSH host (default ark-library-backend-1)
 #   DEPLOY_USER      — default ec2-user
 #   REMOTE_REPO      — default /home/ec2-user/arkieproject
 #
-# Runner must reach the host (Tailscale, VPC, or public IP). Add the matching public key to authorized_keys on the server.
+# Runner must reach the host. Server needs ${REMOTE_REPO}/.env and deploy/ (bootstrap via deploy/sync-admin.sh).
 
 name: Deploy API
 
@@ -34,6 +34,7 @@ jobs:
           echo "DEPLOY_HOST=${DEPLOY_HOST:-ark-library-backend-1}" >> "$GITHUB_ENV"
           echo "DEPLOY_USER=${DEPLOY_USER:-ec2-user}" >> "$GITHUB_ENV"
           echo "REMOTE_REPO=${REMOTE_REPO:-/home/ec2-user/arkieproject}" >> "$GITHUB_ENV"
+          echo "REMOTE_BACKEND=${REMOTE_REPO:-/home/ec2-user/arkieproject}/backend" >> "$GITHUB_ENV"
 
       - name: Configure SSH
         env:
@@ -47,23 +48,42 @@ jobs:
           printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/deploy_key
           chmod 600 ~/.ssh/deploy_key
           ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null || true
+          cat >> ~/.ssh/config <<EOF
+          Host deploy-target
+            HostName ${DEPLOY_HOST}
+            User ${DEPLOY_USER}
+            IdentityFile ~/.ssh/deploy_key
+            StrictHostKeyChecking accept-new
+            ConnectTimeout 30
+          EOF
+          chmod 600 ~/.ssh/config
 
-      - name: Rsync backend sources
+      - name: Package backend sources
         run: |
-          REMOTE_BACKEND="${REMOTE_REPO}/backend/"
-          rsync -avz --delete \
-            --exclude '.git' \
-            --exclude 'uploads' \
-            --exclude '.env' \
-            --exclude '.env.*' \
-            --exclude '.DS_Store' \
-            -e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=30" \
-            ./ "${DEPLOY_USER}@${DEPLOY_HOST}:${REMOTE_BACKEND}"
+          tar czf /tmp/backend-deploy.tar.gz \
+            --exclude='./.git' \
+            --exclude='./uploads' \
+            --exclude='./.env' \
+            --exclude='./.env.*' \
+            --exclude='./.DS_Store' \
+            --exclude='./.gitea' \
+            -C . .
+
+      - name: Deploy backend sources (scp)
+        run: |
+          scp /tmp/backend-deploy.tar.gz deploy-target:/tmp/backend-deploy.tar.gz
+          ssh deploy-target bash -s <<REMOTE
+          set -euo pipefail
+          REMOTE_BACKEND="${REMOTE_BACKEND}"
+          mkdir -p "\${REMOTE_BACKEND}"
+          find "\${REMOTE_BACKEND}" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
+          tar xzf /tmp/backend-deploy.tar.gz -C "\${REMOTE_BACKEND}"
+          rm -f /tmp/backend-deploy.tar.gz
+          REMOTE
 
       - name: Rebuild and restart API container
         run: |
-          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new -o ConnectTimeout=30 \
-            "${DEPLOY_USER}@${DEPLOY_HOST}" bash -s <<REMOTE
+          ssh deploy-target bash -s <<REMOTE
           set -euo pipefail
           cd "${REMOTE_REPO}"
           if [[ ! -f .env ]]; then