From 8bfe7bb17477cdf5561d20e8258d7e3f3d633ccd Mon Sep 17 00:00:00 2001
From: Michael Mainguy
Date: Sat, 3 Jan 2026 06:40:33 -0600
Subject: [PATCH] Add Cloudflare environment variables to CI/CD pipeline
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update build.yml to create .env.production from Gitea secrets
- ANTHROPIC_API_KEY, CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_API_TOKEN
- Secure file with chmod 600 (owner read only)
- Preserve env file across deployments
- Update start.sh to source .env.production if it exists
- Parse and export variables before starting server
- Skip comments and empty lines

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/build.yml | 20 ++++++++++++++++++--
 start.sh | 12 ++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 578090e..c922093 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -34,8 +34,8 @@ jobs:
 # Ensure group write so we can delete old files
 sudo chmod -R g+w /opt/immersive || true
- # Remove old files except data directory
- find /opt/immersive -mindepth 1 -maxdepth 1 ! -name 'data' -exec rm -rf {} +
+ # Remove old files except data directory and env file
+ find /opt/immersive -mindepth 1 -maxdepth 1 ! -name 'data' ! -name '.env.production' -exec rm -rf {} +
 # Copy built files to target
 cp -r . /opt/immersive/
@@ -50,6 +50,22 @@ jobs:
 # Set ownership to immersive user
 sudo chown -R immersive:immersive /opt/immersive
+ - name: Create Environment File
+ env:
+ ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+ CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+ CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+ run: |
+ # Create .env.production with secrets (only accessible by immersive user)
+ echo "# Auto-generated by CI/CD - Do not edit manually" > /opt/immersive/.env.production
+ echo "ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}" >> /opt/immersive/.env.production
+ echo "CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}" >> /opt/immersive/.env.production
+ echo "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" >> /opt/immersive/.env.production
+ # Secure the environment file
+ sudo chown immersive:immersive /opt/immersive/.env.production
+ sudo chmod 600 /opt/immersive/.env.production
+
 - name: Start Service
 run: |
 sudo rc-service immersive start
\ No newline at end of file
diff --git a/start.sh b/start.sh
index 3a0135c..29f5715 100644
--- a/start.sh
+++ b/start.sh
@@ -12,6 +12,18 @@ cd "$APP_DIR"
 export NODE_ENV=production
 export NODE_OPTIONS="--max-old-space-size=2048"
+# Load secrets from environment file if it exists
+if [ -f "$APP_DIR/.env.production" ]; then
+ # Export each line as an environment variable
+ while IFS= read -r line || [ -n "$line" ]; do
+ # Skip comments and empty lines
+ case "$line" in
+ \#*|"") continue ;;
+ esac
+ export "$line"
+ done < "$APP_DIR/.env.production"
+fi
+
 # Optional: Set port (default 3001)
 # export PORT=3001
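Review bot: The first `echo ... > /opt/immersive/.env.production` creates the file under the runner's default umask, and it only becomes mode 600 at the `sudo chmod` several lines later, so on a fresh deployment the three secrets sit in a file that is typically world-readable for that window; put `umask 077` as the first line of the `run:` script so the file is never created wider than owner-only. The redirects also run unprivileged right after the previous step `chown -R immersive:immersive` the tree, and once this step has set the file to 600 and owner immersive, whether the plain `>` can reopen it on the next deployment depends on the earlier `chmod -R g+w` plus the runner user's membership in the immersive group — not visible here, so worth confirming rather than discovering as a failed first echo. Note that 600 is owner read and write, not "owner read only" as the commit message puts it.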
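Review bot: `export "$line"` receives every non-comment, non-empty line verbatim, so any line that is not `NAME=value` (a stray `export FOO=bar`, a line with whitespace before `#`, or a value the workflow wrote without its key) makes `export` fail with "not a valid identifier", and if start.sh runs under `set -e` (the top of the script is outside this hunk) that aborts service startup rather than skipping the line. Tightening the `case` to `\#*|"") continue ;;` then `[A-Za-z_]*=*) export "$line" ;;` then `*) printf 'start.sh: ignoring malformed line in .env.production\n' >&2 ;;` keeps the parse strict and makes the failure visible. Handing the line to `export` as one quoted word instead of `source`/`eval` is the right choice: the value is never expanded or executed, so `$`, backticks or `;` inside a secret stay literal. The flip side is that quotes are also literal (`KEY="x"` exports the quotes as part of the value), which matches the unquoted format the workflow writes but deserves a comment on the `while` line, e.g. `# Lines are NAME=value with the value taken literally (no quoting, no expansion)`.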