Add Cloudflare environment variables to CI/CD pipeline

- Update build.yml to create .env.production from Gitea secrets - ANTHROPIC_API_KEY, CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_API_TOKEN - Secure file with chmod 600 (owner read only) - Preserve env file across deployments - Update start.sh to source .env.production if it exists - Parse and export variables before starting server - Skip comments and empty lines 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-03 06:40:33 -06:00 · 2026-01-03 06:40:33 -06:00 · 8bfe7bb174
commit 8bfe7bb174
parent 03217f3e65
2 changed files with 30 additions and 2 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -34,8 +34,8 @@ jobs:
          # Ensure group write so we can delete old files
          sudo chmod -R g+w /opt/immersive || true

-          # Remove old files except data directory
-          find /opt/immersive -mindepth 1 -maxdepth 1 ! -name 'data' -exec rm -rf {} +
+          # Remove old files except data directory and env file
+          find /opt/immersive -mindepth 1 -maxdepth 1 ! -name 'data' ! -name '.env.production' -exec rm -rf {} +

          # Copy built files to target
          cp -r . /opt/immersive/
@ -50,6 +50,22 @@ jobs:
          # Set ownership to immersive user
          sudo chown -R immersive:immersive /opt/immersive

+      - name: Create Environment File
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+        run: |
+          # Create .env.production with secrets (only accessible by immersive user)
+          echo "# Auto-generated by CI/CD - Do not edit manually" > /opt/immersive/.env.production
+          echo "ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}" >> /opt/immersive/.env.production
+          echo "CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}" >> /opt/immersive/.env.production
+          echo "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" >> /opt/immersive/.env.production
+
+          # Secure the environment file
+          sudo chown immersive:immersive /opt/immersive/.env.production
+          sudo chmod 600 /opt/immersive/.env.production
+
      - name: Start Service
        run: |
          sudo rc-service immersive start
--- a/start.sh
+++ b/start.sh
@ -12,6 +12,18 @@ cd "$APP_DIR"
 export NODE_ENV=production
 export NODE_OPTIONS="--max-old-space-size=2048"

+# Load secrets from environment file if it exists
+if [ -f "$APP_DIR/.env.production" ]; then
+    # Export each line as an environment variable
+    while IFS= read -r line || [ -n "$line" ]; do
+        # Skip comments and empty lines
+        case "$line" in
+            \#*|"") continue ;;
+        esac
+        export "$line"
+    done < "$APP_DIR/.env.production"
+fi
+
 # Optional: Set port (default 3001)
 # export PORT=3001