pelagia-portal/.forgejo/workflows/deploy.yml
Hardik 2d6681014d
All checks were successful
PR checks / checks (pull_request) Successful in 31s
fix(deploy): don't inject the CI runner token into ppms (drop --update-env)
The deploy job runs inside the Forgejo Actions runner, whose env includes an
ephemeral FORGEJO_TOKEN (per-job token, revoked when the job ends). 'pm2 restart
--update-env' injected it into ppms, where it shadowed the real PAT in .env
(Next.js won't override an already-set process.env var) — so the Report Issue
button 401'd once the job token expired. Plain restart keeps the daemon's clean env.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-20 23:57:01 +05:30

48 lines
1.6 KiB
YAML

name: Deploy release to production
# Pushing a release tag (vX.Y.Z) deploys that tag to the portal at
# pms.pelagiamarine.com. Runs on the pms1 host runner (label: host),
# which executes as shad0w with direct access to the pm2-managed app.
on:
  push:
    tags:
      - "v*"
jobs:
  deploy:
    runs-on: host
    steps:
      - name: Deploy tag to ~/pms and restart ppms
        run: |
          set -euo pipefail
          export NVM_DIR="$HOME/.nvm"
          . "$NVM_DIR/nvm.sh"
          TAG="${GITHUB_REF_NAME}"
          echo "=== Deploying $TAG ==="
          cd "$HOME/pms"
          git fetch origin --tags --force
          git checkout -f "refs/tags/$TAG"
          cd App
          pnpm install --frozen-lockfile
          pnpm build # includes prisma generate
          pnpm db:migrate:deploy
          # NOT --update-env: this job runs inside the Forgejo Actions runner, whose
          # environment includes an ephemeral FORGEJO_TOKEN (the per-job token, revoked
          # when the job ends). --update-env would inject it into ppms, where it shadows
          # the real PAT from .env (Next.js does not override an already-set process.env
          # var) and breaks the Report Issue button once the job token expires. A plain
          # restart re-execs ppms from the pm2 daemon's clean env, so .env wins.
          pm2 restart ppms
          echo "=== Deployed $TAG ==="
      - name: Verify portal responds
        run: |
          sleep 5
          code=$(curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:3000/login)
          echo "Portal /login returned HTTP $code"
          test "$code" = "200"
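
A post-deploy check for the shadowing this commit fixes, as an added example that is not part of the repository: it compares a process environment dump (the NUL-separated `/proc/<pid>/environ` format) against the app's `.env` and prints the names, never the values, of variables whose live value differs. The function names, the sample values and the simple `KEY=VALUE` parsing of `.env` are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the repository.

# shadowed_vars ENVIRON_FILE DOTENV_FILE
# Prints the NAMES (never the values) of variables that the process already
# has set to something other than what the .env file defines. Those are the
# entries a no-override dotenv loader will silently ignore from .env.
shadowed_vars() {
  # /proc/<pid>/environ is NUL-separated; make it line-oriented for awk.
  tr '\0' '\n' < "$1" | awk '
    FNR == NR {                       # first input: the live environment
      i = index($0, "=")
      if (i > 1) live[substr($0, 1, i - 1)] = substr($0, i + 1)
      next
    }
    /^[ \t]*(#|$)/ { next }           # .env comments and blank lines
    {
      sub(/^[ \t]*(export[ \t]+)?/, "")
      i = index($0, "=")
      if (i < 2) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/[ \t]/, "", key)
      # Drop one pair of surrounding double or single (\047) quotes.
      if (val ~ /^".*"$/ || val ~ /^\047.*\047$/) val = substr(val, 2, length(val) - 2)
      if ((key in live) && live[key] != val) print key
    }' - "$2"
}

# Constructed sample data: an environment as left by a restart with
# --update-env from a CI job, and the .env the app should read its PAT from.
demo() {
  local dir; dir=$(mktemp -d)
  printf 'PATH=/usr/bin\0NODE_ENV=production\0FORGEJO_TOKEN=constructed-job-token\0' > "$dir/environ"
  printf '%s\n' '# constructed .env' 'NODE_ENV=production' \
    'FORGEJO_TOKEN="constructed-pat-value"' > "$dir/.env"
  shadowed_vars "$dir/environ" "$dir/.env"
  rm -rf "$dir"
}

demo   # prints: FORGEJO_TOKEN
```

On the host, the first argument would be the `environ` file of the running ppms process and the second the app's `.env`; an empty result after `pm2 restart ppms` means the values in `.env` are the ones the app sees.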