From 316afe004f996c9bebe0c2c0b0df6a2fe96727e1 Mon Sep 17 00:00:00 2001
From: Marc Mintel <marc@mintel.me>
Date: Wed, 4 Mar 2026 16:12:58 +0100
Subject: [PATCH] fix(ci): use SCP credentials file for docker auth on SSH
 deploy

---
 .gitea/workflows/deploy.yml | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 8548077..b30e2a2 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -558,15 +558,19 @@ jobs:
           TOKEN="$VALID_TOKEN"
 
           DB_CONTAINER="${{ needs.prepare.outputs.project_name }}-postgres-db-1"
-          ssh root@alpha.mintel.me bash <<DEPLOYEOF
-          set -e
-          docker network create '${{ needs.prepare.outputs.project_name }}-internal' || true
-          docker volume create 'mintel-me_payload-db-data' || true
-          echo '$TOKEN' | docker login git.infra.mintel.me -u '$VALID_USER' --password-stdin
-          cd $SITE_DIR
-          docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' pull
-          docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' up -d --remove-orphans
-          DEPLOYEOF
+          # Write docker credentials to a temp file locally, scp to remote, use it for docker auth
+          B64_AUTH=$(printf '%s:%s' "$VALID_USER" "$TOKEN" | base64 -w 0)
+          printf '{"auths":{"git.infra.mintel.me":{"auth":"%s"}}}' "$B64_AUTH" > /tmp/docker_creds.json
+          scp /tmp/docker_creds.json root@alpha.mintel.me:/tmp/docker_creds.json
+          rm /tmp/docker_creds.json
+          ssh root@alpha.mintel.me "
+            mkdir -p ~/.docker && cp /tmp/docker_creds.json ~/.docker/config.json && rm /tmp/docker_creds.json
+            docker network create '${{ needs.prepare.outputs.project_name }}-internal' || true
+            docker volume create 'mintel-me_payload-db-data' || true
+            cd $SITE_DIR
+            docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' pull
+            docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' up -d --remove-orphans
+          "
 
       - name: 🧹 Post-Deploy Cleanup (Runner)
         if: always()