refactored deployment phase

.gitea/workflows/cicd.yaml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Run tests
         env:
-          DB_USER: ""   # force SQLite fallback
+          DB_USER: ""   # force SQLite fallback in app.py
           DB_PASS: ""
           DB_NAME: ""
         run: pytest
@@ -51,6 +51,7 @@ jobs:
       - name: Build Docker image for scan
         run: docker build -t demo-app:latest .
 
+      # Trivy via Docker (no GitHub Action)
       - name: Scan image with Trivy
         run: |
           docker run --rm \
@@ -88,16 +89,25 @@ jobs:
 
       - name: Deploy on server
         run: |
-          ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << EOF
-            cd ${{ secrets.DEPLOY_PATH }}
-            # Create/update .env with secrets
-            echo "DB_USER=${{ secrets.DB_USER }}" > .env
-            echo "DB_PASS=${{ secrets.DB_PASS }}" >> .env
-            echo "DB_NAME=${{ secrets.DB_NAME }}" >> .env
-            # Load and deploy
+          ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << 'EOF'
+            set -e
+            cd "${DEPLOY_PATH}"
+
+            # Create/update .env with DB secrets from CI
+            echo "DB_USER=${DB_USER}" > .env
+            echo "DB_PASS=${DB_PASS}" >> .env
+            echo "DB_NAME=${DB_NAME}" >> .env
+
+            # Load new image and restart stack
             docker load -i demo-app.tar
             docker compose down
             docker compose --env-file .env up -d --remove-orphans
+
             rm demo-app.tar
           EOF
+        env:
+          DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
+          DB_USER: ${{ secrets.DB_USER }}
+          DB_PASS: ${{ secrets.DB_PASS }}
+          DB_NAME: ${{ secrets.DB_NAME }}