fix(ci): verify via public HTTPS (follow 301); add build marker for round-trip test

2026-06-22 12:35:03 +02:00
diff --git a/plate-software-web b/plate-software-web
 name: Deploy to plate-software.de
 # Push to main -> this self-hosted runner (cannamanage-act-runner on TrueNAS)
 # rsyncs the static contents of site/ to the IONOS Apache DocumentRoot
 # (/var/www/html on 82.165.206.45). No --delete is used, so unrelated
 # content already on the server (downloads/, owncloud/, .well-known/,
 # index.html.bak.*, etc.) is left untouched.
 #
 # Requires one repo secret (Settings -> Actions -> Secrets):
 #   IONOS_DEPLOY_KEY : private ed25519 key whose public half is in
 #                      root@82.165.206.45:~/.ssh/authorized_keys
 on:
   push:
     branches: [main]
   workflow_dispatch:
 concurrency:
   group: ionos-web-deploy
   cancel-in-progress: false
 env:
   DEPLOY_HOST: 82.165.206.45
   DEPLOY_USER: root
   DEPLOY_PATH: /var/www/html/
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
       - name: Check out pushed commit
         uses: actions/checkout@v4
       - name: Ensure rsync + ssh present
         run: |
           set -euo pipefail
           if ! command -v rsync >/dev/null 2>&1; then
             apt-get update -y && apt-get install -y rsync openssh-client
           fi
           # Avoid `rsync --version | head` — head closing the pipe early sends
           # SIGPIPE to rsync (exit 141) which trips `pipefail`. Print plainly.
           ver=$(rsync --version | sed -n '1p')
           echo "Using $ver"
       - name: Load deploy key
         run: |
           set -euo pipefail
           mkdir -p ~/.ssh
           printf '%s\n' "${{ secrets.IONOS_DEPLOY_KEY }}" > ~/.ssh/id_deploy
           chmod 600 ~/.ssh/id_deploy
           ssh-keyscan -H "$DEPLOY_HOST" >> ~/.ssh/known_hosts 2>/dev/null
           chmod 600 ~/.ssh/known_hosts
       - name: Rsync site/ to IONOS DocumentRoot
         run: |
           set -euo pipefail
           rsync -az --no-perms --no-owner --no-group --omit-dir-times \
             -e "ssh -i ~/.ssh/id_deploy -o IdentitiesOnly=yes" \
             site/ "${DEPLOY_USER}@${DEPLOY_HOST}:${DEPLOY_PATH}"
           echo "✅ Synced site/ -> ${DEPLOY_HOST}:${DEPLOY_PATH}"
       - name: Verify live
         run: |
           set -euo pipefail
           # Hit the public HTTPS endpoint and follow the :80 -> :443 redirect.
           # -L follows redirects; we assert the FINAL status is 200.
           code=$(ssh -i ~/.ssh/id_deploy -o IdentitiesOnly=yes \
             "${DEPLOY_USER}@${DEPLOY_HOST}" \
             "curl -sL -o /dev/null -w '%{http_code}' https://plate-software.de/")
           echo "plate-software.de final HTTP $code"
           case "$code" in
 ) echo "✅ plate-software.de serving HTTP 200" ;;
             *)   echo "❌ unexpected status $code"; exit 1 ;;
           esac
       - name: Summary
         run: |
           echo "=== plate-software.de deployed ==="
           echo "Commit: ${GITHUB_SHA}"
           echo "Live:   https://plate-software.de"