feat(platform): harden access scoping and delivery baseline

.github/workflows/deploy-prod.yml

@@ -0,0 +1,86 @@
+name: Deploy Production
+
+on:
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: Image tag to promote to production, for example sha-<commit>
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    name: Deploy To Production
+    runs-on: ubuntu-latest
+    environment: production
+    timeout-minutes: 30
+    concurrency:
+      group: deploy-production
+      cancel-in-progress: false
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: vars
+        name: Resolve image refs
+        run: |
+          owner="$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')"
+          repo="$(basename '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
+          image_tag="${{ inputs.image_tag }}"
+          echo "app_image=ghcr.io/${owner}/${repo}-app:${image_tag}" >> "$GITHUB_OUTPUT"
+          echo "migrator_image=ghcr.io/${owner}/${repo}-migrator:${image_tag}" >> "$GITHUB_OUTPUT"
+
+      - name: Prepare SSH
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.PROD_SSH_KEY }}
+          SSH_HOST: ${{ secrets.PROD_SSH_HOST }}
+          SSH_PORT: ${{ secrets.PROD_SSH_PORT }}
+        run: |
+          install -m 700 -d ~/.ssh
+          printf '%s\n' "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -p "${SSH_PORT:-22}" -H "${SSH_HOST}" >> ~/.ssh/known_hosts
+
+      - name: Bundle deploy assets
+        run: tar czf deploy-bundle.tgz docker-compose.cicd.yml tooling/deploy
+
+      - name: Copy deploy assets to production
+        env:
+          SSH_PORT: ${{ secrets.PROD_SSH_PORT }}
+        run: |
+          ssh -p "${SSH_PORT:-22}" "${{ secrets.PROD_SSH_USER }}@${{ secrets.PROD_SSH_HOST }}" \
+            "mkdir -p '${{ secrets.PROD_DEPLOY_PATH }}'"
+          scp -P "${SSH_PORT:-22}" deploy-bundle.tgz \
+            "${{ secrets.PROD_SSH_USER }}@${{ secrets.PROD_SSH_HOST }}:${{ secrets.PROD_DEPLOY_PATH }}/deploy-bundle.tgz"
+
+      - name: Run production deployment
+        env:
+          APP_IMAGE: ${{ steps.vars.outputs.app_image }}
+          MIGRATOR_IMAGE: ${{ steps.vars.outputs.migrator_image }}
+          APP_HOST_PORT: ${{ secrets.PROD_APP_HOST_PORT }}
+          GHCR_USERNAME: ${{ secrets.PROD_GHCR_USERNAME }}
+          GHCR_TOKEN: ${{ secrets.PROD_GHCR_TOKEN }}
+          SSH_PORT: ${{ secrets.PROD_SSH_PORT }}
+        run: |
+          cat > deploy.env <<EOF
+          APP_IMAGE=${APP_IMAGE}
+          MIGRATOR_IMAGE=${MIGRATOR_IMAGE}
+          APP_HOST_PORT=${APP_HOST_PORT}
+          GHCR_USERNAME=${GHCR_USERNAME}
+          GHCR_TOKEN=${GHCR_TOKEN}
+          EOF
+          scp -P "${SSH_PORT:-22}" deploy.env \
+            "${{ secrets.PROD_SSH_USER }}@${{ secrets.PROD_SSH_HOST }}:${{ secrets.PROD_DEPLOY_PATH }}/deploy.env"
+          ssh -p "${SSH_PORT:-22}" "${{ secrets.PROD_SSH_USER }}@${{ secrets.PROD_SSH_HOST }}" 'bash -se' <<'EOF'
+          set -euo pipefail
+          cd "${{ secrets.PROD_DEPLOY_PATH }}"
+          tar xzf deploy-bundle.tgz
+          rm -f deploy-bundle.tgz
+          set -a
+          . ./deploy.env
+          set +a
+          bash tooling/deploy/deploy-compose.sh production
+          rm -f deploy.env
+          EOF