From 817e0cb02199ef46fd56718255e89b8c8ef6343d Mon Sep 17 00:00:00 2001
From: ITQ
Date: Sun, 4 May 2025 12:05:17 +0300
Subject: [PATCH] ci: security improvements
---
 .gitlab-ci.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d1076d4..a40505c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -79,6 +79,7 @@ deploy:
     - if: $CI_COMMIT_REF_NAME == "master"
   variables:
     SSH_ADDRESS: $SSH_USER@$SSH_HOST
+    SSH_PRIVATE_KEY_BASE64: $SSH_PRIVATE_KEY_BASE64
   environment:
     name: production
     url: https://datarush.itqdev.xyz
@@ -86,7 +87,7 @@ deploy:
     - mkdir -p ~/.ssh
     - chmod 700 ~/.ssh
     - echo -e "Host *\n\tStrictHostKeyChecking no\n\tIdentitiesOnly yes\n\n" > ~/.ssh/config
-    - printf "%s\n" "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
+    - echo "$SSH_PRIVATE_KEY_BASE64" | base64 -d > ~/.ssh/id_rsa
     - chmod 600 ~/.ssh/id_rsa
     - ssh-keyscan -H $SSH_HOST -p $SSH_PORT > /dev/null 2>&1
@@ -101,10 +102,10 @@ deploy:
       ssh -p $SSH_PORT $SSH_ADDRESS > /dev/null 2>&1 <<'EOF'
       cd ~/deploy
-      docker system prune --force > deploy.log 2>&1
-      docker compose pull --policy always -q > deploy.log 2>&1
       docker compose up -d --remove-orphans --force-recreate >> deploy.log 2>&1
       docker compose ps >> deploy.log 2>&1
+
+      nohup docker system prune --force >> deploy.log 2>&1 &
       EOF
   retry: 2
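Review bot: `SSH_PRIVATE_KEY_BASE64: $SSH_PRIVATE_KEY_BASE64` under the job's `variables:` assigns the variable to itself; a project- or group-level CI/CD variable is already present in the job environment, so the line adds nothing and can read as if the secret were defined in this file. If the intent is to record the dependency, a comment does that without the self-reference, e.g. `# SSH_PRIVATE_KEY_BASE64: base64 of the deploy key, expected as a masked + protected CI/CD variable`. Whether the variable is actually masked and protected is configured in the project settings rather than here, so that is worth confirming given this job runs only on the `master` rule. The `deploy` job begins before this hunk.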
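Review bot: The redirection `> ~/.ssh/id_rsa` creates the key file under the runner's default umask before the following `chmod 600` runs, so the decoded private key is briefly readable by other users on the runner; prefix the step with `- umask 077` (or create the file first with `install -m 600 /dev/null ~/.ssh/id_rsa`). A malformed variable makes `base64 -d` write a partial key or nothing while the redirection itself still succeeds, so `- test -s ~/.ssh/id_rsa` after the decode makes that failure visible instead of surfacing later as an ssh auth error. The surrounding context still sets `StrictHostKeyChecking no` and sends the `ssh-keyscan` output to `/dev/null`, so the server's host key is never checked; for a commit titled security improvements, writing a pinned host key from a CI variable into `~/.ssh/known_hosts` and dropping the `StrictHostKeyChecking no` entry would close that gap. The `script:` list continues outside the hunk.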
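Review bot: With `docker compose pull --policy always -q` removed, `docker compose up -d --remove-orphans --force-recreate` only pulls images that are missing locally, so a deploy that reuses an existing tag recreates the stale image; unless the pull now happens elsewhere in the job, change the line to `docker compose up -d --pull always --remove-orphans --force-recreate >> deploy.log 2>&1`. The removed lines also truncated `deploy.log` with `>` at the start of each run, whereas every redirection left in this hunk appends, so the log grows across deploys unless it is rotated elsewhere; `: > deploy.log` after `cd ~/deploy` restores the old behaviour. The backgrounded `nohup docker system prune --force … &` runs with its exit status unseen and the ssh session's own output already discarded, which is acceptable for best-effort cleanup but should be stated in a comment on the line. The hunk's 10/10 line counts suggest blank context lines were lost in this rendering, and the enclosing `script:` block extends past it.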