Upgrade deployment scripts

Author: mythz

.github/workflows/build-container.yml

@@ -27,19 +27,17 @@ jobs:
 
       - name: Set up environment variables
         run: |
-          echo "image_repository_name=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
-          echo "repository_name=$(echo ${{ github.repository }} | cut -d '/' -f 2)" >> $GITHUB_ENV
-          echo "repository_name_lower=$(echo ${{ github.repository }} | cut -d '/' -f 2 | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
-          echo "org_name=$(echo ${{ github.repository }} | cut -d '/' -f 1)" >> $GITHUB_ENV
+          echo "IMAGE=ghcr.io/$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+          repo_name="$(echo ${{ github.repository }} | cut -d '/' -f 2)"
 
-          # Set SERVICE_LABEL: derive from GITHUB_REPOSITORY (replace dots with dashes)
-          echo "SERVICE_LABEL=$(echo ${{ github.repository }} | cut -d '/' -f 2 | tr '.' '-')" >> $GITHUB_ENV
+          # Set SERVICE: derive from repo name (replace dots with dashes)
+          echo "SERVICE=$(echo $repo_name | tr '[:upper:]' '[:lower:]' | tr '.' '-')" >> $GITHUB_ENV
 
           # Set KAMAL_DEPLOY_HOST: use secret if available, otherwise use repository name
           if [ -n "${{ secrets.KAMAL_DEPLOY_HOST }}" ]; then
             DEPLOY_HOST="${{ secrets.KAMAL_DEPLOY_HOST }}"
           else
-            DEPLOY_HOST="$(echo ${{ github.repository }} | cut -d '/' -f 2)"
+            DEPLOY_HOST="$repo_name"
           fi
 
           # Validate KAMAL_DEPLOY_HOST contains at least one '.'
@@ -56,7 +54,7 @@ jobs:
           KAMAL_DEPLOY_IP: ${{ secrets.KAMAL_DEPLOY_IP }}
         if: env.KAMAL_DEPLOY_IP != null
         run: |
-          sed -i 's#<ContainerLabel Include="service" Value="my-app" />#<ContainerLabel Include="service" Value="${{ env.repository_name_lower }}" />#g' TechStacks/TechStacks.csproj
+          sed -i 's#<ContainerLabel Include="service" Value="my-app" />#<ContainerLabel Include="service" Value="${{ env.SERVICE }}" />#g' TechStacks/TechStacks.csproj
 
       - name: Check for Client directory and package.json
         id: check_client
@@ -83,20 +81,6 @@ jobs:
         working-directory: ./TechStacks.Client
         run: npm run build
 
-      - name: Install x tool
-        run: dotnet tool install -g x
-
-      - name: Apply Production AppSettings
-        env:
-          APPSETTINGS_PATCH: ${{ secrets.APPSETTINGS_PATCH }}      
-        if: env.APPSETTINGS_PATCH != null
-        working-directory: ./TechStacks
-        run: |
-          cat <<EOF >> appsettings.json.patch
-          ${{ secrets.APPSETTINGS_PATCH }}
-          EOF
-          x patch appsettings.json.patch
-
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -113,12 +97,12 @@ jobs:
         env:
           SERVICESTACK_LICENSE: ${{ secrets.SERVICESTACK_LICENSE }}
           KAMAL_DEPLOY_HOST: ${{ env.KAMAL_DEPLOY_HOST }}
-          SERVICE_LABEL: ${{ env.SERVICE_LABEL }}
+          SERVICE: ${{ env.SERVICE }}
         run: |
           docker build \
             --build-arg SERVICESTACK_LICENSE="$SERVICESTACK_LICENSE" \
             --build-arg KAMAL_DEPLOY_HOST="$KAMAL_DEPLOY_HOST" \
-            --build-arg SERVICE_LABEL="$SERVICE_LABEL" \
-            -t ghcr.io/${{ env.image_repository_name }}:latest \
+            --build-arg SERVICE="$SERVICE" \
+            -t ${{ env.IMAGE }}:latest \
             -f Dockerfile .
-          docker push ghcr.io/${{ env.image_repository_name }}:latest
+          docker push ${{ env.IMAGE }}:latest

.github/workflows/build.yml

@@ -18,8 +18,8 @@ jobs:
         with:
           dotnet-version: 10.0.x
 
-      - name: Restore NuGet packages (use repo NuGet.config)
-        run: dotnet restore TechStacks.slnx --configfile ./NuGet.Config
+      - name: Restore NuGet packages
+        run: dotnet restore TechStacks.slnx
 
       # If your feed requires authentication, enable and configure the step below.
       # This example uses a Personal Access Token stored in secrets.NUGET_API_KEY.
@@ -40,7 +40,7 @@ jobs:
 
       # - name: test
       #   run: |
-      #     dotnet test --no-restore
+      #     dotnet test
       #     if [ $? -eq 0 ]; then
       #       echo TESTS PASSED
       #     else

.github/workflows/release.yml

@@ -15,11 +15,12 @@ on:
 env:
   DOCKER_BUILDKIT: 1
   SERVICESTACK_LICENSE: ${{ secrets.SERVICESTACK_LICENSE }}
+  APPSETTINGS_JSON: ${{ secrets.APPSETTINGS_JSON }}
   KAMAL_DEPLOY_IP: ${{ secrets.KAMAL_DEPLOY_IP }}
   KAMAL_DEPLOY_HOST: ${{ secrets.KAMAL_DEPLOY_HOST }}
-  POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
   KAMAL_REGISTRY_USERNAME: ${{ github.actor }}
   KAMAL_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+  POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
 
 jobs:
   release:
@@ -29,12 +30,18 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v5
 
+      - name: Encode APPSETTINGS_JSON for runtime
+        if: env.APPSETTINGS_JSON != null
+        run: |
+          # Base64 encode to avoid shell/YAML quoting issues; keep as a single env var.
+          b64=$(printf '%s' "$APPSETTINGS_JSON" | base64 -w0)
+          echo "APPSETTINGS_JSON_BASE64=$b64" >> $GITHUB_ENV
+
       - name: Set up environment variables
         run: |
-          echo "image_repository_name=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
-          echo "repository_name=$(echo ${{ github.repository }} | cut -d '/' -f 2)" >> $GITHUB_ENV
-          echo "repository_name_lower=$(echo ${{ github.repository }} | cut -d '/' -f 2 | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
-          echo "org_name=$(echo ${{ github.repository }} | cut -d '/' -f 1)" >> $GITHUB_ENV
+          echo "IMAGE=ghcr.io/$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+          repo_name="$(echo ${{ github.repository }} | cut -d '/' -f 2)"
+          echo "SERVICE=$(echo $repo_name | tr '[:upper:]' '[:lower:]' | tr '.' '-')" >> $GITHUB_ENV
           if find . -maxdepth 2 -type f -name "Configure.Db.Migrations.cs" | grep -q .; then
             echo "HAS_MIGRATIONS=true" >> $GITHUB_ENV
           else
@@ -74,25 +81,22 @@ jobs:
       - name: Ensure directories exist with correct permissions
         run: |
           echo "Creating directories with correct permissions"
-          kamal server exec "mkdir -p /opt/docker/${{ env.repository_name }}/App_Data /opt/docker/${{ env.repository_name }}/initdb.d /opt/docker/${{ env.repository_name }}/postgres"
+          kamal server exec "mkdir -p /opt/docker/${{ env.SERVICE }}/App_Data /opt/docker/${{ env.SERVICE }}/initdb.d"
 
           echo "Setting app file permissions"
-          kamal server exec "chown -R 1654:1654 /opt/docker/${{ env.repository_name }}/App_Data /opt/docker/${{ env.repository_name }}/initdb.d"
-
-          echo "Setting postgres file permissions"
-          kamal server exec "chown -R 999:999 /opt/docker/${{ env.repository_name }}/postgres"
+          kamal server exec "chown -R 1654:1654 /opt/docker/${{ env.SERVICE }}/App_Data /opt/docker/${{ env.SERVICE }}/initdb.d"
 
       - name: Check if first run and execute kamal app boot if necessary
         run: |
-          FIRST_RUN_FILE="~/first-run/${{ env.repository_name }}"
+          FIRST_RUN_FILE="~/first-run/${{ env.SERVICE }}"
           if ! kamal server exec -q "test -f $FIRST_RUN_FILE"; then
             kamal server exec -q "mkdir -p ~/first-run && touch $FIRST_RUN_FILE" || true
 
             if [ -n "${{env.INIT_DB_SQL}}" ]; then
               echo "Initializing DB with INIT_DB_SQL secret..."
               # Save the SQL content to a temporary file
               echo "${{ env.INIT_DB_SQL }}" > init-db.sql
-              cat init-db.sql | kamal server exec -i "cat > /opt/docker/${{ env.repository_name }}/initdb.d/${{ env.repository_name }}.sql" && rm init-db.sql || true
+              cat init-db.sql | kamal server exec -i "cat > /opt/docker/${{ env.SERVICE }}/initdb.d/${{ env.SERVICE }}.sql" && rm init-db.sql || true
             fi
             # Start all kamal accessories
             kamal accessory boot all || true
@@ -105,13 +109,13 @@ jobs:
 
       - name: Verify file permissions before deploy
         run: |
-          kamal server exec --no-interactive "chown -R 1654:1654 /opt/docker/${{ env.repository_name }}/App_Data /opt/docker/${{ env.repository_name }}/initdb.d && chown -R 999:999 /opt/docker/${{ env.repository_name }}/postgres"
+          kamal server exec --no-interactive "chown -R 1654:1654 /opt/docker/${{ env.SERVICE }}/App_Data /opt/docker/${{ env.SERVICE }}/initdb.d"
 
       - name: Deploy with Kamal
         run: |
           kamal lock release -v
           kamal server exec --no-interactive 'echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin'
-          kamal server exec --no-interactive 'docker pull ghcr.io/${{ env.image_repository_name }}:latest'
+          kamal server exec --no-interactive 'docker pull ${{ env.IMAGE }}:latest'
           kamal deploy -P --version latest
 
       - name: Migration

.kamal/secrets

@@ -6,6 +6,7 @@
 KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
 KAMAL_REGISTRY_USERNAME=$KAMAL_REGISTRY_USERNAME
 SERVICESTACK_LICENSE=$SERVICESTACK_LICENSE
+APPSETTINGS_JSON_BASE64=$APPSETTINGS_JSON_BASE64
 POSTGRES_PASSWORD=$POSTGRES_PASSWORD
 
 # Option 2: Read secrets via a command

Dockerfile

@@ -3,7 +3,7 @@
 # Build arguments
 ARG KAMAL_DEPLOY_HOST
 ARG SERVICESTACK_LICENSE
-ARG SERVICE_LABEL
+ARG SERVICE
 
 # 1. Build .NET app + Node.js apps
 FROM mcr.microsoft.com/dotnet/sdk:10.0 AS dotnet-build
@@ -22,7 +22,6 @@ RUN apt-get update \
 
 # Copy solution and projects
 COPY TechStacks.slnx ./
-COPY NuGet.Config ./
 COPY TechStacks ./TechStacks
 COPY TechStacks.ServiceInterface ./TechStacks.ServiceInterface
 COPY TechStacks.ServiceModel ./TechStacks.ServiceModel
@@ -31,17 +30,17 @@ COPY TechStacks.ServiceModel ./TechStacks.ServiceModel
 WORKDIR /src/TechStacks
 
 # Download tailwindcss binary directly (avoiding sudo requirement in postinstall.js)
-RUN curl -sLO https://github.com/tailwindlabs/tailwindcss/releases/latest/download/tailwindcss-linux-x64 \
-    && chmod +x tailwindcss-linux-x64 \
-    && mv tailwindcss-linux-x64 /usr/local/bin/tailwindcss
+RUN curl -sL https://github.com/tailwindlabs/tailwindcss/releases/latest/download/tailwindcss-linux-x64 \
+    -o /usr/local/bin/tailwindcss \
+    && chmod +x /usr/local/bin/tailwindcss
 RUN npm run ui:build
 
 # Build Next.js app
 WORKDIR /src/TechStacks.Client
-COPY TechStacks.Client/package*.json ./
+COPY TechStacks.Client/package*.json TechStacks.Client/postinstall.mjs ./
 RUN npm ci
 COPY TechStacks.Client/ ./
-RUN npm run build:prod
+RUN npm run build
 
 # Restore and publish .NET app
 WORKDIR /src
@@ -52,13 +51,13 @@ RUN dotnet publish TechStacks/TechStacks.csproj -c Release --no-restore -p:Publi
 # 2. Runtime image with .NET + Node
 FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS final
 ARG SERVICESTACK_LICENSE
-ARG SERVICE_LABEL
+ARG SERVICE
 ARG KAMAL_DEPLOY_HOST
 
 WORKDIR /app
 
 # Label required by Kamal, must match config/deploy.yml service
-LABEL service="${SERVICE_LABEL}"
+LABEL service="${SERVICE}"
 
 # Install Node.js >= 20.9 (Node 24.x LTS) and bash for the entrypoint script
 RUN apt-get update \
@@ -68,11 +67,19 @@ RUN apt-get update \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-# Copy published .NET app
-COPY --from=dotnet-build /src/TechStacks/bin/Release/net10.0/publish ./api
+# Create unprivileged user for Next.js
+RUN groupadd -r nextjs && useradd -r -g nextjs -s /bin/bash nextjs
 
-# Copy built Next.js app (including dist, node_modules, public, etc.)
-COPY --from=dotnet-build /src/TechStacks.Client ./client
+# Copy published .NET app (owned by root, no access for nextjs user)
+COPY --from=dotnet-build /src/TechStacks/bin/Release/net10.0/publish ./dotnet
+RUN chmod -R 700 ./dotnet && chown -R root:root ./dotnet
+
+# Copy built Next.js app (owned by nextjs user, read-only)
+COPY --from=dotnet-build /src/TechStacks.Client ./nextjs
+RUN chown -R nextjs:nextjs ./nextjs && chmod -R 500 ./nextjs
+
+# Create /tmp directory accessible to nextjs user
+RUN mkdir -p /tmp && chmod 1777 /tmp
 
 ENV ASPNETCORE_URLS=http://0.0.0.0:8080 \
     INTERNAL_API_URL=http://127.0.0.1:8080 \

NEXTJS_MIGRATION_PLAN.md

@@ -2095,7 +2095,6 @@ const nextConfig: NextConfig = {
   "scripts": {
     "dev": "next dev",
     "build": "next build",
-    "build:prod": "next build && cp -r out/* ../TechStacks/wwwroot/",
     "start": "next start",
     "lint": "next lint",
     "type-check": "tsc --noEmit"
@@ -2109,7 +2108,7 @@ const nextConfig: NextConfig = {
 {
   "scripts": {
     "ui:dev": "cd nextjs-app && npm run dev",
-    "ui:build": "cd nextjs-app && npm run build:prod",
+    "ui:build": "cd nextjs-app && npm run build",
     "dtos": "cd TechStacks/src/shared && x ts && cp dtos.ts ../../nextjs-app/src/shared/dtos.ts",
     "publish": "npm run ui:build && cd TechStacks && dotnet publish -c Release",
     "deploy": "npm run publish && bash deploy.sh"

NuGet.Config

@@ -100,7 +100,6 @@ npm run dev          # Start development server
 
 # Build
 npm run build        # Build for production
-npm run build:prod   # Build and output to C# wwwroot
 
 # Type checking
 npm run type-check   # Run TypeScript compiler check
@@ -147,7 +146,7 @@ The production build uses Next.js static export to generate a fully static websi
 
 ```bash
 # Build for production (static export to ./dist)
-NODE_ENV=production npm run build:prod
+NODE_ENV=production npm run build
 
 # Build and copy to C# wwwroot (for deployment)
 npm run build

TechStacks.Client/README.md

@@ -10,7 +10,6 @@
     "generate-data": "node scripts/generate-static-data.mjs",
     "build": "next build",
     "copy-www": "rm -rf ../TechStacks/wwwroot/ && cp -rf dist ../TechStacks/wwwroot && cp dist/_next/static/chunks/*.css ../TechStacks/wwwroot/css/app.css",
-    "build:prod": "next build",
     "start": "next start",
     "lint": "next lint",
     "type-check": "tsc --noEmit"

TechStacks.Client/package.json

@@ -6,6 +6,7 @@
         "ui:dev": "tailwindcss -i ./tailwind.input.css -o ./wwwroot/css/app.css --watch",
         "ui:build": "tailwindcss -i ./tailwind.input.css -o ./wwwroot/css/app.css --minify",
         "build": "npm run ui:build",
+        "secret:prod": "gh secret set APPSETTINGS_JSON < appsettings.Production.json",
         "migrate": "dotnet run --AppTasks=migrate",
         "revert:last": "dotnet run --AppTasks=migrate.revert:last",
         "revert:all": "dotnet run --AppTasks=migrate.revert:all",