- .gitea/workflows/deploy.yml: stop interpolating ANSIBLE_VAULT_PASSWORD
directly into the remote script (the runner masks the secret with ***
which broke the <(echo '...') process substitution at runtime)
- inject the password as VAULT_PASS through appleboy/ssh-action's
envs: forwarding so it never appears in the rendered script
- on the remote, write it to a mktemp file with chmod 600 and remove
the file via trap on EXIT, then point ansible-playbook
--vault-password-file at that temp file
- use printf '%s' instead of echo to avoid adding a stray newline to
the vault password
- add set -e so the script fails fast if any step errors
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
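The remote-side handling described in the commit message above, as an added example that is not taken from the repository's deploy.yml. It assumes the password arrives in the VAULT_PASS environment variable as the message states; the function names are hypothetical, and `inspect_vault_file` is a stand-in for `ansible-playbook` so the block runs without Ansible.

```shell
# Added example: consume a vault password delivered as an environment
# variable (VAULT_PASS) without ever placing it in the script text.

# run_with_vault_file CMD [ARGS...]   (hypothetical helper)
# Writes $VAULT_PASS to a private temp file, runs CMD with that file's path
# appended as the last argument, and removes the file on exit.
# The body is a subshell, so the EXIT trap fires as soon as CMD finishes
# or any step fails under set -e.
run_with_vault_file() (
  set -e
  : "${VAULT_PASS:?VAULT_PASS is not set}"   # abort early if not forwarded
  vault_file=$(mktemp)
  trap 'rm -f "$vault_file"' EXIT            # cleanup on success and failure
  chmod 600 "$vault_file"
  # printf '%s' writes the value byte for byte; echo would append a newline
  # and may interpret backslashes or a leading dash.
  printf '%s' "$VAULT_PASS" > "$vault_file"
  "$@" "$vault_file"
)

# Hypothetical stand-in for ansible-playbook: prints the permission string,
# byte count and path of the file it was handed.
inspect_vault_file() {
  printf '%s %s %s\n' \
    "$(ls -l "$1" | cut -c1-10)" \
    "$(wc -c < "$1" | tr -d ' ')" \
    "$1"
}

# Real use on the deploy host would look like this (playbook path is a
# placeholder):
#   run_with_vault_file ansible-playbook <playbook.yml> --vault-password-file
```

Because the secret is read from the environment at run time, the runner's `***` masking of the rendered script no longer touches it.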
- .gitea/workflows/deploy.yml: replace manual ssh key setup + raw ssh
command with the appleboy/ssh-action@v1.0.0 action
- host, user, key and deploy path are now read from Gitea secrets
(SSH_HOST, SSH_USER, SSH_PRIVATE_KEY, DEPLOY_PATH) instead of being
hard-coded in the workflow
- ansible-playbook command and vault password file (process substitution
fed by ANSIBLE_VAULT_PASSWORD) are kept identical, only the transport
changes
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- .env, .env.test, ansible/env.local.j2: point SONARQUBE_URL to https://sn.e-cosplay.fr
- ansible/vault.yml, .env: rotate sonarqube_badge_token to new value
- .gitea/workflows/ci.yml, sonarqube.yml: remove OWASP Dependency-Check steps and force sonar.host.url via CLI args
- sonar-project.properties: drop dependencyCheck report paths
- .gitea/workflows/deploy.yml: switch SSH target from 34.90.187.4 to 152.228.222.133
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add responsive breakpoints (sm/md) to event_detail.html.twig: adaptive titles, stacked ticket layout on mobile, reduced padding/spacing
- Add responsive breakpoints to order templates (guest, summary, public, payment, success): adaptive typography, padding, and layouts
- Fix BreadcrumbList JSON-LD: escape names with json_encode, remove item URL from last breadcrumb
- Update deploy.yml cron schedule from 3h/13h/19h/23h to 1h/22h
- Add <title> tags to rgpd_deletion.html.twig and rgpd_access.html.twig
- Add scope attributes to all <th> tags in rgpd_access.html.twig
- Replace deprecated width/cellpadding/cellspacing HTML attributes with CSS in scan_force_notification email
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fuse deploy-caddy.yml and cloudflare.yml into deploy.yml
- Add env.local.j2 template for production secrets
- Vault: add all production secrets
- Workflow: single deploy.yml playbook
- MailerService: rewrite with S/MIME signing, email tracking, unsubscribe
- ngrok-sync: run as root for .env.local write access
- Fix domain references to ticket.e-cosplay.fr
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Makefile: add install_dev, install_prod, migrations, clear_prod, maintenance commands
- Playbook: full deploy flow (maintenance, stop, install, start, migrate, clear, caddy, messenger)
- Supervisor config for 2 messenger instances
- Workflow: SSH key setup with server IP
- hosts.ini: use IP instead of domain, sudo without password
- README: full documentation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>