thasup · thasup · Jun 10, 2026 · Jun 11, 2026 · Jun 11, 2026 · Jun 11, 2026
diff --git a/.env.example b/.env.example
@@ -1,14 +1,34 @@
-# JWT secret key
-JWT_KEY=
-
-# Mongo DB connection link
-MONGO_URI_USER=
-MONGO_URI_PRODUCT=
-MONGO_URI_ORDER=
-MONGO_URI_PAYMENT=
-
-# Stripe API key
-STRIPE_KEY=
-
-# Paypal API key
-PAYPAL_CLIENT_ID=
+# ─── Backend service secrets (k8s secrets / terraform.tfvars) ───────────────
+
+# Secret used to sign JWT session tokens — any long random string
+JWT_KEY=
+
+# MongoDB connection strings, one database per service.
+# Local dev (in-cluster):  mongodb://user-mongo-srv:27017/users-db etc.
+# Production:              MongoDB Atlas M0 (free) mongodb+srv://... URIs
+MONGO_URI_USER=
+MONGO_URI_PRODUCT=
+MONGO_URI_ORDER=
+MONGO_URI_PAYMENT=
+
+# Stripe SECRET key (sk_test_... / sk_live_...) — payment service
+STRIPE_KEY=
+
+# PayPal client ID — payment service
+PAYPAL_CLIENT_ID=
+
+# ─── Storefront (client) public configuration ───────────────────────────────
+
+# Stripe PUBLISHABLE key (pk_test_... / pk_live_...) shown to the browser
+NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
+
+# PayPal client ID exposed to the browser (usually same as PAYPAL_CLIENT_ID)
+NEXT_PUBLIC_PAYPAL_CLIENT_ID=
+
+# Google Analytics 4 measurement ID (optional)
+NEXT_PUBLIC_GA_ID=
+
+# ─── Seed script (scripts/seed.mjs) ──────────────────────────────────────────
+
+# Password for the seeded admin@aurapan.com account
+SEED_ADMIN_PASSWORD=
diff --git a/.github/workflows/deploy-client.yaml b/.github/workflows/deploy-client.yaml
@@ -1,44 +1,56 @@
-name: deploy-client
-
-on:
-  push:
-    # watch for pull request into main branch
-    branches:
-      - main
-
-    # watch for changes in client folder
-    paths:
-      - "client/**"
-      - "trigger-deploy.txt"
-
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      # build an image
-      - run: cd client && docker build -t thasup/client .
-
-      # login on docker hub
-      - run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-
-      # push an image to docker hub
-      - run: docker push thasup/client
-
-      # use and cliententicate doctl
-      - uses: digitalocean/action-doctl@v2
-        with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN}}
-
-      # give credential to k8s cluster
-      - run: doctl kubernetes cluster kubeconfig save aurapan-cluster
-
-      # restart deployment
-      - run: kubectl rollout restart deployment client-depl
+name: deploy-client
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "client/**"
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${ secrets.DOCKER_USERNAME }
+          password: ${ secrets.DOCKER_PASSWORD }
+
+      # Multi-arch so the image runs on both x86 and the Graviton (arm64)
+      # EC2 node provisioned by infra/terraform.
+      - uses: docker/build-push-action@v6
+        with:
+          context: client
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: thasup/client:latest
+          build-args: |
+            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=${{ secrets.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY }}
+            NEXT_PUBLIC_PAYPAL_CLIENT_ID=${{ secrets.NEXT_PUBLIC_PAYPAL_CLIENT_ID }}
+            NEXT_PUBLIC_GA_ID=${{ secrets.NEXT_PUBLIC_GA_ID }}
+
+  # Restarts the deployment on the AWS k3s node via SSM. Runs only when the
+  # repository variables AWS_REGION and AURAPAN_INSTANCE_ID are configured
+  # (plus AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets).
+  rollout:
+    needs: build
+    if: vars.AWS_REGION != '' && vars.AURAPAN_INSTANCE_ID != ''
+    runs-on: ubuntu-latest
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${ secrets.AWS_ACCESS_KEY_ID }
+          aws-secret-access-key: ${ secrets.AWS_SECRET_ACCESS_KEY }
+          aws-region: ${ vars.AWS_REGION }
+      - run: |
+          aws ssm send-command \
+            --instance-ids "${ vars.AURAPAN_INSTANCE_ID }" \
+            --document-name "AWS-RunShellScript" \
+            --comment "rollout client" \
+            --parameters 'commands=["kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml rollout restart deployment client-depl"]'
diff --git a/.github/workflows/deploy-expiration.yaml b/.github/workflows/deploy-expiration.yaml
@@ -1,44 +1,52 @@
-name: deploy-expiration
-
-on:
-  push:
-    # watch for pull request into main branch
-    branches:
-      - main
-
-    # watch for changes in expiration folder
-    paths:
-      - "expiration/**"
-      - "trigger-deploy.txt"
-
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      # build an image
-      - run: cd expiration && docker build -t thasup/expiration .
-
-      # login on docker hub
-      - run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-
-      # push an image to docker hub
-      - run: docker push thasup/expiration
-
-      # use and cliententicate doctl
-      - uses: digitalocean/action-doctl@v2
-        with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
-
-      # give credential to k8s cluster
-      - run: doctl kubernetes cluster kubeconfig save aurapan-cluster
-
-      # restart deployment
-      - run: kubectl rollout restart deployment expiration-depl
+name: deploy-expiration
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "expiration/**"
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${ secrets.DOCKER_USERNAME }
+          password: ${ secrets.DOCKER_PASSWORD }
+
+      # Multi-arch so the image runs on both x86 and the Graviton (arm64)
+      # EC2 node provisioned by infra/terraform.
+      - uses: docker/build-push-action@v6
+        with:
+          context: expiration
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: thasup/expiration:latest
+
+  # Restarts the deployment on the AWS k3s node via SSM. Runs only when the
+  # repository variables AWS_REGION and AURAPAN_INSTANCE_ID are configured
+  # (plus AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets).
+  rollout:
+    needs: build
+    if: vars.AWS_REGION != '' && vars.AURAPAN_INSTANCE_ID != ''
+    runs-on: ubuntu-latest
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${ secrets.AWS_ACCESS_KEY_ID }
+          aws-secret-access-key: ${ secrets.AWS_SECRET_ACCESS_KEY }
+          aws-region: ${ vars.AWS_REGION }
+      - run: |
+          aws ssm send-command \
+            --instance-ids "${ vars.AURAPAN_INSTANCE_ID }" \
+            --document-name "AWS-RunShellScript" \
+            --comment "rollout expiration" \
+            --parameters 'commands=["kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml rollout restart deployment expiration-depl"]'
diff --git a/.github/workflows/deploy-manifests.yaml b/.github/workflows/deploy-manifests.yaml
@@ -1,32 +1,30 @@
-name: deploy-manifests
-
-on:
-  push:
-    # watch for pull request into main branch
-    branches:
-      - main
-
-    # watch for changes in infra folder
-    paths:
-      - "infra/**"
-      - "trigger-manifest.txt"
-
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      # use and cliententicate doctl
-      - uses: digitalocean/action-doctl@v2
-        with:
-          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
-
-      # use and cliententicate doctl
-      - run: doctl kubernetes cluster kubeconfig save aurapan-cluster
-
-      # apply deployment yaml files (k8s-prod is for production!)
-      - run: kubectl apply -f infra/k8s && kubectl apply -f infra/k8s-prod
+name: deploy-manifests
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "infra/k8s/**"
+      - "infra/k8s-aws/**"
+      - "infra/k8s-local-db/**"
+  workflow_dispatch:
+
+jobs:
+  # Re-applies the manifests on the AWS k3s node via SSM. Runs only when the
+  # repository variables AWS_REGION and AURAPAN_INSTANCE_ID are configured.
+  apply:
+    if: vars.AWS_REGION != '' && vars.AURAPAN_INSTANCE_ID != ''
+    runs-on: ubuntu-latest
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - run: |
+          aws ssm send-command \
+            --instance-ids "${{ vars.AURAPAN_INSTANCE_ID }}" \
+            --document-name "AWS-RunShellScript" \
+            --comment "apply k8s manifests" \
+            --parameters 'commands=["cd /opt/aurapan && git pull && KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl apply -f infra/k8s -f infra/k8s-local-db"]'