@gocanto gocanto commented Jul 5, 2025

Summary by CodeRabbit

  • Chores
    • Standardized environment variable and secret names for database credentials across configuration files.
    • Updated Docker Compose service definitions to use new secret names and added explicit image tags for certain services.
    • Introduced new example environment configuration files for production and GitHub environments.
    • Refined deployment workflow to build production images via CI and renamed workflow steps for clarity.
    • Added new Makefile targets to support CI builds and streamlined environment variable usage in build commands.
    • Updated local environment example with new Docker user and group variables.

coderabbitai bot commented Jul 5, 2025

Walkthrough

This update standardizes environment variable and secret naming conventions for database credentials across configuration files, including Docker Compose and build scripts. It introduces new example environment files for production and GitHub environments, renames secret references and environment variables, adds explicit image tags to certain services in Docker Compose, and modifies the CI workflow to build release images using new Makefile targets. Additionally, the local environment example file was extended with Docker user and group variables.

Changes

| File(s) | Change Summary |
|---|---|
| .env.prod.example, .env.gh.example | Added new example environment files defining Caddy logs directory, database secret paths, Docker user/group, and HTTP port variables. |
| .env.example | Added Docker local environment variables ENV_DOCKER_USER and ENV_DOCKER_USER_GROUP. |
| config/makefile/build.mk | Added build:ci and build:deploy targets; renamed database secret environment variables to standardized DB_SECRET_* names; deprecated build:prod. |
| docker-compose.yml | Renamed PostgreSQL secrets and related environment variables; updated all service references accordingly; added explicit image tags for caddy_prod and api; minor formatting adjustments. |
| database/infra/scripts/healthcheck.sh | Updated secret file paths for database user and name to use new standardized secret names. |
| .github/workflows/deploy.yml | Renamed workflow step to run make build:ci instead of build:prod; updated step names for clarity without changing actions. |

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant EnvProd as .env.prod.example
    participant EnvGH as .env.gh.example
    participant EnvLocal as .env.example
    participant Make as build.mk
    participant Compose as docker-compose.yml
    participant HealthCheck as healthcheck.sh
    participant CI as GitHub Actions Deploy Workflow
    participant API as API Service
    participant DB as Database

    Dev->>EnvProd: Reference production env template variables
    Dev->>EnvGH: Reference GitHub env template variables
    Dev->>EnvLocal: Reference local Docker user/group env variables
    Dev->>Make: Run build:ci (uses standardized DB_SECRET_* vars)
    Make->>Compose: Pass standardized secret env vars to Docker Compose
    Compose->>API: Injects DB_SECRET_* variables
    API->>DB: Uses secrets for DB connection
    HealthCheck->>DB: Reads secrets from updated secret file paths
    CI->>Make: Trigger build:ci after updated workflow steps

Possibly related PRs

  • [feature] Caddy: Track logs + Timeouts #46: Adds CADDY_LOGS_PATH to .env.example and mounts it in Docker Compose for Caddy logs; related to environment variables for Caddy logs but uses different variable names and scope.

Poem

🐇 In configs deep, a fresh new tune,
Secrets renamed beneath the moon.
.env.prod shows the way,
Docker users join the play.
Compose files tagged with care,
Builds and workflows now aware! 🌿✨


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e2567d7 and 91a9c93.

📒 Files selected for processing (2)
  • .env.gh.example (1 hunks)
  • database/infra/scripts/healthcheck.sh (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • .env.gh.example
🚧 Files skipped from review as they are similar to previous changes (1)
  • database/infra/scripts/healthcheck.sh
@gocanto gocanto changed the title from "add example file" to "[hotfix] Standardise db creds" Jul 5, 2025
@gocanto gocanto marked this pull request as ready for review July 5, 2025 08:33
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
database/infra/scripts/healthcheck.sh (1)

7-8: Trim trailing newline from secrets to avoid subtle failures

cat preserves the trailing newline usually present in Docker secrets. pg_isready treats \n literally, so authentication may fail with “role "\n" does not exist”.

-DB_USER=$(cat /run/secrets/pg_username)
-DB_NAME=$(cat /run/secrets/pg_dbname)
+read -r DB_USER < /run/secrets/pg_username
+read -r DB_NAME < /run/secrets/pg_dbname
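
Review bot: the two added `read -r … < /run/secrets/…` lines return a non-zero status when the secret file does not end in a newline, even though the variable is still filled, so a healthcheck running under `set -e` would abort on such a file; appending `|| [ -n "$DB_USER" ]` (and the same for `DB_NAME`) tolerates that. Note also that the removed `$(cat …)` form already drops trailing newlines, because command substitution strips them, and that `read` without `IFS=` trims leading and trailing blanks from the value.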

read -r cleanly strips the newline without spawning an extra subshell, keeping the script POSIX-sh portable and a bit faster.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0d6f784 and 3415de0.

📒 Files selected for processing (2)
  • database/infra/scripts/healthcheck.sh (1 hunks)
  • docker-compose.yml (7 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • docker-compose.yml
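
An added example (not part of the review comment or the project's healthcheck.sh) for the secret-reading nitpick above: a POSIX sh helper that reads a one-line secret file and returns the same value whether the file ends in a newline, has none, or was saved with CRLF endings. The helper name `read_secret` and the sample files are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: reading a one-line secret file in POSIX sh.
# Files are constructed in a temp dir; they are not the project's secrets.

# read_secret FILE: print the first line of FILE without trailing LF or CR.
# Returns 1 if the file is missing, unreadable or yields an empty value.
read_secret() {
    [ -r "$1" ] || return 1
    # read reports failure when the line has no terminating newline but
    # still fills the variable, so judge by the value, not the status.
    IFS= read -r _secret < "$1" || [ -n "$_secret" ] || return 1
    # Remove one trailing carriage return (file saved with CRLF endings).
    _cr=$(printf '\r')
    _secret=${_secret%"$_cr"}
    [ -n "$_secret" ] || return 1
    printf '%s' "$_secret"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'app_user\n'   > "$demo_dir/with_newline"   # constructed sample values
printf 'app_user'     > "$demo_dir/no_newline"
printf 'app_user\r\n' > "$demo_dir/crlf"
: > "$demo_dir/empty"

for f in with_newline no_newline crlf empty; do
    if value=$(read_secret "$demo_dir/$f"); then
        printf '%-13s -> [%s]\n' "$f" "$value"
    else
        printf '%-13s -> rejected\n' "$f"
    fi
done
```

Rejecting an empty value makes a missing or blank secret fail the check at the read, rather than later as a confusing authentication error.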

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/deploy.yml (2)

53-59: Harden the directory-listing debug step
ls -la ./storage/logs will fail the job if that directory isn’t present in a fresh checkout (very common in CI). Either make the command tolerant to absence or wrap it with a conditional.

-          ls -la ./storage/logs
+          [ -d ./storage/logs ] && ls -la ./storage/logs || echo "storage/logs does not exist"
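
Review bot: in the added line, `A && B || C` is not an if/else: when `./storage/logs` exists but `ls -la` itself fails, the `echo` still runs, so the step prints "storage/logs does not exist" and exits 0. An explicit `if [ -d ./storage/logs ]; then ls -la ./storage/logs; else echo "storage/logs does not exist"; fi` keeps the message accurate and lets a real `ls` failure surface.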

60-62: Ensure Docker Compose plugin is available
docker compose --profile prod config relies on the Compose CLI plugin being pre-installed on the runner. While GitHub’s default runners currently bundle it, that guarantee isn’t explicit.
Consider adding an explicit installation (e.g., docker/setup-buildx-action with install: true or a separate docker/setup-qemu-action) or at least a docker compose version sanity check so the failure mode is clearer.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3415de0 and 89ea4c5.

📒 Files selected for processing (2)
  • .env.example (1 hunks)
  • .github/workflows/deploy.yml (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • .env.example

gocanto commented Jul 6, 2025

@coderabbitai review

coderabbitai bot commented Jul 6, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@gocanto gocanto merged commit 5c3204e into main Jul 6, 2025
4 checks passed
@gocanto gocanto deleted the hotfix/env-prod branch July 6, 2025 07:27