scp overwrites in place, which fails with ETXTBSY ("text file busy") on
repeat deploys because systemd is executing /usr/local/bin/share-svc.
Copy to a temp path, chmod, then mv it over the destination so rename(2)
swaps the dir entry without touching the busy inode.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Storing the raw PEM as a secret mangled it (CRLF/whitespace/newline),
causing ssh to fail with "error in libcrypto" at the copy step. Store the
key base64-encoded and decode it in the workflow so the PEM round-trips
intact.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Build the frontend and the Go share-service, rsync/scp both to the Caddy
host, and restart share-svc + reload caddy. Triggers on push to master
(and manual dispatch). Requires a DEPLOY_SSH_KEY secret; host/user/paths
default to the Justfile values and are overridable via repo variables.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>