From f03938c2f2b214bf22a681aae85762ec77508075 Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Mon, 27 Oct 2025 08:59:27 -0400
Subject: [PATCH] Cleaning up the CICD steps.
Signed-off-by: Cliff Hill
---
 .gitea/workflows/cicd.yml | 36 +++++++-----------------------------
 Dockerfile.cicd | 24 ++++++++++++++++++++++--
 2 files changed, 29 insertions(+), 31 deletions(-)
diff --git a/.gitea/workflows/cicd.yml b/.gitea/workflows/cicd.yml
index 98d7f09..7ffe0ac 100644
--- a/.gitea/workflows/cicd.yml
+++ b/.gitea/workflows/cicd.yml
@@ -12,42 +12,20 @@ jobs:
 runs-on: ubuntu-act
 steps:
- - name: Checkout code
- env:
- SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
- GITHUB_WORKSPACE: ${{ github.workspace }}
- GITHUB_SHA: ${{ github.sha }}
- run: |
- echo "=== Repository Checkout ==="
- cd "${GITHUB_WORKSPACE}"
- rm -rf ./* .git 2>/dev/null || true
-
- # Set up SSH key
- if [ -n "${SSH_PRIVATE_KEY}" ]; then
- mkdir -p ~/.ssh
- echo "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- ssh-keyscan -p 2222 dogar.darkhelm.org >> ~/.ssh/known_hosts 2>/dev/null
- fi
-
- # Clone repository
- GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no" \
- git clone --depth 1 --branch main \
- ssh://git@dogar.darkhelm.org:2222/DarkHelm.org/plex-playlist.git .
-
- if [ -n "${GITHUB_SHA}" ]; then
- git checkout "${GITHUB_SHA}" 2>/dev/null || echo "Using main branch HEAD"
- fi
- echo "✓ Repository checkout completed"
-
 - name: Build and push CICD image
 env:
 GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+ SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+ GITHUB_SHA: ${{ github.sha }}
 run: |
 echo "=== Building CICD Image ==="
 # Build CICD image with all tools, code, and dependencies
- docker build -f Dockerfile.cicd -t cicd:latest .
+ # Pass SSH key as build arg so Dockerfile can checkout repo
+ docker build -f Dockerfile.cicd \
+ --build-arg SSH_PRIVATE_KEY="$SSH_PRIVATE_KEY" \
+ --build-arg GITHUB_SHA="$GITHUB_SHA" \
+ -t cicd:latest .
 # Tag for Gitea container registry
 docker tag cicd:latest dogar.darkhelm.org/darkhelm.org/plex-playlist/cicd:latest
diff --git a/Dockerfile.cicd b/Dockerfile.cicd
index e96e7e9..cdedd38 100644
--- a/Dockerfile.cicd
+++ b/Dockerfile.cicd
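Review bot: Passing the deploy key with `--build-arg SSH_PRIVATE_KEY="$SSH_PRIVATE_KEY"` in the `.gitea/workflows/cicd.yml` hunk records it in the image's build metadata, where `docker history` shows it to anyone who can pull the `cicd:latest` image this step tags for the registry; the matching `ARG SSH_PRIVATE_KEY` in the Dockerfile.cicd hunk is the other half of the same problem. Build arguments are not a secret channel, so I would hand the key over as a BuildKit secret instead: `--secret id=ssh_key,env=SSH_PRIVATE_KEY` here, consumed by `RUN --mount=type=secret,id=ssh_key` in the Dockerfile (this needs BuildKit on the runner). If this workflow has already pushed an image, the key should be treated as exposed and rotated. `GITHUB_SHA` is not sensitive and is fine as a build arg.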
@@ -32,11 +32,31 @@ RUN corepack enable \
 # Install uv package manager globally
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
+# Accept build arguments for Git checkout
+ARG SSH_PRIVATE_KEY
+ARG GITHUB_SHA
+
 # Set working directory
 WORKDIR /workspace
-# Copy the entire project
-COPY . .
+# Set up SSH and clone repository
+RUN if [ -n "$SSH_PRIVATE_KEY" ]; then \
+ mkdir -p ~/.ssh && \
+ echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa && \
+ chmod 600 ~/.ssh/id_rsa && \
+ ssh-keyscan -p 2222 dogar.darkhelm.org >> ~/.ssh/known_hosts 2>/dev/null; \
+ fi
+
+# Clone repository
+RUN GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no" \
+ git clone --depth 1 --branch main \
+ ssh://git@dogar.darkhelm.org:2222/DarkHelm.org/plex-playlist.git . && \
+ if [ -n "$GITHUB_SHA" ]; then \
+ git checkout "$GITHUB_SHA" 2>/dev/null || echo "Using main branch HEAD"; \
+ fi
+
+# Clean up SSH key for security
+RUN rm -rf ~/.ssh
 # Set up Python environment for backend
 WORKDIR /workspace/backend
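Review bot: The key written to `~/.ssh/id_rsa` by the first added `RUN` stays in that image layer, because `RUN rm -rf ~/.ssh` is a separate, later layer that only hides the file from the final filesystem; anyone who can pull the image can read the key back out of the earlier layer. Mounting the key as a BuildKit secret and cloning in the same `RUN` keeps it out of every layer, as sketched below (the mounted key presumably still needs its trailing newline for OpenSSH to parse it). Two further points in the clone step: `-o StrictHostKeyChecking=no` discards the host check that the `ssh-keyscan` line sets up, and a pinned host key in `known_hosts` would be stronger than scanning at build time. Also, `git checkout "$GITHUB_SHA" 2>/dev/null || echo "Using main branch HEAD"` silently builds whatever is on `main` when the commit is absent from the depth-1 clone, so the image may not match the commit that triggered the run; failing the build there is safer.

```dockerfile
# … unchanged: ARG GITHUB_SHA, WORKDIR /workspace …
# ARG SSH_PRIVATE_KEY is dropped. The key exists only for the duration of
# this RUN (default mount path /run/secrets/ssh_key) and is never written
# to a layer.
RUN --mount=type=secret,id=ssh_key \
    mkdir -p ~/.ssh && \
    ssh-keyscan -p 2222 dogar.darkhelm.org >> ~/.ssh/known_hosts 2>/dev/null && \
    GIT_SSH_COMMAND="ssh -i /run/secrets/ssh_key -o IdentitiesOnly=yes" \
    git clone --depth 1 --branch main \
        ssh://git@dogar.darkhelm.org:2222/DarkHelm.org/plex-playlist.git . && \
    if [ -n "$GITHUB_SHA" ]; then \
        git checkout "$GITHUB_SHA"; \
    fi
```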