ci: production deploy job #9
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 0bf9dfa.
| .github/ | ||
| test/ | ||
| docs/ | ||
| *.sqlite |
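Review bot: `.github/`, `test/` and `docs/` have no leading slash, so rsync matches them against a directory of that name at any depth of the transfer, not only the ones at the repository root. If the synced tree contains a nested `test/` or `docs/` directory that is needed at runtime (for example inside installed dependencies), it is silently left out of the deploy. If only the top-level directories are meant, anchor them as `/.github/`, `/test/` and `/docs/`.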
SQLite WAL files unprotected from rsync deletion
Medium Severity
deploy.exclude only excludes *.sqlite, but rsync with --delete-delay also removes destination files that aren't present in the source and aren't covered by an exclude rule. SQLite's WAL mode produces *.sqlite-wal and *.sqlite-shm companion files alongside the main database. Because those patterns are missing from deploy.exclude, every rsync deploy will delete them from the VPS if they exist, which can corrupt the live database mid-operation.
Reviewed by Cursor Bugbot for commit 0bf9dfa.
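The deletion described in the comment above can be reproduced locally. This is an added example, not code from the PR: the directory layout, the file names (`app.sqlite`, `index.js`) and the `-a` flag are assumptions, and the second exclude list adds the two companion patterns the comment names as missing.

```shell
#!/bin/sh
# Added example: how rsync --delete-delay treats SQLite companion files on the
# destination under two exclude lists. All paths and file names are constructed.

# deploy_sim <pattern>... : run one simulated deploy and print the names of
# the files left in the destination, sorted and space-separated.
# The body is a subshell, so its variables stay local to the call.
deploy_sim() (
  work=$(mktemp -d) || exit 1
  src="$work/build"
  dst="$work/vps"
  mkdir -p "$src" "$dst"

  # Source: build output only; the database lives on the server.
  echo 'console.log("app")' > "$src/index.js"

  # Destination: previous release plus a live WAL-mode database.
  echo 'old' > "$dst/index.js"
  echo 'stale' > "$dst/removed-in-this-release.js"
  : > "$dst/app.sqlite"
  : > "$dst/app.sqlite-wal"
  : > "$dst/app.sqlite-shm"

  # One pattern per line, the format rsync reads with --exclude-from.
  printf '%s\n' "$@" > "$work/deploy.exclude"

  rsync -a --delete-delay --exclude-from="$work/deploy.exclude" \
    "$src/" "$dst/" >/dev/null || { rm -rf "$work"; exit 1; }

  ls -A "$dst" | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
  rm -rf "$work"
)

# Exclude list as reviewed: only the main database file is protected.
before() { deploy_sim '.github/' 'test/' 'docs/' '*.sqlite'; }

# Companion patterns added: the -wal and -shm files survive the deploy.
after() {
  deploy_sim '.github/' 'test/' 'docs/' '*.sqlite' '*.sqlite-wal' '*.sqlite-shm'
}

if command -v rsync >/dev/null 2>&1; then
  echo "before: $(before)"
  echo "after:  $(after)"
fi
```

In both runs the stale release file is deleted as intended; only the fate of `app.sqlite-wal` and `app.sqlite-shm` differs between the two exclude lists.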


Note
Medium Risk
Introduces an automated production deploy pipeline using SSH password-based rsync and branch-based gating; misconfiguration could cause accidental deployments or overwrite server state despite exclusions.
Overview
Adds a production Deploy GitHub Actions workflow that triggers after successful CI on pushes to `master` (or manual dispatch), builds the app, reinstalls production-only deps, and rsyncs the result to a VPS using secrets and `deploy.exclude`.

Updates CI to pin Bun via `.bun-version` (and upgrades `setup-bun` to `v2`), adds a `start:watch` production script, and documents one-time deployment/server setup in `docs/deploy.md`/README.