Moving to github

.github/WHAT_TO_COMMIT.md

@@ -0,0 +1,185 @@
+# What to Commit to GitHub (Open Source)
+
+Quick reference for what should and shouldn't be committed to the public GitHub repository.
+
+## ✅ Safe to Commit
+
+### Source Code
+- ✅ All Ruby files (`app/`, `lib/`, `config/`)
+- ✅ `Gemfile` and `Gemfile.lock`
+- ✅ Controllers, models, views
+- ✅ Migrations (don't contain secrets)
+- ✅ Seeds (use fake/example data only)
+
+### Configuration
+- ✅ `config/database.yml` (uses ENV vars)
+- ✅ `config/routes.rb`
+- ✅ `config/environments/*.rb`
+- ✅ `.env.example` (template only)
+- ✅ `Dockerfile`
+- ✅ `docker-compose.yml` (development version)
+
+### Kubernetes
+- ✅ `k8s/deployment.yaml` (with placeholder image)
+- ✅ `k8s/service.yaml`
+- ✅ `k8s/ingress.yaml`
+- ✅ `k8s/configmap.yaml` (example values)
+- ✅ `k8s/namespace.yaml`
+- ✅ `k8s/migrate-job.yaml`
+- ✅ `k8s/*.yaml.example` (all templates)
+- ✅ `k8s/README.md`
+- ✅ `k8s/GITEA_SETUP.md`
+
+### GitHub Actions
+- ✅ `.github/workflows/*.yml`
+- ✅ `.github/SECRETS_SETUP.md`
+- ✅ `.github/WHAT_TO_COMMIT.md` (this file!)
+
+### Documentation
+- ✅ `README.md`
+- ✅ `LICENSE`
+- ✅ `DEPLOYMENT.md`
+- ✅ `API_DOCUMENTATION.md`
+- ✅ All other `.md` files
+
+### Assets
+- ✅ JavaScript controllers
+- ✅ CSS/Tailwind files
+- ✅ Images, icons
+
+### Testing
+- ✅ `test/` directory
+- ✅ Test fixtures
+- ✅ `.rubocop.yml`
+
+## ❌ Never Commit (Already Gitignored)
+
+### Secrets & Credentials
+- ❌ `.env` (actual environment variables)
+- ❌ `k8s/secrets.yaml` (actual Kubernetes secrets)
+- ❌ `config/master.key`
+- ❌ `config/credentials/*.key`
+- ❌ Any file containing passwords, tokens, or API keys
+
+### Generated Files
+- ❌ `log/*.log`
+- ❌ `tmp/**`
+- ❌ `public/assets/**` (compiled assets)
+- ❌ `node_modules/`
+- ❌ `coverage/`
+- ❌ `.byebug_history`
+
+### Database
+- ❌ `*.sqlite3`
+- ❌ Database dumps
+- ❌ `dump.rdb`
+
+### Local Environment
+- ❌ `.DS_Store`
+- ❌ `.idea/` (IDE files)
+- ❌ `.vscode/`
+- ❌ `*.swp`, `*.swo`
+
+### Docker
+- ❌ `docker-compose.override.yml` (local overrides)
+
+## 🔍 Current .gitignore
+
+Your `.gitignore` file already covers all sensitive files:
+
+```gitignore
+/.env
+/.env.local
+/config/master.key
+k8s/secrets.yaml
+k8s/sealed-secrets.yaml
+```
+
+These patterns prevent accidental commits of secrets.
+
+## 🛡️ Double Check Before Pushing
+
+Before pushing to GitHub, always verify:
+
+```bash
+# Check what will be committed
+git status
+
+# Review changes
+git diff
+
+# Ensure no secrets
+grep -r "password\|token\|secret\|key" --include="*.rb" --include="*.yml" | grep -v ".example"
+```
+
+## ⚠️ If You Accidentally Commit a Secret
+
+1. **Immediately revoke the secret** (regenerate token, change password)
+2. Remove from git history:
+   ```bash
+   git filter-branch --force --index-filter \
+     'git rm --cached --ignore-unmatch path/to/file' \
+     --prune-empty --tag-name-filter cat -- --all
+   ```
+3. Force push: `git push origin main --force`
+4. Rotate all credentials
+5. Consider the secret compromised
+
+Better: Use [BFG Repo-Cleaner](https://rtyley.github.io/bfg-repo-cleaner/) or GitHub's secret scanning.
+
+## 📦 What Gets Built vs What Gets Committed
+
+### Committed to GitHub (Source)
+```
+Source Code (.rb, .js, .css)
+    ↓
+Configuration Templates (.example files)
+    ↓
+Kubernetes Manifests (with placeholders)
+    ↓
+Documentation (.md files)
+```
+
+### Built by GitHub Actions (Artifacts)
+```
+Source Code
+    ↓
+Docker Build
+    ↓
+Docker Image
+    ↓
+Pushed to Gitea Registry (PRIVATE)
+    ↓
+Deployed to Kubernetes
+```
+
+## 🔄 Workflow
+
+1. **Code** → Push to GitHub (public)
+2. **GitHub Actions** → Build Docker image
+3. **GitHub Actions** → Push to Gitea (private)
+4. **Kubernetes** → Pull from Gitea
+5. **Deploy** → Run your app
+
+## ✨ Summary
+
+| Item | GitHub | Gitea | k8s |
+|------|--------|-------|-----|
+| Source Code | ✅ Public | 🔄 Mirror | ❌ |
+| Docker Images | ❌ | ✅ Private | 🔽 Pull |
+| Secrets | ❌ | ❌ | ✅ Encrypted |
+| Documentation | ✅ Public | 🔄 Mirror | ❌ |
+| k8s Manifests | ✅ Templates | ❌ | ✅ Applied |
+
+## Questions?
+
+- "Can I commit database.yml?" → ✅ Yes (if it uses ENV vars, not hardcoded passwords)
+- "Can I commit Dockerfile?" → ✅ Yes (it's build instructions, not secrets)
+- "Can I commit my .env?" → ❌ NO! Use .env.example
+- "Can I commit k8s/secrets.yaml?" → ❌ NO! Use secrets.yaml.example
+- "Should I commit migrations?" → ✅ Yes
+- "Should I commit seeds.rb?" → ✅ Yes (but use fake data, not real user data)
+
+---
+
+**Remember:** When in doubt, don't commit. You can always add files later, but removing secrets from history is painful.