- Automatically creates ghcr-creds secret in the appropriate namespace if missing

- Adds branch pattern triggers for k8s/** and scripts/** to enable CI/CD from infra or automation-related updates
- Improves workflow robustness and flexibility for feature and tooling branches

.github/workflows/build-and-deploy.yaml

@@ -17,6 +17,10 @@ env:
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
 
     steps:
       - name: Checkout code
@@ -38,6 +42,7 @@ jobs:
         run: |
           mkdir -p $HOME/.kube
           echo "${{ secrets.KUBECONFIG_BASE64 }}" | base64 -d > $HOME/.kube/config
+          chmod 600 ~/.kube/config
         shell: bash
 
       - name: Detect container name

k8s/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: prod
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: homepage
+  namespace: prod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: homepage
+  template:
+    metadata:
+      labels:
+        app: homepage
+    spec:
+      containers:
+        - name: homepage
+          image: ghcr.io/kebrahimpour/avisenna-landing-page:latest
+          ports:
+            - containerPort: 80
+          imagePullPolicy: Always
+      imagePullSecrets:
+        - name: ghcr-creds
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: homepage
+  namespace: prod
+spec:
+  selector:
+    app: homepage
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+  type: ClusterIP

scripts/update-github-secrets.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+set -euo pipefail
+
+REPO="kebrahimpour/avisenna-landing-page"
+GHCR_PAT="${GHCR_PAT:-}"
+TOKEN_SOURCE=""
+
+# Try env or fallback to file
+if [[ -z "$GHCR_PAT" ]]; then
+  TOKEN_PATH="$HOME/.secrets/g-token.txt"
+  if [[ -f "$TOKEN_PATH" ]]; then
+    GHCR_PAT=$(<"$TOKEN_PATH")
+    TOKEN_SOURCE="file"
+  fi
+else
+  TOKEN_SOURCE="env"
+fi
+
+if [[ -z "$GHCR_PAT" ]]; then
+  echo "❌ GHCR_PAT not found. Set as env or in ~/.secrets/g-token.txt"
+  exit 1
+fi
+
+echo "🔐 Using GHCR_PAT from $TOKEN_SOURCE"
+gh secret set GHCR_PAT --repo "$REPO" --body "$GHCR_PAT"
+echo "✅ GHCR_PAT updated"
+
+KCFG="$HOME/.kube/github-kubeconfig.yaml"
+if [[ ! -f "$KCFG" ]]; then
+  echo "❌ Kubeconfig not found at $KCFG"
+  exit 1
+fi
+
+ENCODED_KCFG=$(base64 -w 0 "$KCFG")
+gh secret set KUBECONFIG_B64 --repo "$REPO" --body "$ENCODED_KCFG"
+echo "✅ KUBECONFIG_B64 updated"

scripts/update-kubeconfig-secret.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+set -euo pipefail
+
+REPO="kebrahimpour/avisenna-landing-page"
+SECRET_NAME="KUBECONFIG_BASE64"
+SERVER="https://85.214.94.62:6443"
+
+echo "📦 Generating kubeconfig for GitHub Actions..."
+
+# Get secret associated with service account
+SECRET_NAME_REF=$(kubectl -n web get sa deploy-bot -o jsonpath="{.secrets[0].name}")
+TOKEN=$(kubectl -n web get secret "$SECRET_NAME_REF" -o jsonpath="{.data.token}" | base64 -d)
+CA_CERT=$(kubectl -n web get secret "$SECRET_NAME_REF" -o jsonpath="{.data['ca\\.crt']}" | base64 -d)
+
+mkdir -p .kube
+
+# Generate kubeconfig
+cat <<EOF > .kube/github-kubeconfig.yaml
+apiVersion: v1
+kind: Config
+clusters:
+- name: github-deploy
+  cluster:
+    certificate-authority-data: $(echo "$CA_CERT" | base64 -w 0)
+    server: $SERVER
+contexts:
+- name: github-deploy-context
+  context:
+    cluster: github-deploy
+    namespace: web
+    user: deploy-bot
+current-context: github-deploy-context
+users:
+- name: deploy-bot
+  user:
+    token: $TOKEN
+EOF
+
+# Encode and push secret to GitHub
+ENCODED=$(base64 -w 0 .kube/github-kubeconfig.yaml)
+
+echo "🔐 Updating GitHub secret $SECRET_NAME..."
+gh secret set $SECRET_NAME --repo "$REPO" --body "$ENCODED"
+
+echo "✅ KUBECONFIG_BASE64 updated and ready."