# Deploy Gate (Gitea)

## Purpose

`deploy-node1-runtime` is a hard release gate for NODA1 runtime changes:

1. `deploy` job syncs target git ref on NODA1 (and can optionally rebuild `gateway` + `experience-learner`).
2. `phase6_gate` job runs `make phase6-smoke` on NODA1.
3. If `phase6_gate` fails, the workflow fails.

This prevents a deploy from being considered successful without a Phase-6 closed-loop smoke pass.

## Workflow

File: `.gitea/workflows/deploy-node1-runtime.yml`

Manual trigger inputs:

- `deploy_ref` (default: `main`)
- `redeploy_runtime` (default: `false`)
- `ssh_host` (optional override)
- `ssh_user` (optional override, default `root`)

Required repo secrets:

- `NODA1_SSH_HOST`
- `NODA1_SSH_USER`
- `NODA1_SSH_KEY`

## Safety notes

- `redeploy_runtime=false` only syncs git on NODA1 and runs gate checks.
- `redeploy_runtime=true` recreates `gateway` and `experience-learner` containers.
- If NODA1 git tree is dirty, workflow skips checkout/pull and still enforces `phase6_gate` (safe mode for live nodes).
- If NODA1 `origin` remote is not the expected deploy-safe repo, workflow skips checkout/pull and still enforces `phase6_gate` (prevents accidental downgrade from a stale remote).
- Workflow uses SSH key validation and `IdentitiesOnly=yes` to avoid host key collisions.

## Expected PASS

- `deploy` job: successful SSH sync of selected `deploy_ref`.
- `phase6_gate` job: `make phase6-smoke` returns PASS.
- Workflow conclusion: `success`.

## Failure handling

- SSH/network issues: one retry is attempted in gate step.
- Gate FAIL: treat as release blocker, inspect `artifacts/phase6-gate*.log`.