From 549f4a1510cdd50a346dce8651936911cb0287a3 Mon Sep 17 00:00:00 2001
From: "Torsten Schulz (local)"
Date: Wed, 20 May 2026 12:53:46 +0200
Subject: [PATCH] ci: add production version check for PRs
---
.gitea/workflows/code-analysis.yml | 11 +++++++++
scripts/check-version-against-prod.sh | 35 +++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
create mode 100644 scripts/check-version-against-prod.sh
diff --git a/.gitea/workflows/code-analysis.yml b/.gitea/workflows/code-analysis.yml
index ed65731..eac458c 100644
--- a/.gitea/workflows/code-analysis.yml
+++ b/.gitea/workflows/code-analysis.yml
@@ -34,6 +34,17 @@ jobs:
 - name: Check package.json version changed
 run: scripts/check-package-version-changed.sh origin/main
+ - name: Check version against production (PRs only)
+ if: github.event_name == 'pull_request'
+ env:
+ PROD_HOST: ${{ vars.PROD_HOST }}
+ PROD_USER: ${{ vars.PROD_USER }}
+ PROD_PORT: ${{ vars.PROD_PORT }}
+ PROD_SSH_KEY: ${{ secrets.PROD_SSH_KEY }}
+ run: |
+ chmod +x scripts/check-version-against-prod.sh
+ scripts/check-version-against-prod.sh
+
 - name: gitleaks (Secrets Scanning)
 run: |
 # Try to get the latest release asset URL
diff --git a/scripts/check-version-against-prod.sh b/scripts/check-version-against-prod.sh
new file mode 100644
index 0000000..c1d4fab
--- /dev/null
+++ b/scripts/check-version-against-prod.sh
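Review bot: The `Check version against production (PRs only)` step puts a production SSH private key (`secrets.PROD_SSH_KEY`) into the environment of a job triggered by `pull_request`, and then runs `scripts/check-version-against-prod.sh` straight from the PR's own checkout (the `chmod +x` line shows it is the working-tree copy), so anyone who can open a PR that edits that script can execute arbitrary commands on PROD_HOST with that key. Whether the Gitea instance also hands secrets to fork PRs is not visible here, but a same-repository branch is enough to reach this path. At minimum, bind the key on the production side to the single command it needs — `restrict,command="cat /var/www/harheimertc/package.json"` in the deploy user's `authorized_keys` — so the secret cannot be turned into a shell; better still, expose the deployed version over HTTPS and keep SSH material out of PR-triggered jobs altogether. It would also help to pass a pinned host key alongside the other variables, e.g. `PROD_SSH_HOST_KEY: ${{ vars.PROD_SSH_HOST_KEY }}`, so the script can verify the host instead of trusting whatever answers on PROD_HOST.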
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script compares local package.json version with the version deployed on the production host.
+# It expects these environment variables to be set in the CI environment:
+# - PROD_HOST, PROD_USER, PROD_PORT
+# - PROD_SSH_KEY (the private key)
+
+if [ -z "${PROD_HOST:-}" ] || [ -z "${PROD_USER:-}" ] || [ -z "${PROD_PORT:-}" ]; then
+ echo "Missing PROD_HOST / PROD_USER / PROD_PORT environment variables"
+ exit 1
+fi
+
+if [ -z "${PROD_SSH_KEY:-}" ]; then
+ echo "Missing PROD_SSH_KEY secret"
+ exit 1
+fi
+
+mkdir -p ~/.ssh
+printf "%s" "$PROD_SSH_KEY" > ~/.ssh/id_ed25519
+chmod 600 ~/.ssh/id_ed25519
+
+LOCAL_VERSION=$(node -p "require('./package.json').version")
+echo "Local package.json version: $LOCAL_VERSION"
+
+# Fetch remote package.json version (graceful fallback to 0.0.0)
+REMOTE_VERSION=$(ssh -i ~/.ssh/id_ed25519 -p "$PROD_PORT" -o BatchMode=yes -o StrictHostKeyChecking=no "$PROD_USER@$PROD_HOST" \
+ "grep '\"version\"' /var/www/harheimertc/package.json | head -1 | sed -E 's/.*\"version\":\s*\"([^\"]+)\".*/\\1/' || echo '0.0.0'")
+
+echo "Remote production version: $REMOTE_VERSION"
+
+# Compare versions using a small Node helper (semantic-ish: numeric dot-separated)
+NODE_COMPARE="const a=process.env.LOCAL||'0.0.0'; const b=process.env.REMOTE||'0.0.0'; function cmp(x,y){const px=x.split('.').map(n=>parseInt(n||0,10)); const py=y.split('.').map(n=>parseInt(n||0,10)); const len=Math.max(px.length,py.length); for(let i=0;iB) return 1; if(A