From ff6ecf950725f7b98f16418684d231192695d1c6 Mon Sep 17 00:00:00 2001
From: Ludovic Bouchard
Date: Tue, 17 Mar 2026 00:57:34 +0100
Subject: [PATCH] other changes

---
 .gitea/workflows/deploy.yml | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index b2ae03c..5e5b1bf 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -30,5 +30,29 @@ jobs:
 - name: Deploy locally to Nginx root
 run: |
 set -eu
- test -d /deploy/portfolio
- rsync -az --delete public/ /deploy/portfolio/
\ No newline at end of file
+ DEPLOY_TARGET="/deploy/portfolio"
+
+ # Defense in depth: only deploy from the expected repo/branch.
+ [ "${GITHUB_REPOSITORY:-}" = "ludovic/portfolio-website" ] || {
+ echo "Refusing deploy: unexpected repository '${GITHUB_REPOSITORY:-}'"
+ exit 1
+ }
+ [ "${GITHUB_REF:-}" = "refs/heads/main" ] || {
+ echo "Refusing deploy: unexpected ref '${GITHUB_REF:-}'"
+ exit 1
+ }
+
+ if [ ! -d "$DEPLOY_TARGET" ]; then
+ echo "Deploy target '$DEPLOY_TARGET' does not exist in runner container."
+ echo "Bind-mount host '/var/www/portfolio' to '$DEPLOY_TARGET' in the Gitea runner container."
+ ls -la /deploy || true
+ exit 1
+ fi
+
+ if [ ! -w "$DEPLOY_TARGET" ]; then
+ echo "Deploy target '$DEPLOY_TARGET' is not writable by runner user."
+ ls -ld "$DEPLOY_TARGET" || true
+ exit 1
+ fi
+
+ rsync -az --delete public/ "$DEPLOY_TARGET/"
\ No newline at end of file
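Review bot: The final `rsync -az --delete public/ "$DEPLOY_TARGET/"` still has no guard on the source side: if the build step left `public/` present but empty, `--delete` propagates that emptiness and removes everything under the live web root, so the new `-d`/`-w` checks protect only the destination of the copy. A one-line precondition next to them closes this, e.g. `[ -f public/index.html ] || { echo "Refusing deploy: public/ has no index.html" >&2; exit 1; }`. The diagnostics in the added guards are written with plain `echo` to stdout; appending `>&2` keeps them separate from any captured step output. The repository/ref guard assumes the Gitea runner populates `GITHUB_REPOSITORY` and `GITHUB_REF` the same way GitHub Actions does, which looks right for a push to a branch but is worth confirming against the workflow's trigger; the `jobs`/`steps` header this step belongs to is outside the hunk.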