other changes

.gitea/workflows/deploy.yml

@@ -30,5 +30,29 @@ jobs:
       - name: Deploy locally to Nginx root
         run: |
           set -eu
-          test -d /deploy/portfolio
-          rsync -az --delete public/ /deploy/portfolio/
+          DEPLOY_TARGET="/deploy/portfolio"
+
+          # Defense in depth: only deploy from the expected repo/branch.
+          [ "${GITHUB_REPOSITORY:-}" = "ludovic/portfolio-website" ] || {
+            echo "Refusing deploy: unexpected repository '${GITHUB_REPOSITORY:-}'"
+            exit 1
+          }
+          [ "${GITHUB_REF:-}" = "refs/heads/main" ] || {
+            echo "Refusing deploy: unexpected ref '${GITHUB_REF:-}'"
+            exit 1
+          }
+
+          if [ ! -d "$DEPLOY_TARGET" ]; then
+            echo "Deploy target '$DEPLOY_TARGET' does not exist in runner container."
+            echo "Bind-mount host '/var/www/portfolio' to '$DEPLOY_TARGET' in the Gitea runner container."
+            ls -la /deploy || true
+            exit 1
+          fi
+
+          if [ ! -w "$DEPLOY_TARGET" ]; then
+            echo "Deploy target '$DEPLOY_TARGET' is not writable by runner user."
+            ls -ld "$DEPLOY_TARGET" || true
+            exit 1
+          fi
+
+          rsync -az --delete public/ "$DEPLOY_TARGET/"