fix: staging deployment configuration and redis secrets handling

docker-compose.staging.yml

@@ -48,11 +48,13 @@ services:
       - QUEUE_DRIVER=redis
       - QUEUE_CONNECTION=default
       # Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
-      - DB_PASSWORD_FILE=/run/secrets/db_user_password
-      - REDIS_PASSWORD_FILE=/run/secrets/redis_password
-      - APP_KEY_FILE=/run/secrets/app_key
-      - VAULT_ENCRYPTION_KEY_FILE=/run/secrets/vault_encryption_key
-      - GIT_TOKEN_FILE=/run/secrets/git_token
+      # Note: These paths will be set by the entrypoint script after copying secrets
+      # to /var/www/html/storage/secrets/ for www-data access
+      - DB_PASSWORD_FILE=/var/www/html/storage/secrets/db_user_password
+      - REDIS_PASSWORD_FILE=/var/www/html/storage/secrets/redis_password
+      - APP_KEY_FILE=/var/www/html/storage/secrets/app_key
+      - VAULT_ENCRYPTION_KEY_FILE=/var/www/html/storage/secrets/vault_encryption_key
+      - GIT_TOKEN_FILE=/var/www/html/storage/secrets/git_token
     volumes:
       - staging-code:/var/www/html
       - staging-storage:/var/www/html/storage
@@ -70,6 +72,55 @@ services:
     command:
       - |
         
+        # Copy Docker Secrets to readable location for www-data
+        # Docker Secrets are only readable by root, but PHP (www-data) needs to read them.
+        # We copy them here as root to a location where www-data can read them.
+        echo "🔐 Setting up Docker Secrets for PHP access..."
+        SECRETS_DIR="/var/www/html/storage/secrets"
+        mkdir -p "$SECRETS_DIR"
+        chmod 750 "$SECRETS_DIR"
+        chown www-data:www-data "$SECRETS_DIR"
+        
+        if [ -f /run/secrets/redis_password ]; then
+          cp /run/secrets/redis_password "$SECRETS_DIR/redis_password" 2>/dev/null || true
+          chmod 640 "$SECRETS_DIR/redis_password"
+          chown www-data:www-data "$SECRETS_DIR/redis_password"
+          export REDIS_PASSWORD_FILE="$SECRETS_DIR/redis_password"
+          echo "✅ Copied redis_password to $SECRETS_DIR/redis_password"
+        fi
+        
+        if [ -f /run/secrets/db_user_password ]; then
+          cp /run/secrets/db_user_password "$SECRETS_DIR/db_user_password" 2>/dev/null || true
+          chmod 640 "$SECRETS_DIR/db_user_password"
+          chown www-data:www-data "$SECRETS_DIR/db_user_password"
+          export DB_PASSWORD_FILE="$SECRETS_DIR/db_user_password"
+          echo "✅ Copied db_user_password to $SECRETS_DIR/db_user_password"
+        fi
+        
+        if [ -f /run/secrets/app_key ]; then
+          cp /run/secrets/app_key "$SECRETS_DIR/app_key" 2>/dev/null || true
+          chmod 640 "$SECRETS_DIR/app_key"
+          chown www-data:www-data "$SECRETS_DIR/app_key"
+          export APP_KEY_FILE="$SECRETS_DIR/app_key"
+          echo "✅ Copied app_key to $SECRETS_DIR/app_key"
+        fi
+        
+        if [ -f /run/secrets/vault_encryption_key ]; then
+          cp /run/secrets/vault_encryption_key "$SECRETS_DIR/vault_encryption_key" 2>/dev/null || true
+          chmod 640 "$SECRETS_DIR/vault_encryption_key"
+          chown www-data:www-data "$SECRETS_DIR/vault_encryption_key"
+          export VAULT_ENCRYPTION_KEY_FILE="$SECRETS_DIR/vault_encryption_key"
+          echo "✅ Copied vault_encryption_key to $SECRETS_DIR/vault_encryption_key"
+        fi
+        
+        if [ -f /run/secrets/git_token ]; then
+          cp /run/secrets/git_token "$SECRETS_DIR/git_token" 2>/dev/null || true
+          chmod 640 "$SECRETS_DIR/git_token"
+          chown www-data:www-data "$SECRETS_DIR/git_token"
+          export GIT_TOKEN_FILE="$SECRETS_DIR/git_token"
+          echo "✅ Copied git_token to $SECRETS_DIR/git_token"
+        fi
+        
         # Fix Git ownership issue
         # Ensure Git treats the mounted repository as safe regardless of owner
         git config --global --add safe.directory /var/www/html 2>/dev/null || true
@@ -138,9 +189,14 @@ services:
         find /var/www/html/storage /var/www/html/bootstrap/cache -type d -exec chmod 775 {} \; 2>/dev/null || true
         find /var/www/html/storage /var/www/html/bootstrap/cache -type f -exec chmod 664 {} \; 2>/dev/null || true
         
+        # Keep PHP-FPM secure with clear_env = yes (default)
+        # The *_FILE environment variables are passed explicitly via docker-compose environment section
+        # PHP's DockerSecretsResolver will read the secrets from the files specified in *_FILE vars
+        
         # Start PHP-FPM only (no nginx)
         echo ""
         echo "🚀 Starting PHP-FPM..."
+        echo "REDIS_PASSWORD_FILE: ${REDIS_PASSWORD_FILE:-NOT SET}"
         exec php-fpm
     healthcheck:
       test: ["CMD-SHELL", "php-fpm-healthcheck || true"]