fix: enhance git sync process with sudo to handle permission issues a…#22

Merged
xukki241 merged 1 commit into main from dev
Mar 28, 2026
@xukki241
Collaborator

…nd preserve local changes

Copilot AI review requested due to automatic review settings March 28, 2026 14:38
@xukki241 xukki241 merged commit feb5d4a into main Mar 28, 2026
8 checks passed
Copilot AI left a comment

Pull request overview

Updates the CD deploy workflow’s VM-side git sync to consistently use sudo git to avoid permission problems and to try to preserve VM-local edits during deploys.

Changes:

  • Switches git sync logic to always run git commands under sudo.
  • Adds an automatic stash step for local changes before syncing.
  • Replaces pull --ff-only with fetch + reset --hard origin/main to force the working tree to match origin/main.

sudo git -C "$DEPLOY_PATH" pull --ff-only origin main
# Always sync with sudo git to avoid permission issues on root-owned .git.
# Preserve local VM edits in a stash, then force working tree to origin/main.
if ! sudo git -C "$DEPLOY_PATH" diff --quiet || ! sudo git -C "$DEPLOY_PATH" diff --cached --quiet; then
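
Review bot: The comment at the top of this hunk accepts the root-owned .git as a given and works around it by running every git command under sudo, so any hook or config setting in that repository executes as root and every file the sync writes stays root-owned, which keeps the permission problem alive. Consider fixing ownership of $DEPLOY_PATH once (chown to the deploy user) and running git unprivileged, keeping sudo only for the steps that really need it.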
Copilot AI Mar 28, 2026

The "local changes" detection misses repos that only have untracked files (both git diff --quiet and git diff --cached --quiet return clean in that case), so the subsequent reset --hard will run without stashing. Consider using git status --porcelain (or additionally checking git ls-files --others --exclude-standard) to decide when to stash.

Suggested change
if ! sudo git -C "$DEPLOY_PATH" diff --quiet || ! sudo git -C "$DEPLOY_PATH" diff --cached --quiet; then
if [ -n "$(sudo git -C "$DEPLOY_PATH" status --porcelain)" ]; then

Comment on lines +187 to +192
sudo git -C "$DEPLOY_PATH" stash push -u -m "$STASH_NAME" || true
fi

sudo git -C "$DEPLOY_PATH" fetch origin
sudo git -C "$DEPLOY_PATH" checkout main
sudo git -C "$DEPLOY_PATH" reset --hard origin/main
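
Review bot: The last line, `reset --hard origin/main`, deploys whatever origin/main points to at fetch time, which is not necessarily the commit this workflow run was triggered for. Consider passing the triggering commit SHA to the VM and resetting to that SHA after the fetch, failing the deploy if the SHA is not contained in origin/main.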
Copilot AI Mar 28, 2026

sudo git ... stash push ... || true will silently continue even if stashing fails (e.g., due to an in-progress merge/rebase or other repo error), and then reset --hard can permanently discard local VM edits. If the intent is to preserve local changes, handle stash failure explicitly (abort the deploy, or skip the hard reset when the stash command fails).

Suggested change
sudo git -C "$DEPLOY_PATH" stash push -u -m "$STASH_NAME" || true
fi
sudo git -C "$DEPLOY_PATH" fetch origin
sudo git -C "$DEPLOY_PATH" checkout main
sudo git -C "$DEPLOY_PATH" reset --hard origin/main
if ! sudo git -C "$DEPLOY_PATH" stash push -u -m "$STASH_NAME"; then
echo "Failed to stash local changes. Skipping git reset to avoid discarding un-stashed work."
SKIP_GIT_RESET=1
fi
fi
if [ "${SKIP_GIT_RESET:-0}" -ne 1 ]; then
sudo git -C "$DEPLOY_PATH" fetch origin
sudo git -C "$DEPLOY_PATH" checkout main
sudo git -C "$DEPLOY_PATH" reset --hard origin/main
else
echo "Skipping git fetch/checkout/reset because stashing local changes failed."
fi
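
Review bot: In the else branch of this suggestion the sync is skipped but the script only echoes a message and carries on, so the remaining deploy steps run against stale code and the run can still report success. Prefer exiting non-zero when the stash fails so the failed sync is visible to whoever triggered the deploy.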

fi

sudo git -C "$DEPLOY_PATH" fetch origin
sudo git -C "$DEPLOY_PATH" checkout main
Copilot AI Mar 28, 2026

checkout main + reset --hard origin/main will discard any local commits on main (stash only captures working tree/index changes). This conflicts with the comment about preserving local VM changes; consider detecting if the local branch is ahead/diverged and creating a backup ref/branch before resetting, or failing the deploy so someone can inspect the divergence.

Suggested change
sudo git -C "$DEPLOY_PATH" checkout main
sudo git -C "$DEPLOY_PATH" checkout main
# Before hard-resetting main, detect if there are local commits not in origin/main.
# If so, create a backup branch so those commits remain reachable.
AHEAD_BEHIND_OUTPUT="$(sudo git -C "$DEPLOY_PATH" rev-list --left-right --count HEAD...origin/main || echo "")"
if [ -n "$AHEAD_BEHIND_OUTPUT" ]; then
AHEAD_COUNT="$(printf '%s\n' "$AHEAD_BEHIND_OUTPUT" | awk '{print $1}')"
if [ "$AHEAD_COUNT" -ne 0 ] 2>/dev/null; then
BACKUP_BRANCH="backup/main-$(date +%Y%m%d%H%M%S)"
echo "Local main is ahead of origin/main; creating backup branch: $BACKUP_BRANCH"
sudo git -C "$DEPLOY_PATH" branch "$BACKUP_BRANCH" HEAD || echo "Warning: failed to create backup branch $BACKUP_BRANCH"
fi
fi
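
Review bot: The `|| echo "Warning: failed to create backup branch ..."` on the `branch` line lets the script continue to `reset --hard origin/main` when the backup could not be created, leaving the local commits reachable only through the reflog; the `|| echo ""` fallback on the `rev-list` line skips the ahead check in the same silent way. Fail the deploy in both cases instead of warning, which also matches the stash-failure handling proposed earlier in this review.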
