Concept
A public demo should prove operational readiness without teaching visitors how to mutate production-like data. The course ships reads, docs, health, logs, and metrics; write authorization remains a test-backed contract.
Task
- Add a GitHub Actions workflow that runs site, Java, Postgres, and Oracle policy gates.
- Build a runtime-only Docker image for linux/arm64.
- Add a `demo` profile that categorically blocks API writes.
- Document Caddy, systemd, environment injection, and zero-secrets deployment.
- Tag the release only after the live demo is proven.
Run
```
npm run verify:m7
docker buildx build --platform linux/arm64 -t ghcr.io/imdmp-studio/javatutorial-palabas-api:v1.0.0 palabas-api
SPRING_PROFILES_ACTIVE=postgres,demo ./gradlew test --tests "*DemoReadOnlyProfileTest"
```
Expected Result
- The repo contains a complete ARM image/deploy path.
- The demo profile test rejects an ADMIN write with 403.
Common Traps
- Using fake public auth to make writes appear safe.
- Exposing all actuator endpoints because Prometheus needs one endpoint.
- Committing host secrets or issuer credentials.
Hint Ladder
Hint 1
Read-only is a deployment profile, not a change to the core authorization story.
Hint 2
Use environment variables for everything host-specific.
Hint 3
The live URL proof is external evidence, not a local build result.
Solution
See deployment-demo.md, Dockerfile, and DemoReadOnlyProfileTest.java.