Module 7 / Lesson 7.1

Ship a Read-Only Demo Without Fake Public Writes

Create the CI, image, profile, and runbook for an ARM-hosted read-only Palabas API demo.

Concept

A public demo should prove operational readiness without teaching visitors how to mutate production-like data. The course ships reads, docs, health, logs, and metrics; write authorization remains a test-backed contract.

Task

  1. Add a GitHub Actions workflow that runs site, Java, Postgres, and Oracle policy gates.
  2. Build a runtime-only Docker image for linux/arm64.
  3. Add a `demo` profile that categorically blocks API writes.
  4. Document Caddy, systemd, environment injection, and zero-secrets deployment.
  5. Tag the release only after the live demo is proven.

Run

```
npm run verify:m7
docker buildx build --platform linux/arm64 -t ghcr.io/imdmp-studio/javatutorial-palabas-api:v1.0.0 palabas-api
SPRING_PROFILES_ACTIVE=postgres,demo ./gradlew test --tests "*DemoReadOnlyProfileTest"
```

Expected Result

  • The repo contains a complete ARM image/deploy path.
  • The demo profile test rejects an ADMIN write with 403.

Common Traps

  • Using fake public auth to make writes appear safe.
  • Exposing all actuator endpoints because Prometheus needs one endpoint.
  • Committing host secrets or issuer credentials.

Hint Ladder

Hint 1

Read-only is a deployment profile, not a change to the core authorization story.

Hint 2

Use environment variables for everything host-specific.

Hint 3

The live URL proof is external evidence, not a local build result.

Solution

See deployment-demo.md, Dockerfile, and DemoReadOnlyProfileTest.java.
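
One way to implement the categorical write block of Task step 3, as an added example that is not the course's own solution code. It assumes Spring Boot 3 (the `jakarta.servlet` namespace); the package and class name `DemoReadOnlyFilter` are hypothetical.

```java
package demo.readonly; // hypothetical package, not taken from the course repo

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Set;
import org.springframework.context.annotation.Profile;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Registered only when the "demo" profile is active, so the core
 * authorization rules and their tests are unchanged in every other profile.
 */
@Component
@Profile("demo")
@Order(Ordered.HIGHEST_PRECEDENCE) // runs before all other filters, including any authentication filters
public class DemoReadOnlyFilter extends OncePerRequestFilter {

    // Allow-list of read methods. Anything else (POST, PUT, PATCH, DELETE,
    // TRACE, unknown verbs) is refused, so a new write endpoint is blocked by default.
    private static final Set<String> READ_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (!READ_METHODS.contains(request.getMethod())) {
            // Write the 403 directly instead of calling sendError(), so no
            // error dispatch to /error is triggered and the status cannot be rewritten.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("application/json");
            response.getWriter().write("{\"error\":\"demo profile is read-only\"}");
            return; // never reaches controllers, whatever role the caller holds
        }
        chain.doFilter(request, response);
    }
}
```

Because the check keys on the HTTP method and not on the caller, an authenticated ADMIN write receives the same 403 as an anonymous one.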