ci(convex): definir envs via 'convex env set' lendo /srv/apps/sistema/.env antes do deploy

.github/workflows/ci-cd-web-desktop.yml

@@ -257,6 +257,32 @@ jobs:
             --exclude '.pnpm-store/**' \
             ./ "$EFFECTIVE_APP_DIR"/
 
+      - name: Set Convex env vars (self-hosted)
+        if: ${{ env.CONVEX_SELF_HOSTED_URL != '' && env.CONVEX_SELF_HOSTED_ADMIN_KEY != '' }}
+        env:
+          CONVEX_SELF_HOSTED_URL: ${{ secrets.CONVEX_SELF_HOSTED_URL }}
+          CONVEX_SELF_HOSTED_ADMIN_KEY: ${{ secrets.CONVEX_SELF_HOSTED_ADMIN_KEY }}
+        run: |
+          set -e
+          # Load production values from /srv (do not copy .env to workspace)
+          if [ -f /srv/apps/sistema/.env ]; then
+            set -o allexport
+            . /srv/apps/sistema/.env
+            set +o allexport
+          fi
+          docker run --rm -i \
+            -v "$EFFECTIVE_APP_DIR":/app \
+            -w /app \
+            -e CONVEX_SELF_HOSTED_URL \
+            -e CONVEX_SELF_HOSTED_ADMIN_KEY \
+            -e MACHINE_PROVISIONING_SECRET="${MACHINE_PROVISIONING_SECRET:-}" \
+            -e MACHINE_TOKEN_TTL_MS="${MACHINE_TOKEN_TTL_MS:-}" \
+            -e FLEET_SYNC_SECRET="${FLEET_SYNC_SECRET:-}" \
+            node:20-bullseye bash -lc "set -euo pipefail; unset CONVEX_DEPLOYMENT; corepack enable; corepack prepare pnpm@9 --activate; pnpm install --frozen-lockfile --prod=false; \
+              if [ -n \"\${MACHINE_PROVISIONING_SECRET:-}\" ]; then pnpm exec convex env set MACHINE_PROVISIONING_SECRET \"\${MACHINE_PROVISIONING_SECRET}\" -y; fi; \
+              if [ -n \"\${MACHINE_TOKEN_TTL_MS:-}\" ]; then pnpm exec convex env set MACHINE_TOKEN_TTL_MS \"\${MACHINE_TOKEN_TTL_MS}\" -y; fi; \
+              if [ -n \"\${FLEET_SYNC_SECRET:-}\" ]; then pnpm exec convex env set FLEET_SYNC_SECRET \"\${FLEET_SYNC_SECRET}\" -y; fi;"
+
       - name: Ensure .env is not present for Convex deploy
         run: |
           cd "$EFFECTIVE_APP_DIR"