From 25458fd2a2e4065abcf9cae334d734fb7b92e18f Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 15 May 2026 21:42:40 +0000
Subject: [PATCH] wrongmove: bake VITE_MAPBOX_TOKEN into the frontend build
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a build-arg path so the Mapbox public token is injected at `vite build` time instead of being hardcoded in the bundle:

- `frontend/Dockerfile` declares `ARG VITE_MAPBOX_TOKEN` in the builder stage and re-exports it via `ENV` so Vite picks it up.
- `.woodpecker/frontend.yml` maps the global `wrongmove-mapbox-token` Woodpecker secret into a step-level `VITE_MAPBOX_TOKEN` env var, then forwards it via `build_args_from_env`.

Token is a domain-restricted `pk.*` public token (Mapbox), so bundle exposure is the intended threat model. Vault-stored at `secret/ci/global/wrongmove-mapbox-token`; synced to Woodpecker by the existing vault-woodpecker-sync CronJob every 6h.

Replaces the post-Fix-4 "Map unavailable — set VITE_MAPBOX_TOKEN" banner with a working basemap.

Co-Authored-By: Claude Opus 4.7
---
 .woodpecker/frontend.yml | 5 +++++
 frontend/Dockerfile | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/.woodpecker/frontend.yml b/.woodpecker/frontend.yml
index 7f224fe..3783bc3 100644
--- a/.woodpecker/frontend.yml
+++ b/.woodpecker/frontend.yml
@@ -95,6 +95,9 @@ steps:
 - test-shard-2
 - test-shard-3
 - test-shard-4
+ environment:
+ VITE_MAPBOX_TOKEN:
+ from_secret: wrongmove-mapbox-token
 settings:
 username: viktorbarzin
 password:
@@ -108,6 +111,8 @@ steps:
 tag: ["${CI_PIPELINE_NUMBER}", "latest"]
 cache_from: "viktorbarzin/immoweb:latest"
 cache_to: "type=inline"
+ build_args_from_env:
+ - VITE_MAPBOX_TOKEN
 - name: update-deployment
 image: alpine
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index f848505..9b48e63 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
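Review bot: Nothing in the `environment:` block scopes the `wrongmove-mapbox-token` secret to this build step's plugin image or to push events, so its exposure is decided entirely by how the secret was created in Woodpecker, which this file cannot show. Woodpecker secrets can be limited to specific plugin images and events at creation time; restricting this one to the buildx plugin image and to the events that actually publish the image would keep the value out of steps that never need it. The `pk.*`/domain-restriction argument in the commit message lowers the impact, but that restriction lives in the Mapbox dashboard, and a rotated token created without it silently widens the exposure. I would record that dependency above `environment:`, e.g. `# Public pk.* token; keep the Mapbox URL restriction in place when rotating it.`. The step this block belongs to starts outside the hunk.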
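Review bot: `build_args_from_env` turns the step env var into a `--build-arg`, so besides the bundle the value can also be recorded in the builder stage's image history and, depending on how verbose the plugin is, in the step log; the commit accepts bundle exposure, but nothing in the hunk says this path is only appropriate for public, client-side values. I would add a comment above `build_args_from_env:` such as `# Only public client-side values belong here: build args land in the bundle and can be recorded in image history.` so the list is not later extended with a secret-scoped token. The `settings:` mapping this sits in starts outside the hunk.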
@@ -24,6 +24,11 @@ RUN npx vitest run
 # Stage 3: Build production bundle
 FROM deps AS builder
+# Mapbox public token (pk.*) baked into the bundle by Vite via VITE_*.
+# Domain-restricted in the Mapbox dashboard, so a leaked token is low risk.
+ARG VITE_MAPBOX_TOKEN=""
+ENV VITE_MAPBOX_TOKEN=$VITE_MAPBOX_TOKEN
+
 COPY . .
 # Skip tsc type-checking (vitest already validated); Vite transpiles via SWC
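Review bot: `ARG VITE_MAPBOX_TOKEN=""` makes a missing or renamed CI secret indistinguishable from a deliberate local build: `vite build` proceeds with an empty token and the image presumably ships with the very "Map unavailable" banner the commit sets out to remove. Keep the empty default so local builds still work, but surface the condition at build time, e.g. `RUN [ -n "$VITE_MAPBOX_TOKEN" ] || echo "WARNING: VITE_MAPBOX_TOKEN is empty; map will be unavailable in this build" >&2` directly after the `ENV` line, so a broken secret sync shows up in the build log rather than in production. The comment's "low risk" claim rests on a URL restriction configured in the Mapbox dashboard rather than on anything in this repository; I would phrase it as a requirement, `# Must stay URL-restricted in the Mapbox dashboard; rotate and re-restrict together.`, so whoever rotates the token knows the control exists.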