diff --git a/.woodpecker/frontend.yml b/.woodpecker/frontend.yml
index a113101..e50ca55 100644
--- a/.woodpecker/frontend.yml
+++ b/.woodpecker/frontend.yml
@@ -88,13 +88,29 @@ steps: commands: - cd frontend && npx vitest run --reporter=verbose --shard=4/4
- - name: build-and-push-frontend
- image: woodpeckerci/plugin-docker-buildx
+ # Writes frontend/.env.production from the Woodpecker secret. Vite auto-loads
+ # this file during `npx vite build` (the plugin step below picks it up via
+ # the build context). Cleaner than --build-arg because docker-buildx's
+ # build_args list-parser mangled the KEY=VALUE form when the value contained
+ # `=` separators (see pipeline 2207 — bundle came out without the token).
+ - name: prepare-frontend-env
+ image: alpine depends_on: - test-shard-1 - test-shard-2 - test-shard-3 - test-shard-4
+ environment:
+ MAPBOX_TOKEN:
+ from_secret: wrongmove-mapbox-token
+ commands:
+ - 'printf "VITE_MAPBOX_TOKEN=%s\n" "$MAPBOX_TOKEN" > frontend/.env.production'
+ - 'wc -c frontend/.env.production'
+ - name: build-and-push-frontend
+ image: woodpeckerci/plugin-docker-buildx
+ depends_on:
+ - prepare-frontend-env settings: username: viktorbarzin password:
@@ -108,10 +124,6 @@ steps: tag: ["${CI_PIPELINE_NUMBER}", "latest"] cache_from: "viktorbarzin/immoweb:latest" cache_to: "type=inline"
- # Mapbox pk.* token — public by design (baked into the bundle, gated
- # by Mapbox dashboard domain restrictions, not build-time secrecy).
- build_args:
- - VITE_MAPBOX_TOKEN=pk.eyJ1IjoidmJhcnppbiIsImEiOiJjbWJ4aXhuM3ExNTdnMmtzMGRsaDNnY29lIn0.WLpUHqpbWKzHjKo1_vTWEQ - name: update-deployment image: alpine
diff --git a/frontend/.gitignore b/frontend/.gitignore
index a547bf3..d02782e 100644
--- a/frontend/.gitignore
+++ b/frontend/.gitignore
@@ -12,6 +12,10 @@ dist dist-ssr *.local
+# Vite env files written by CI (Woodpecker prepare-frontend-env step)
+.env.production
+.env.local
+ # Editor directories and files .vscode/* !.vscode/extensions.json
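Review bot: The prepare-frontend-env step writes whatever `$MAPBOX_TOKEN` expands to, so if the `wrongmove-mapbox-token` secret is unset or empty on a given run the file contains `VITE_MAPBOX_TOKEN=` and the build proceeds without a token — the same silent failure the block comment attributes to pipeline 2207, now visible only to someone reading the `wc -c` output. A guard ahead of the printf makes it fail fast: `- 'test -n "$MAPBOX_TOKEN" || { echo "wrongmove-mapbox-token secret is empty" >&2; exit 1; }'`. The step also uses an untagged `image: alpine` (as does update-deployment further down), so pinning it (`alpine:<pinned tag>`) keeps the build reproducible. The comment on the new step should carry over what the removed build_args comment said — the token is still baked into the public bundle and is gated by Mapbox domain restrictions — so the move into a CI secret is not mistaken for making it confidential.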
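Review bot: `.env.local` is already ignored by the `*.local` pattern two lines above the new block, so the added entry is redundant, and the comment `# Vite env files written by CI (Woodpecker prepare-frontend-env step)` describes only `.env.production` — the pipeline step in this commit writes nothing else. Either drop the `.env.local` line or reword the comment to `# .env.production is written by CI (Woodpecker prepare-frontend-env step); never commit it`.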
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index 9b48e63..7a2818f 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -24,11 +24,9 @@ RUN npx vitest run # Stage 3: Build production bundle FROM deps AS builder
-# Mapbox public token (pk.*) baked into the bundle by Vite via VITE_*.
-# Domain-restricted in the Mapbox dashboard, so a leaked token is low risk.
-ARG VITE_MAPBOX_TOKEN=""
-ENV VITE_MAPBOX_TOKEN=$VITE_MAPBOX_TOKEN
-
+# VITE_MAPBOX_TOKEN comes in via frontend/.env.production (written by the
+# prepare-frontend-env Woodpecker step). Vite auto-loads .env.production in
+# production mode, so no Dockerfile ARG/ENV is required. COPY . . # Skip tsc type-checking (vitest already validated); Vite transpiles via SWC
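Review bot: The new comment above `COPY . .` says no Dockerfile ARG/ENV is required, but with `ARG VITE_MAPBOX_TOKEN=""` gone there is no longer any documented path for a local `docker build`: without a frontend/.env.production in the context the bundle is built with no token and no error. Extend the comment with a line such as `# Local builds: create frontend/.env.production (gitignored) containing VITE_MAPBOX_TOKEN=<your pk.* token>, otherwise the bundle ships without one.` Since `COPY . .` is now what carries the file into the builder stage, it is also worth confirming that a frontend/.dockerignore (not visible in this diff) does not exclude `.env*`, and that the runtime stage after this hunk copies only the built output rather than the builder's working tree.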