wrongmove: write VITE_MAPBOX_TOKEN to .env.production in CI (replaces broken build_args)

The previous attempt passed the Mapbox token via `--build-arg`, but
the docker-buildx plugin's KEY=VALUE list-parser mangled the value
(the rendered command was `--build-arg *=VITE_MAPBOX_TOKEN=********`,
key got lost). Inspecting `viktorbarzin/immoweb:45` confirmed
`pk.eyJ...` was nowhere in the bundle.

Switching to the idiomatic Vite path: a new `prepare-frontend-env`
commands step writes `frontend/.env.production` from the
`wrongmove-mapbox-token` Woodpecker secret. `COPY . .` in the
Dockerfile pulls the file into the build context, and Vite
auto-loads `.env.production` during `npx vite build`.

Net diff:
- `.woodpecker/frontend.yml`: new prepare step, build step now
  depends on it, dropped the build_args line.
- `frontend/Dockerfile`: dropped the ARG/ENV lines (no longer needed,
  also silences `SecretsUsedInArgOrEnv` linter warning).
- `frontend/.gitignore`: ignore `.env.production` / `.env.local` so
  the CI-written file never gets accidentally committed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

frontend/Dockerfile

@@ -24,11 +24,9 @@ RUN npx vitest run
 # Stage 3: Build production bundle
 FROM deps AS builder
 
-# Mapbox public token (pk.*) baked into the bundle by Vite via VITE_*.
-# Domain-restricted in the Mapbox dashboard, so a leaked token is low risk.
-ARG VITE_MAPBOX_TOKEN=""
-ENV VITE_MAPBOX_TOKEN=$VITE_MAPBOX_TOKEN
-
+# VITE_MAPBOX_TOKEN comes in via frontend/.env.production (written by the
+# prepare-frontend-env Woodpecker step). Vite auto-loads .env.production in
+# production mode, so no Dockerfile ARG/ENV is required.
 COPY . .
 
 # Skip tsc type-checking (vitest already validated); Vite transpiles via SWC