wrongmove: write VITE_MAPBOX_TOKEN to .env.production in CI (replaces broken build_args)

The previous attempt passed the Mapbox token via `--build-arg`, but
the docker-buildx plugin's KEY=VALUE list-parser mangled the value
(the rendered command was `--build-arg *=VITE_MAPBOX_TOKEN=********`,
key got lost). Inspecting `viktorbarzin/immoweb:45` confirmed
`pk.eyJ...` was nowhere in the bundle.

Switching to the idiomatic Vite path: a new `prepare-frontend-env`
commands step writes `frontend/.env.production` from the
`wrongmove-mapbox-token` Woodpecker secret. `COPY . .` in the
Dockerfile pulls the file into the build context, and Vite
auto-loads `.env.production` during `npx vite build`.

Net diff:
- `.woodpecker/frontend.yml`: new prepare step, build step now
  depends on it, dropped the build_args line.
- `frontend/Dockerfile`: dropped the ARG/ENV lines (no longer needed,
  also silences `SecretsUsedInArgOrEnv` linter warning).
- `frontend/.gitignore`: ignore `.env.production` / `.env.local` so
  the CI-written file never gets accidentally committed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.woodpecker/frontend.yml

@@ -88,13 +88,29 @@ steps:
     commands:
       - cd frontend && npx vitest run --reporter=verbose --shard=4/4
 
-  - name: build-and-push-frontend
+  # Writes frontend/.env.production from the Woodpecker secret. Vite auto-loads
-    image: woodpeckerci/plugin-docker-buildx
+  # this file during `npx vite build` (the plugin step below picks it up via
+  # the build context). Cleaner than --build-arg because docker-buildx's
+  # build_args list-parser mangled the KEY=VALUE form when the value contained
+  # `=` separators (see pipeline 2207 — bundle came out without the token).
+  - name: prepare-frontend-env
+    image: alpine
     depends_on:
       - test-shard-1
       - test-shard-2
       - test-shard-3
       - test-shard-4
+    environment:
+      MAPBOX_TOKEN:
+        from_secret: wrongmove-mapbox-token
+    commands:
+      - 'printf "VITE_MAPBOX_TOKEN=%s\n" "$MAPBOX_TOKEN" > frontend/.env.production'
+      - 'wc -c frontend/.env.production'
+
+  - name: build-and-push-frontend
+    image: woodpeckerci/plugin-docker-buildx
+    depends_on:
+      - prepare-frontend-env
     settings:
       username: viktorbarzin
       password:
@@ -108,10 +124,6 @@ steps:
       tag: ["${CI_PIPELINE_NUMBER}", "latest"]
       cache_from: "viktorbarzin/immoweb:latest"
       cache_to: "type=inline"
-      # Mapbox pk.* token — public by design (baked into the bundle, gated
-      # by Mapbox dashboard domain restrictions, not build-time secrecy).
-      build_args:
-        - VITE_MAPBOX_TOKEN=pk.eyJ1IjoidmJhcnppbiIsImEiOiJjbWJ4aXhuM3ExNTdnMmtzMGRsaDNnY29lIn0.WLpUHqpbWKzHjKo1_vTWEQ
 
   - name: update-deployment
     image: alpine

frontend/.gitignore

@@ -12,6 +12,10 @@ dist
 dist-ssr
 *.local
 
+# Vite env files written by CI (Woodpecker prepare-frontend-env step)
+.env.production
+.env.local
+
 # Editor directories and files
 .vscode/*
 !.vscode/extensions.json

frontend/Dockerfile

@@ -24,11 +24,9 @@ RUN npx vitest run
 # Stage 3: Build production bundle
 FROM deps AS builder
 
-# Mapbox public token (pk.*) baked into the bundle by Vite via VITE_*.
+# VITE_MAPBOX_TOKEN comes in via frontend/.env.production (written by the
-# Domain-restricted in the Mapbox dashboard, so a leaked token is low risk.
+# prepare-frontend-env Woodpecker step). Vite auto-loads .env.production in
-ARG VITE_MAPBOX_TOKEN=""
+# production mode, so no Dockerfile ARG/ENV is required.
-ENV VITE_MAPBOX_TOKEN=$VITE_MAPBOX_TOKEN
-
 COPY . .
 
 # Skip tsc type-checking (vitest already validated); Vite transpiles via SWC