wrongmove: inline VITE_MAPBOX_TOKEN as a build_arg (drop secret indirection)

The previous attempt used a step-level `environment:` block with
`from_secret:`, which the Woodpecker linter rejected on plugin steps
("Should not configure both `environment` and `settings`"). Net effect
was build-and-push-frontend reverted to a commands step and the
docker daemon never started.

The Mapbox `pk.*` token ends up baked into the public bundle anyway —
its security model is domain restrictions in the Mapbox dashboard, not
build-time secrecy. Inlining the value in `build_args` is the simplest
working path and avoids the secret-indirection footgun. The token also
still lives in Vault at `secret/ci/global/wrongmove-mapbox-token` for
the day we adopt a private style URL or replace this with a different
provider.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent 25458fd2a2
commit d03a9a0fe2
1 changed files with 4 additions and 5 deletions
|
|
@ -95,9 +95,6 @@ steps:
|
|||
- test-shard-2
|
||||
- test-shard-3
|
||||
- test-shard-4
|
||||
environment:
|
||||
VITE_MAPBOX_TOKEN:
|
||||
from_secret: wrongmove-mapbox-token
|
||||
settings:
|
||||
username: viktorbarzin
|
||||
password:
|
||||
|
|
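Review bot: With the `environment:` / `from_secret: wrongmove-mapbox-token` lines removed, nothing in this step references that CI secret any more, so it will look orphaned to the next person auditing the pipeline's secrets. Either remove the Woodpecker secret in the same change or leave a one-line comment above `settings:` saying it is intentionally unused and kept only in Vault, as the commit message states.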
@ -111,8 +108,10 @@ steps:
|
|||
tag: ["${CI_PIPELINE_NUMBER}", "latest"]
|
||||
cache_from: "viktorbarzin/immoweb:latest"
|
||||
cache_to: "type=inline"
|
||||
build_args_from_env:
|
||||
- VITE_MAPBOX_TOKEN
|
||||
# Mapbox pk.* token — public by design (baked into the bundle, gated
|
||||
# by Mapbox dashboard domain restrictions, not build-time secrecy).
|
||||
build_args:
|
||||
- VITE_MAPBOX_TOKEN=pk.eyJ1IjoidmJhcnppbiIsImEiOiJjbWJ4aXhuM3ExNTdnMmtzMGRsaDNnY29lIn0.WLpUHqpbWKzHjKo1_vTWEQ
|
||||
|
||||
- name: update-deployment
|
||||
image: alpine
|
||||
|
|
|
|||
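Review bot: The literal `pk.*` value on the new `build_args:` entry becomes a permanent part of repository history, which leaves the Mapbox dashboard domain restriction named in the comment as the only control on it; confirm that restriction is actually configured on this specific token before merging. It would also help to extend the comment with the rotation source (the Vault path from the commit message), and to add an allowlist entry for any secret scanner run on this repo, since it will otherwise flag this line on every scan and train people to ignore the finding.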