From d03a9a0fe22f8ca2692dde5face024455e7ad48c Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 15 May 2026 21:54:40 +0000 Subject: [PATCH] wrongmove: inline VITE_MAPBOX_TOKEN as a build_arg (drop secret indirection) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous attempt used a step-level `environment:` block with `from_secret:`, which the Woodpecker linter rejected on plugin steps ("Should not configure both `environment` and `settings`"). Net effect was build-and-push-frontend reverted to a commands step and the docker daemon never started. The Mapbox `pk.*` token ends up baked into the public bundle anyway — its security model is domain restrictions in the Mapbox dashboard, not build-time secrecy. Inlining the value in `build_args` is the simplest working path and avoids the secret-indirection footgun. The token also still lives in Vault at `secret/ci/global/wrongmove-mapbox-token` for the day we adopt a private style URL or replace this with a different provider. Co-Authored-By: Claude Opus 4.7 --- .woodpecker/frontend.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.woodpecker/frontend.yml b/.woodpecker/frontend.yml index 3783bc3..a113101 100644 --- a/.woodpecker/frontend.yml +++ b/.woodpecker/frontend.yml @@ -95,9 +95,6 @@ steps: - test-shard-2 - test-shard-3 - test-shard-4 - environment: - VITE_MAPBOX_TOKEN: - from_secret: wrongmove-mapbox-token settings: username: viktorbarzin password: @@ -111,8 +108,10 @@ steps: tag: ["${CI_PIPELINE_NUMBER}", "latest"] cache_from: "viktorbarzin/immoweb:latest" cache_to: "type=inline" - build_args_from_env: - - VITE_MAPBOX_TOKEN + # Mapbox pk.* token — public by design (baked into the bundle, gated + # by Mapbox dashboard domain restrictions, not build-time secrecy). + build_args: + - VITE_MAPBOX_TOKEN=pk.eyJ1IjoidmJhcnppbiIsImEiOiJjbWJ4aXhuM3ExNTdnMmtzMGRsaDNnY29lIn0.WLpUHqpbWKzHjKo1_vTWEQ - name: update-deployment image: alpine
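Review bot: The token literal added under `build_args` is now a committed, history-persistent value whose only stated control — URL restrictions in the Mapbox dashboard — is asserted in the new comment but is neither visible nor enforceable from this pipeline, so a reader cannot tell whether that restriction (or a read-only scope set) is actually configured for this `pk.*` token. As far as I know Mapbox URL restrictions are checked against the HTTP Referer header, which limits abuse from other websites but not from scripts that set their own Referer, so the token's scopes matter as much as the domain list and the comment should not imply the domain list alone makes the value safe. If the secret indirection is worth keeping, Woodpecker plugin steps appear to accept `from_secret` under `settings:` (handed to the plugin as a `PLUGIN_*` environment variable), which combined with `build_args_from_env` and a matching `ARG` in the Dockerfile would avoid the `environment`/`settings` linter conflict without committing the value — confirm against the buildx plugin's documentation before relying on it. Failing that, make the controls auditable in place: `# Mapbox pk.* token — public by design (baked into the bundle); MUST be limited to read-only scopes and the production URL(s) in the Mapbox dashboard; rotate by replacing it here AND in Vault (secret/ci/global/wrongmove-mapbox-token)`. Note also that this literal and the Vault copy named in the commit message can now diverge silently, so a rotation that updates only one of them will go unnoticed until a deploy breaks.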