wrongmove: inline VITE_MAPBOX_TOKEN as a build_arg (drop secret indirection)

The previous attempt used a step-level `environment:` block with
`from_secret:`, which the Woodpecker linter rejected on plugin steps
("Should not configure both `environment` and `settings`"). Net effect
was build-and-push-frontend reverted to a commands step and the
docker daemon never started.

The Mapbox `pk.*` token ends up baked into the public bundle anyway —
its security model is domain restrictions in the Mapbox dashboard, not
build-time secrecy. Inlining the value in `build_args` is the simplest
working path and avoids the secret-indirection footgun. The token also
still lives in Vault at `secret/ci/global/wrongmove-mapbox-token` for
the day we adopt a private style URL or replace this with a different
provider.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Viktor Barzin 2026-05-15 21:54:40 +00:00
parent 25458fd2a2
commit d03a9a0fe2

@ -95,9 +95,6 @@ steps:
- test-shard-2 - test-shard-2
- test-shard-3 - test-shard-3
- test-shard-4 - test-shard-4
environment:
VITE_MAPBOX_TOKEN:
from_secret: wrongmove-mapbox-token
settings: settings:
username: viktorbarzin username: viktorbarzin
password: password:
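Review bot: dropping the `environment:` / `from_secret:` block leaves the `wrongmove-mapbox-token` Woodpecker secret defined but no longer referenced anywhere in this pipeline, while the commit message says the same value is kept in Vault at `secret/ci/global/wrongmove-mapbox-token`. Two copies with no link between them will drift on the next rotation; either delete the unused Woodpecker secret in the same change, or add a one-line comment on this step pointing at the Vault path. It would also help to record in the pipeline (not only in the commit message) that `environment` and `settings` cannot coexist on a plugin step, so the block is not reintroduced here and the daemon silently fails to start again.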
@ -111,8 +108,10 @@ steps:
tag: ["${CI_PIPELINE_NUMBER}", "latest"] tag: ["${CI_PIPELINE_NUMBER}", "latest"]
cache_from: "viktorbarzin/immoweb:latest" cache_from: "viktorbarzin/immoweb:latest"
cache_to: "type=inline" cache_to: "type=inline"
build_args_from_env: # Mapbox pk.* token — public by design (baked into the bundle, gated
- VITE_MAPBOX_TOKEN # by Mapbox dashboard domain restrictions, not build-time secrecy).
build_args:
- VITE_MAPBOX_TOKEN=pk.eyJ1IjoidmJhcnppbiIsImEiOiJjbWJ4aXhuM3ExNTdnMmtzMGRsaDNnY29lIn0.WLpUHqpbWKzHjKo1_vTWEQ
- name: update-deployment - name: update-deployment
image: alpine image: alpine
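Review bot: the literal `VITE_MAPBOX_TOKEN=pk....` entry in `build_args` is now permanent git history, so rotating the token means a commit plus a rebuild rather than a secret update, and the inline comment asserts that Mapbox dashboard URL restrictions are the control without anything on the page confirming they are set. Before merge, verify the restrictions exist and are scoped to the site's origins, and state that in the comment instead of the bare claim. Suggest also moving the Vault path from the commit message into the comment so the two copies are tied together, e.g. `# Canonical copy: Vault secret/ci/global/wrongmove-mapbox-token; rotate there and here together.`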