From 0d743402acfa034429fcbdf1176791777a233b9c Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Fri, 24 Apr 2026 21:08:51 +0200 Subject: [PATCH] ci(deploy): copy public/.htaccess into dist after build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Astro/Vite drops dotfiles from public/ during build, so .htaccess never makes it into dist/. The deployed Apache origin then has no header rules to apply, leaving the site without HSTS, X-Frame-Options, Referrer-Policy, etc. — caught today by the post-deploy smoke test ("HSTS missing"). Copy the file explicitly after build. test -f makes the step fail loudly if public/.htaccess goes missing, rather than silently shipping a header-less site. Co-Authored-By: Claude Opus 4.7 (1M context) --- .gitea/workflows/deploy.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index 1484670..f5f4d7f 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -53,6 +53,15 @@ jobs: - name: Build site run: npm run build + # Astro/Vite does not copy dotfiles from public/ into dist/, so .htaccess + # never reaches the deployed origin and Apache never sees the security + # headers it sets. Copy it explicitly. Fail if the source is missing + # rather than silently shipping a header-less site. + - name: Copy .htaccess into dist + run: | + test -f public/.htaccess + cp public/.htaccess dist/.htaccess + - name: Guard — no TODO markers may ship in built HTML run: | if grep -rlE '(TODO|TBD):' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
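Review bot: In the new "Copy .htaccess into dist" step, `test -f public/.htaccess` exits non-zero without printing anything, and it also passes on an empty file, so the job log will not say why the step failed and a .htaccess that has lost its header rules still ships. Consider `test -s public/.htaccess || { echo "public/.htaccess missing or empty" >&2; exit 1; }` in its place. Since the commit message says the missing HSTS was only caught by the post-deploy smoke test, a check after the `cp` that dist/.htaccess still contains the expected directives (for example `grep -q 'Strict-Transport-Security' dist/.htaccess`, assuming the file sets the header by that name) would fail the build before anything is deployed.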