Fix CI build: read PUBLIC_* values from secrets context, broaden TODO guard

- Switch ci.yml + deploy.yml env bindings from ${{ vars.* }} to ${{ secrets.* }}. Gitea lets you put non-sensitive Actions values in either tab, and the secrets tab was used in practice — workflow was reading the wrong context and getting empty strings. - Broaden the "no TODO markers ship" guard to accept both TODO: and legacy TBD: prefixes, matching the imprint/privacy page markers that were recently renamed. - Document the secret-vs-variable choice in OPERATOR-CHECKLIST so the next operator doesn't get tripped up by the same thing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 18:04:16 +02:00
parent 9a4644bada
commit 93131461b8
3 changed files with 20 additions and 16 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -23,9 +23,9 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    env:
-      PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }}
-      PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }}
-      PUBLIC_SALES_EMAIL: ${{ vars.PUBLIC_SALES_EMAIL }}
+      PUBLIC_AUTH_SIGNIN_URL: ${{ secrets.PUBLIC_AUTH_SIGNIN_URL }}
+      PUBLIC_AUTH_SIGNUP_URL: ${{ secrets.PUBLIC_AUTH_SIGNUP_URL }}
+      PUBLIC_SALES_EMAIL: ${{ secrets.PUBLIC_SALES_EMAIL }}

    steps:
      - uses: actions/checkout@v4
@@ -79,10 +79,10 @@ jobs:
      - name: Build site
        run: npm run build

-      - name: Guard — no TBD markers may ship in built HTML
+      - name: Guard — no TODO markers may ship in built HTML
        run: |
-          if grep -rl 'TBD:' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
-            echo "Built output contains unfilled <TBD:...> markers."
+          if grep -rlE '(TODO|TBD):' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
+            echo "Built output contains unfilled <TODO:...> (or legacy <TBD:...>) markers."
            echo "Fill in imprint.astro and privacy.astro operator fields before merging to main."
            exit 1
          fi
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -32,9 +32,9 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    env:
-      PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }}
-      PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }}
-      PUBLIC_SALES_EMAIL: ${{ vars.PUBLIC_SALES_EMAIL }}
+      PUBLIC_AUTH_SIGNIN_URL: ${{ secrets.PUBLIC_AUTH_SIGNIN_URL }}
+      PUBLIC_AUTH_SIGNUP_URL: ${{ secrets.PUBLIC_AUTH_SIGNUP_URL }}
+      PUBLIC_SALES_EMAIL: ${{ secrets.PUBLIC_SALES_EMAIL }}

    steps:
      - uses: actions/checkout@v4
@@ -53,10 +53,10 @@ jobs:
      - name: Build site
        run: npm run build

-      - name: Guard — no TBD markers may ship in built HTML
+      - name: Guard — no TODO markers may ship in built HTML
        run: |
-          if grep -rl 'TBD:' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
-            echo "Built output contains unfilled <TBD:...> markers."
+          if grep -rlE '(TODO|TBD):' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
+            echo "Built output contains unfilled <TODO:...> (or legacy <TBD:...>) markers."
            echo "Fill in imprint.astro and privacy.astro operator fields before merging to main."
            exit 1
          fi