cameleer/cameleer-website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix CI build: read PUBLIC_* values from secrets context, broaden TODO guard
Some checks failed
ci / build-test (push) Failing after 46s
Details

Browse Source 
- Switch ci.yml + deploy.yml env bindings from ${{ vars.* }} to
  ${{ secrets.* }}. Gitea lets you put non-sensitive Actions values in
  either tab, and the secrets tab was used in practice — workflow was
  reading the wrong context and getting empty strings.
- Broaden the "no TODO markers ship" guard to accept both TODO: and
  legacy TBD: prefixes, matching the imprint/privacy page markers that
  were recently renamed.
- Document the secret-vs-variable choice in OPERATOR-CHECKLIST so the
  next operator doesn't get tripped up by the same thing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-24 18:04:16 +02:00
parent 9a4644bada
commit 93131461b8
3 changed files with 20 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.gitea/workflows/ci.yml
View File

@@ -23,9 +23,9 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 20 timeout-minutes: 20
env: env:
PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }} PUBLIC_AUTH_SIGNIN_URL: ${{ secrets.PUBLIC_AUTH_SIGNIN_URL }}
PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }} PUBLIC_AUTH_SIGNUP_URL: ${{ secrets.PUBLIC_AUTH_SIGNUP_URL }}
PUBLIC_SALES_EMAIL: ${{ vars.PUBLIC_SALES_EMAIL }} PUBLIC_SALES_EMAIL: ${{ secrets.PUBLIC_SALES_EMAIL }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -79,10 +79,10 @@ jobs:
- name: Build site - name: Build site
run: npm run build run: npm run build
- name: Guard — no TBD markers may ship in built HTML - name: Guard — no TODO markers may ship in built HTML
run: | run: |
if grep -rl 'TBD:' dist 2>/dev/null | grep -E '\.(html|svg)$'; then if grep -rlE '(TODO|TBD):' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
echo "Built output contains unfilled <TBD:...> markers." echo "Built output contains unfilled <TODO:...> (or legacy <TBD:...>) markers."
echo "Fill in imprint.astro and privacy.astro operator fields before merging to main." echo "Fill in imprint.astro and privacy.astro operator fields before merging to main."
exit 1 exit 1
fi fi

12
.gitea/workflows/deploy.yml
View File

@@ -32,9 +32,9 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 15 timeout-minutes: 15
env: env:
PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }} PUBLIC_AUTH_SIGNIN_URL: ${{ secrets.PUBLIC_AUTH_SIGNIN_URL }}
PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }} PUBLIC_AUTH_SIGNUP_URL: ${{ secrets.PUBLIC_AUTH_SIGNUP_URL }}
PUBLIC_SALES_EMAIL: ${{ vars.PUBLIC_SALES_EMAIL }} PUBLIC_SALES_EMAIL: ${{ secrets.PUBLIC_SALES_EMAIL }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -53,10 +53,10 @@ jobs:
- name: Build site - name: Build site
run: npm run build run: npm run build
- name: Guard — no TBD markers may ship in built HTML - name: Guard — no TODO markers may ship in built HTML
run: | run: |
if grep -rl 'TBD:' dist 2>/dev/null | grep -E '\.(html|svg)$'; then if grep -rlE '(TODO|TBD):' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
echo "Built output contains unfilled <TBD:...> markers." echo "Built output contains unfilled <TODO:...> (or legacy <TBD:...>) markers."
echo "Fill in imprint.astro and privacy.astro operator fields before merging to main." echo "Fill in imprint.astro and privacy.astro operator fields before merging to main."
exit 1 exit 1
fi fi

12
OPERATOR-CHECKLIST.md
View File

@@ -70,11 +70,15 @@ Add these under Repository settings → Actions → Secrets (or variables):
| `SFTP_PATH` | secret | Absolute path to document root (e.g., `/usr/home/cameleer/public_html/www.cameleer.io`) | | `SFTP_PATH` | secret | Absolute path to document root (e.g., `/usr/home/cameleer/public_html/www.cameleer.io`) |
| `SFTP_KEY` | secret | Contents of `~/.ssh/cameleer-website-deploy` (private key, PEM) | | `SFTP_KEY` | secret | Contents of `~/.ssh/cameleer-website-deploy` (private key, PEM) |
| `SFTP_KNOWN_HOSTS` | secret | Contents of `hetzner-known-hosts.txt` (captured via `ssh-keyscan`) | | `SFTP_KNOWN_HOSTS` | secret | Contents of `hetzner-known-hosts.txt` (captured via `ssh-keyscan`) |
| `PUBLIC_AUTH_SIGNIN_URL` | variable | `https://auth.cameleer.io/sign-in` | | `PUBLIC_AUTH_SIGNIN_URL` | secret | `https://auth.cameleer.io/sign-in` |
| `PUBLIC_AUTH_SIGNUP_URL` | variable | `https://auth.cameleer.io/sign-in?first_screen=register` | | `PUBLIC_AUTH_SIGNUP_URL` | secret | `https://auth.cameleer.io/sign-in?first_screen=register` |
| `PUBLIC_SALES_EMAIL` | variable | `sales@cameleer.io` (or whatever sales alias you set up) | | `PUBLIC_SALES_EMAIL` | secret | `sales@cameleer.io` (or whatever sales alias you set up) |
## 4. Content TBD — before go-live These three are not actually secret (they end up in the built HTML), but Gitea's
Actions UI puts them in the **Secrets** tab alongside the SFTP credentials. The
workflows read them via the `${{ secrets.* }}` context.
## 4. Content TODO — before go-live
- [ ] Fill in `src/pages/imprint.astro` `operator` object with real legal details. - [ ] Fill in `src/pages/imprint.astro` `operator` object with real legal details.
- [ ] Fill in `operatorContact` in `src/pages/privacy.astro`. - [ ] Fill in `operatorContact` in `src/pages/privacy.astro`.