From 93131461b82dd7adfd6b7fa9254f2c7dfa36e8fd Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Fri, 24 Apr 2026 18:04:16 +0200
Subject: [PATCH 1/2] Fix CI build: read PUBLIC_* values from secrets context, broaden TODO guard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Switch ci.yml + deploy.yml env bindings from ${{ vars.* }} to ${{ secrets.* }}. Gitea lets you put non-sensitive Actions values in either tab, and the secrets tab was used in practice — workflow was reading the wrong context and getting empty strings.
- Broaden the "no TODO markers ship" guard to accept both TODO: and legacy TBD: prefixes, matching the imprint/privacy page markers that were recently renamed.
- Document the secret-vs-variable choice in OPERATOR-CHECKLIST so the next operator doesn't get tripped up by the same thing.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/ci.yml | 12 ++++++------
 .gitea/workflows/deploy.yml | 12 ++++++------
 OPERATOR-CHECKLIST.md | 12 ++++++++----
 3 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index b48ccee..6f8cd09 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -23,9 +23,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 20
 env:
- PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }}
- PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }}
- PUBLIC_SALES_EMAIL: ${{ vars.PUBLIC_SALES_EMAIL }}
+ PUBLIC_AUTH_SIGNIN_URL: ${{ secrets.PUBLIC_AUTH_SIGNIN_URL }}
+ PUBLIC_AUTH_SIGNUP_URL: ${{ secrets.PUBLIC_AUTH_SIGNUP_URL }}
+ PUBLIC_SALES_EMAIL: ${{ secrets.PUBLIC_SALES_EMAIL }}
 steps:
 - uses: actions/checkout@v4
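Review bot: The new `secrets.*` bindings still fail open: if one of the three secrets is missing, or a run is not granted the secrets context at all, the variable expands to an empty string and the build continues, which is exactly the silent-empty-values failure this commit is fixing, and nothing in the job now detects it. I would add a fail-fast step between the checkout and the build that refuses to continue when any of the three is empty (below, assuming the runner's default bash shell for `${!name}`). Two side effects of reading these from the secrets context deserve a one-line comment above `env:`: the runner will normally mask these values wherever they appear in job logs, so a wrong URL or address is harder to spot in output, and any run that is not granted secrets will again build with empty values. The same applies to deploy.yml's `@@ -32,9 +32,9 @@` hunk. The job definition starts before this hunk.
```yaml
      - uses: actions/checkout@v4
      - name: Verify PUBLIC_* bindings are non-empty
        run: |
          for name in PUBLIC_AUTH_SIGNIN_URL PUBLIC_AUTH_SIGNUP_URL PUBLIC_SALES_EMAIL; do
            if [ -z "${!name}" ]; then
              echo "$name is empty — set it in the Actions Secrets tab before building."
              exit 1
            fi
          done
```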
@@ -79,10 +79,10 @@ jobs:
 - name: Build site
 run: npm run build
- - name: Guard — no TBD markers may ship in built HTML
+ - name: Guard — no TODO markers may ship in built HTML
 run: |
- if grep -rl 'TBD:' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
- echo "Built output contains unfilled markers."
+ if grep -rlE '(TODO|TBD):' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
+ echo "Built output contains unfilled (or legacy ) markers."
 echo "Fill in imprint.astro and privacy.astro operator fields before merging to main."
 exit 1
 fi
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index d51136b..8823710 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -32,9 +32,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 env:
- PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }}
- PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }}
- PUBLIC_SALES_EMAIL: ${{ vars.PUBLIC_SALES_EMAIL }}
+ PUBLIC_AUTH_SIGNIN_URL: ${{ secrets.PUBLIC_AUTH_SIGNIN_URL }}
+ PUBLIC_AUTH_SIGNUP_URL: ${{ secrets.PUBLIC_AUTH_SIGNUP_URL }}
+ PUBLIC_SALES_EMAIL: ${{ secrets.PUBLIC_SALES_EMAIL }}
 steps:
 - uses: actions/checkout@v4
@@ -53,10 +53,10 @@ jobs:
 - name: Build site
 run: npm run build
- - name: Guard — no TBD markers may ship in built HTML
+ - name: Guard — no TODO markers may ship in built HTML
 run: |
- if grep -rl 'TBD:' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
- echo "Built output contains unfilled markers."
+ if grep -rlE '(TODO|TBD):' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
+ echo "Built output contains unfilled (or legacy ) markers."
 echo "Fill in imprint.astro and privacy.astro operator fields before merging to main."
 exit 1
 fi
diff --git a/OPERATOR-CHECKLIST.md b/OPERATOR-CHECKLIST.md
index 146d352..dccd217 100644
--- a/OPERATOR-CHECKLIST.md
+++ b/OPERATOR-CHECKLIST.md
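Review bot: The guard's `2>/dev/null` on the first grep hides the case where `dist` is missing or unreadable: grep exits 2 with no output, the second grep matches nothing, and the `if` falls through as if the output were clean. A guard whose purpose is to block a bad deploy should fail closed, so I would put `test -d dist || { echo "dist/ missing — build produced no output"; exit 1; }` before the `if`, drop the stderr redirect, and express the extension filter as `grep -rlE --include='*.html' --include='*.svg' '(TODO|TBD):' dist` instead of a second grep on the path list. The same script is duplicated in deploy.yml's `@@ -53,10 +53,10 @@` hunk, which is why this commit had to edit two files in lockstep; a single checked-in script that both workflows call would keep them from drifting. The echo text here reads `unfilled (or legacy ) markers` with an empty parenthetical; if that is not an artifact of how the patch was rendered, the marker names should be restored.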
@@ -70,11 +70,15 @@ Add these under Repository settings → Actions → Secrets (or variables):
 | `SFTP_PATH` | secret | Absolute path to document root (e.g., `/usr/home/cameleer/public_html/www.cameleer.io`) |
 | `SFTP_KEY` | secret | Contents of `~/.ssh/cameleer-website-deploy` (private key, PEM) |
 | `SFTP_KNOWN_HOSTS` | secret | Contents of `hetzner-known-hosts.txt` (captured via `ssh-keyscan`) |
-| `PUBLIC_AUTH_SIGNIN_URL` | variable | `https://auth.cameleer.io/sign-in` |
-| `PUBLIC_AUTH_SIGNUP_URL` | variable | `https://auth.cameleer.io/sign-in?first_screen=register` |
-| `PUBLIC_SALES_EMAIL` | variable | `sales@cameleer.io` (or whatever sales alias you set up) |
+| `PUBLIC_AUTH_SIGNIN_URL` | secret | `https://auth.cameleer.io/sign-in` |
+| `PUBLIC_AUTH_SIGNUP_URL` | secret | `https://auth.cameleer.io/sign-in?first_screen=register` |
+| `PUBLIC_SALES_EMAIL` | secret | `sales@cameleer.io` (or whatever sales alias you set up) |
-## 4. Content TBD — before go-live
+These three are not actually secret (they end up in the built HTML), but Gitea's
+Actions UI puts them in the **Secrets** tab alongside the SFTP credentials. The
+workflows read them via the `${{ secrets.* }}` context.
+
+## 4. Content TODO — before go-live
 - [ ] Fill in `src/pages/imprint.astro` `operator` object with real legal details.
 - [ ] Fill in `operatorContact` in `src/pages/privacy.astro`.
-- 
2.49.1

From 295e2bcfffc7646939474b71694afd6d7415e248 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Fri, 24 Apr 2026 18:06:32 +0200
Subject: [PATCH 2/2] replaced TBD with TODO

---
 src/pages/imprint.astro | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pages/imprint.astro b/src/pages/imprint.astro
index d6d1265..ef4ca72 100644
--- a/src/pages/imprint.astro
+++ b/src/pages/imprint.astro
@@ -4,7 +4,7 @@ import SiteHeader from '../components/SiteHeader.astro'; import SiteFooter from '../components/SiteFooter.astro'; // Imprint (Impressum) per TMG §5 / DDG §5. -// Values prefixed "', -- 2.49.1