Stop clobbering VITE_* CI vars with literal placeholders

The deploy-web job re-declared project-level CI/CD variables as `KEY: $KEY`.
When a source variable is out of scope for the job (e.g. a Protected variable
on an unprotected ref), GitLab leaves the reference unexpanded, so the literal
string "$VITE_TRANSLATE_WORKER_URL" got inlined into the build and surfaced in
the UI. Project-level variables are already in the job environment, so the
re-declaration is removed entirely.
Chad Curtis
2026-06-01 14:15:38 -05:00
parent ee8414f694
commit f800d55451
+6 -6
@@ -37,12 +37,12 @@ deploy-web:
- if: $CI_COMMIT_TAG
when: never
- if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $DEPLOY_SSH_KEY && $DEPLOY_TARGET
variables:
# Vite inlines VITE_* env vars at build time. Sourced from GitLab CI/CD
# variables so values can be rotated without a code change.
VITE_TRANSLATE_WORKER_URL: $VITE_TRANSLATE_WORKER_URL
VITE_PLAUSIBLE_DOMAIN: $VITE_PLAUSIBLE_DOMAIN
VITE_PLAUSIBLE_ENDPOINT: $VITE_PLAUSIBLE_ENDPOINT
# Vite inlines VITE_* env vars at build time. These are sourced directly from
# project-level CI/CD variables, which are already present in the job
# environment — do NOT re-declare them here as `KEY: $KEY`. That self-reference
# overwrites the real value with the literal string "$KEY" whenever the source
# variable is out of scope (e.g. a Protected variable on an unprotected ref),
# which is how "$VITE_TRANSLATE_WORKER_URL" leaked into the built app.
script:
# Build the web app
- npm ci
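Review bot: Nothing in the `script:` section before `- npm ci` checks that the three VITE_* variables are actually set, so the failure mode changes from a visible literal "$VITE_TRANSLATE_WORKER_URL" to a silent one. With the `KEY: $KEY` lines removed, a variable that is out of scope for the job (the Protected-variable case the new comment describes) is simply absent, and since Vite inlines VITE_* values at build time the app would be built and deployed without it. Consider failing fast, either with a first script step such as `test -n "$VITE_TRANSLATE_WORKER_URL"` for each of VITE_TRANSLATE_WORKER_URL, VITE_PLAUSIBLE_DOMAIN and VITE_PLAUSIBLE_ENDPOINT, or by adding them to the existing rule `$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $DEPLOY_SSH_KEY && $DEPLOY_TARGET` so the job does not run when they are missing. A check that rejects values beginning with `$` would also catch a regression to the old behaviour. As a style point, the six-line comment now documents variables that no longer appear in the block; naming the three expected variables there would tell the next reader what the job depends on.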