From f800d5545176dbbc3c02d4d9eec648bbfe3bc165 Mon Sep 17 00:00:00 2001 From: Chad Curtis Date: Mon, 1 Jun 2026 14:15:38 -0500 Subject: [PATCH] Stop clobbering VITE_* CI vars with literal placeholders The deploy-web job re-declared project-level CI/CD variables as `KEY: $KEY`. When a source variable is out of scope for the job (e.g. a Protected variable on an unprotected ref), GitLab leaves the reference unexpanded, so the literal string "$VITE_TRANSLATE_WORKER_URL" got inlined into the build and surfaced in the UI. Project-level variables are already in the job environment, so the re-declaration is removed entirely. --- .gitlab-ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6cee1e8d..c2b195a8 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -37,12 +37,12 @@ deploy-web: - if: $CI_COMMIT_TAG when: never - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $DEPLOY_SSH_KEY && $DEPLOY_TARGET - variables: - # Vite inlines VITE_* env vars at build time. Sourced from GitLab CI/CD - # variables so values can be rotated without a code change. - VITE_TRANSLATE_WORKER_URL: $VITE_TRANSLATE_WORKER_URL - VITE_PLAUSIBLE_DOMAIN: $VITE_PLAUSIBLE_DOMAIN - VITE_PLAUSIBLE_ENDPOINT: $VITE_PLAUSIBLE_ENDPOINT + # Vite inlines VITE_* env vars at build time. These are sourced directly from + # project-level CI/CD variables, which are already present in the job + # environment — do NOT re-declare them here as `KEY: $KEY`. That self-reference + # overwrites the real value with the literal string "$KEY" whenever the source + # variable is out of scope (e.g. a Protected variable on an unprotected ref), + # which is how "$VITE_TRANSLATE_WORKER_URL" leaked into the built app. script: # Build the web app - npm ci