Merge pull request 'fix(deploy): don't inject CI runner token into ppms' (#43) from fix/deploy-no-update-env into master

Reviewed-on: #43
2026-06-20 18:29:07 +00:00 · 2026-06-20 18:29:07 +00:00 · 5bb3549142
commit 5bb3549142
parent 1feb43186d 2d6681014d
1 changed files with 7 additions and 1 deletions
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@ -31,7 +31,13 @@ jobs:
          pnpm build                 # includes prisma generate
          pnpm db:migrate:deploy

-          pm2 restart ppms --update-env
+          # NOT --update-env: this job runs inside the Forgejo Actions runner, whose
+          # environment includes an ephemeral FORGEJO_TOKEN (the per-job token, revoked
+          # when the job ends). --update-env would inject it into ppms, where it shadows
+          # the real PAT from .env (Next.js does not override an already-set process.env
+          # var) and breaks the Report Issue button once the job token expires. A plain
+          # restart re-execs ppms from the pm2 daemon's clean env, so .env wins.
+          pm2 restart ppms
          echo "=== Deployed $TAG ==="

      - name: Verify portal responds