From 2d6681014d7baad029bc108201f654b0ce1409b3 Mon Sep 17 00:00:00 2001 From: Hardik Date: Sat, 20 Jun 2026 23:57:01 +0530 Subject: [PATCH] fix(deploy): don't inject the CI runner token into ppms (drop --update-env) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The deploy job runs inside the Forgejo Actions runner, whose env includes an ephemeral FORGEJO_TOKEN (per-job token, revoked when the job ends). 'pm2 restart --update-env' injected it into ppms, where it shadowed the real PAT in .env (Next.js won't override an already-set process.env var) — so the Report Issue button 401'd once the job token expired. Plain restart keeps the daemon's clean env. Co-Authored-By: Claude Opus 4.8 --- .forgejo/workflows/deploy.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml index 1241ab7..40b7e2a 100644 --- a/.forgejo/workflows/deploy.yml +++ b/.forgejo/workflows/deploy.yml @@ -31,7 +31,13 @@ jobs: pnpm build # includes prisma generate pnpm db:migrate:deploy - pm2 restart ppms --update-env + # NOT --update-env: this job runs inside the Forgejo Actions runner, whose + # environment includes an ephemeral FORGEJO_TOKEN (the per-job token, revoked + # when the job ends). --update-env would inject it into ppms, where it shadows + # the real PAT from .env (Next.js does not override an already-set process.env + # var) and breaks the Report Issue button once the job token expires. A plain + # restart re-execs ppms from the pm2 daemon's clean env, so .env wins. + pm2 restart ppms echo "=== Deployed $TAG ===" - name: Verify portal responds -- 2.45.3
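Review bot: At `pm2 restart ppms`, the new comment relies on the pm2 daemon holding a clean env for ppms, but nothing in this hunk clears a FORGEJO_TOKEN that earlier deploys already injected through `--update-env`. If pm2 kept that value in the environment it stores for the process, a plain restart would carry the revoked job token forward and the PAT in .env would stay shadowed. Consider a one-time cleanup of the ppms process definition from a shell outside the runner. Consider also a check after the restart that the running ppms environment does not contain FORGEJO_TOKEN, so that a later reintroduction of `--update-env` fails the deploy rather than surfacing as a 401 once the job token expires. The comment could also state the tradeoff that environment changes made in the runner no longer reach ppms, so intended configuration changes have to go through .env.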