2 files changed, 9 insertions, 2 deletions

diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
index 76299c9..047a318 100644
--- a/.github/workflows/docker_build.yml
+++ b/.github/workflows/docker_build.yml
@@ -60,7 +60,6 @@ jobs:
           build-args: |
             VITE_DRUPAL_BASE_URL=${{ vars.VITE_DRUPAL_BASE_URL }}
             VITE_DRUPAL_API_PREFIX=${{ vars.VITE_DRUPAL_API_PREFIX }}
-            VITE_DRUPAL_AUTH_TOKEN=${{ secrets.VITE_DRUPAL_AUTH_TOKEN }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -117,6 +116,11 @@ jobs:
         env:
           IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
           STACK_NAME: vite-portfolio
+          PORTFOLIO_HOST: ${{ vars.PORTFOLIO_HOST }}
+          TRAEFIK_NETWORK: ${{ vars.TRAEFIK_NETWORK }}
+          TRAEFIK_ENTRYPOINTS: ${{ vars.TRAEFIK_ENTRYPOINTS }}
+          DRUPAL_DB_PASSWORD: ${{ secrets.DRUPAL_DB_PASSWORD }}
+          MARIADB_ROOT_PASSWORD: ${{ secrets.MARIADB_ROOT_PASSWORD }}
         run: |
           # Deploy the stack using the remote context
           docker --context remote stack deploy -c docker-stack.yml --with-registry-auth $STACK_NAME
diff --git a/README.md b/README.md
index 15bc22f..cf675bf 100644
--- a/README.md
+++ b/README.md
@@ -100,10 +100,13 @@ Set these in your GitHub repository before deploying:
 
 - Repository variable: `VITE_DRUPAL_BASE_URL`
 - Repository variable: `VITE_DRUPAL_API_PREFIX` (optional)
-- Repository secret: `VITE_DRUPAL_AUTH_TOKEN` (optional)
 - Repository variable: `PORTFOLIO_HOST` (domain Traefik should match, for example `portfolio.example.com`)
 - Repository variable: `TRAEFIK_NETWORK` (defaults to `traefik-public`)
 - Repository variable: `TRAEFIK_ENTRYPOINTS` (defaults to `web`, use `websecure` for TLS entrypoint)
+- Repository secret: `DRUPAL_DB_PASSWORD`
+- Repository secret: `MARIADB_ROOT_PASSWORD`
+
+Note: `VITE_*` values are embedded into frontend build output. Do not place private credentials in `VITE_*` variables.
 
 The `web` service is routed by Traefik (no direct host port publish on the app service). Your host Nginx can continue acting as the public reverse proxy by forwarding to Traefik's exposed entrypoint(s).