From 618a60dd11d2052e992ff487c2c979d127a3819f Mon Sep 17 00:00:00 2001
From: IwanIDev <iwan@iwani.dev>
Date: Fri, 20 Mar 2026 14:05:11 +0000
Subject: Update deployment variables setup

---
 .github/workflows/docker_build.yml | 6 +++++-
 README.md                          | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
index 76299c9..047a318 100644
--- a/.github/workflows/docker_build.yml
+++ b/.github/workflows/docker_build.yml
@@ -60,7 +60,6 @@ jobs:
           build-args: |
             VITE_DRUPAL_BASE_URL=${{ vars.VITE_DRUPAL_BASE_URL }}
             VITE_DRUPAL_API_PREFIX=${{ vars.VITE_DRUPAL_API_PREFIX }}
-            VITE_DRUPAL_AUTH_TOKEN=${{ secrets.VITE_DRUPAL_AUTH_TOKEN }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -117,6 +116,11 @@ jobs:
         env:
           IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
           STACK_NAME: vite-portfolio
+          PORTFOLIO_HOST: ${{ vars.PORTFOLIO_HOST }}
+          TRAEFIK_NETWORK: ${{ vars.TRAEFIK_NETWORK }}
+          TRAEFIK_ENTRYPOINTS: ${{ vars.TRAEFIK_ENTRYPOINTS }}
+          DRUPAL_DB_PASSWORD: ${{ secrets.DRUPAL_DB_PASSWORD }}
+          MARIADB_ROOT_PASSWORD: ${{ secrets.MARIADB_ROOT_PASSWORD }}
         run: |
           # Deploy the stack using the remote context
           docker --context remote stack deploy -c docker-stack.yml --with-registry-auth $STACK_NAME
diff --git a/README.md b/README.md
index 15bc22f..cf675bf 100644
--- a/README.md
+++ b/README.md
@@ -100,10 +100,13 @@ Set these in your GitHub repository before deploying:
 
 - Repository variable: `VITE_DRUPAL_BASE_URL`
 - Repository variable: `VITE_DRUPAL_API_PREFIX` (optional)
-- Repository secret: `VITE_DRUPAL_AUTH_TOKEN` (optional)
 - Repository variable: `PORTFOLIO_HOST` (domain Traefik should match, for example `portfolio.example.com`)
 - Repository variable: `TRAEFIK_NETWORK` (defaults to `traefik-public`)
 - Repository variable: `TRAEFIK_ENTRYPOINTS` (defaults to `web`, use `websecure` for TLS entrypoint)
+- Repository secret: `DRUPAL_DB_PASSWORD`
+- Repository secret: `MARIADB_ROOT_PASSWORD`
+
+Note: `VITE_*` values are embedded into frontend build output. Do not place private credentials in `VITE_*` variables.
 
 The `web` service is routed by Traefik (no direct host port publish on the app service). Your host Nginx can continue acting as the public reverse proxy by forwarding to Traefik's exposed entrypoint(s).
 
-- 
cgit