From 1e7791431432ca4474450bb547fdf1bcbcf9896e Mon Sep 17 00:00:00 2001
From: Marc Mintel <marc@mintel.me>
Date: Wed, 11 Feb 2026 19:05:36 +0100
Subject: [PATCH] fix: ensure COMPOSE_PROFILES and AUTH_MIDDLEWARE are
 correctly populated in env file

---
 .gitea/workflows/deploy.yml | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 1785b38b..b38258bd 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -221,9 +221,21 @@ jobs:
           TRAEFIK_RULE:     ${{ needs.prepare.outputs.traefik_rule }}
           ENV_FILE:         ${{ needs.prepare.outputs.env_file }}
         run: |
-          # Generate Environment File
+          # Middleware Selection Logic
+          # Regular app routes get auth on non-production
+          # Unprotected routes (/stats, /errors) never get auth
           LOG_LEVEL=$( [[ "$TARGET" == "testing" || "$TARGET" == "development" ]] && echo "debug" || echo "info" )
           COOKIE_DOMAIN=.$(echo $NEXT_PUBLIC_BASE_URL | sed 's|https://||')
+          STD_MW="${PROJECT_NAME}-ratelimit,${PROJECT_NAME}-forward,${PROJECT_NAME}-compress"
+          
+          if [[ "$TARGET" == "production" ]]; then
+            AUTH_MIDDLEWARE="$STD_MW"
+            COMPOSE_PROFILES=""
+          else
+            AUTH_MIDDLEWARE="${PROJECT_NAME}-auth,$STD_MW"
+            COMPOSE_PROFILES="gatekeeper"
+          fi
+          AUTH_MIDDLEWARE_UNPROTECTED="$STD_MW"
 
           cat > .env.deploy << EOF
           # Generated by CI - $TARGET
@@ -265,22 +277,10 @@ jobs:
           TRAEFIK_HOST_RULE='$TRAEFIK_RULE'
           ENV_FILE=$ENV_FILE
           COMPOSE_PROFILES=$COMPOSE_PROFILES
+          AUTH_MIDDLEWARE=$AUTH_MIDDLEWARE
+          AUTH_MIDDLEWARE_UNPROTECTED=$AUTH_MIDDLEWARE_UNPROTECTED
           EOF
 
-          # Middleware Selection Logic
-          # Regular app routes get auth on non-production
-          # Unprotected routes (/stats, /errors) never get auth
-          STD_MW="${PROJECT_NAME}-ratelimit,${PROJECT_NAME}-forward,${PROJECT_NAME}-compress"
-          
-          if [[ "$TARGET" == "production" ]]; then
-            printf "AUTH_MIDDLEWARE=%s\n" "$STD_MW" >> .env.deploy
-            COMPOSE_PROFILES=""
-          else
-            printf "AUTH_MIDDLEWARE=%s\n" "${PROJECT_NAME}-auth,$STD_MW" >> .env.deploy
-            COMPOSE_PROFILES="gatekeeper"
-          fi
-          printf "AUTH_MIDDLEWARE_UNPROTECTED=%s\n" "$STD_MW" >> .env.deploy
-
       - name: 🚀 SSH Deploy
         shell: bash
         env: