fix(infra): definitive fix for Traefik Host rule and Gatekeeper bypass

- Switched Traefik Host rules from backticks to double quotes for safety. - Used printf in deploy.yml to guarantee literal writing of environment variables. - Verified that Host rules now correctly match without shell-side side-effects. - Maintained WOFF fonts for Satori compatibility.
2026-02-12 23:34:33 +01:00
parent e47982d394
commit 4e602da15d
2 changed files with 8 additions and 8 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -85,10 +85,10 @@ jobs:

          # Standardize Traefik Rule
          if [[ "$TRAEFIK_HOST" == *","* ]]; then
-            TRAEFIK_RULE=$(echo "$TRAEFIK_HOST" | sed 's/,/ /g' | awk '{for(i=1;i<=NF;i++) printf "Host(`%s`)%s", $i, (i==NF?"":" || ")}')
+            TRAEFIK_RULE=$(echo "$TRAEFIK_HOST" | sed 's/,/ /g' | awk '{for(i=1;i<=NF;i++) printf "Host(\"%s\")%s", $i, (i==NF?"":" || ")}')
            PRIMARY_HOST=$(echo "$TRAEFIK_HOST" | cut -d',' -f1 | sed 's/ //g')
          else
-            TRAEFIK_RULE="Host(\`$TRAEFIK_HOST\`)"
+            TRAEFIK_RULE="Host(\"$TRAEFIK_HOST\")"
            PRIMARY_HOST="$TRAEFIK_HOST"
          fi

@@ -323,7 +323,7 @@ jobs:
            echo "TARGET=$TARGET"
            echo "SENTRY_ENVIRONMENT=$TARGET"
            echo "PROJECT_NAME=$PROJECT_NAME"
-            echo "TRAEFIK_HOST_RULE=$TRAEFIK_RULE"
+            printf 'TRAEFIK_HOST_RULE=%s\n' "$TRAEFIK_RULE"
            echo "TRAEFIK_HOST=$TRAEFIK_HOST"
            echo "ENV_FILE=$ENV_FILE"
            echo "COMPOSE_PROFILES=$COMPOSE_PROFILES"