From 5b433492058108c86f9df694c761fb948094d662 Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Sat, 7 Feb 2026 00:49:36 +0100
Subject: [PATCH] fix: prevent backtick expansion in env generation and fix traefik rules
---
 .gitea/workflows/deploy.yml | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 1c9ae7b9..c5f20fd9 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -118,10 +118,11 @@ jobs:
 fi
 if [[ "$TRAEFIK_HOST" == *","* ]]; then
- # Convert "a.com, b.com" to "Host(`a.com`) || Host(`b.com`)"
- TRAEFIK_HOST_RULE=$(echo "$TRAEFIK_HOST" | sed "s/, / /g" | sed "s/,/ /g" | awk '{for(i=1;i<=NF;i++) printf "Host(`%s`)%s", $i, (i==NF?"":" || ")}')
- PRIMARY_HOST=$(echo "$TRAEFIK_HOST" | cut -d',' -f1 | xargs)
+ # Multi-domain: Host(`a.com`) || Host(`b.com`)
+ TRAEFIK_HOST_RULE=$(echo "$TRAEFIK_HOST" | sed 's/,/ /g' | awk '{for(i=1;i<=NF;i++) printf "Host(`%s`)%s", $i, (i==NF?"":" || ")}')
+ PRIMARY_HOST=$(echo "$TRAEFIK_HOST" | cut -d',' -f1 | sed 's/ //g')
 else
+ # Single domain: Host(`domain.com`)
 TRAEFIK_HOST_RULE="Host(\`$TRAEFIK_HOST\`)"
 PRIMARY_HOST="$TRAEFIK_HOST"
 fi
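Review bot: Nothing in this hunk checks what `TRAEFIK_HOST` contains before its pieces are wrapped in Host(...) in both branches, so a stray quote, backtick or other non-hostname character ends up inside the router rule and, later, in the generated env file. Where the value comes from is not visible here, but a guard ahead of the `if` would fail the job early: `[[ "$TRAEFIK_HOST" =~ ^[A-Za-z0-9.,[:space:]-]+$ ]] || { echo "invalid TRAEFIK_HOST" >&2; exit 1; }`. The new `sed 's/ //g'` for `PRIMARY_HOST` also removes only spaces, whereas the `xargs` it replaces trimmed any surrounding whitespace. The enclosing step starts and ends outside the hunk.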
@@ -281,15 +282,19 @@ jobs:
 chmod 600 ~/.ssh/id_ed25519
 ssh-keyscan -H alpha.mintel.me >> ~/.ssh/known_hosts 2>/dev/null
+ # Generated by CI - $TARGET - $(date -u)
+ # Determine dynamic values before writing the file
+ LOG_LEVEL=$( [[ "$TARGET" == "testing" || "$TARGET" == "development" ]] && echo "debug" || echo "info" )
+ COOKIE_DOMAIN=.$(echo $NEXT_PUBLIC_BASE_URL | sed 's|https://||')
+
 cat > /tmp/klz-cables.env << EOF
 # Generated by CI - $TARGET - $(date -u)
- NODE_ENV=production
+ IMAGE_TAG=$IMAGE_TAG
 NEXT_PUBLIC_BASE_URL=$NEXT_PUBLIC_BASE_URL
- NEXT_PUBLIC_TARGET=$TARGET
 NEXT_PUBLIC_UMAMI_WEBSITE_ID=$NEXT_PUBLIC_UMAMI_WEBSITE_ID
 UMAMI_API_ENDPOINT=$UMAMI_API_ENDPOINT
 SENTRY_DSN=$SENTRY_DSN
- LOG_LEVEL=$( [[ "$TARGET" == "testing" || "$TARGET" == "development" ]] && echo "debug" || echo "info" )
+ LOG_LEVEL=$LOG_LEVEL
 MAIL_HOST=$MAIL_HOST
 MAIL_PORT=$MAIL_PORT
 MAIL_USERNAME=$MAIL_USERNAME
@@ -313,13 +318,15 @@ jobs:
 TARGET=$TARGET
 SENTRY_ENVIRONMENT=$TARGET
- AUTH_MIDDLEWARE=$( [[ "$TARGET" == "production" ]] && echo "${PROJECT_NAME}-compress" || echo "${PROJECT_NAME}-auth,${PROJECT_NAME}-compress" )
 PROJECT_NAME=$PROJECT_NAME
- COOKIE_DOMAIN=.$(echo $NEXT_PUBLIC_BASE_URL | sed 's|https://||')
+ COOKIE_DOMAIN=$COOKIE_DOMAIN
 TRAEFIK_HOST=$TRAEFIK_HOST
- TRAEFIK_HOST_RULE='${{ needs.prepare.outputs.traefik_host_rule }}'
 EOF
+ # Append complex variables that contain backticks using printf to avoid shell expansion hits
+ printf "AUTH_MIDDLEWARE=%s\n" "$( [[ "$TARGET" == "production" ]] && echo "${PROJECT_NAME}-compress" || echo "${PROJECT_NAME}-auth,${PROJECT_NAME}-compress" )" >> /tmp/klz-cables.env
+ printf "TRAEFIK_HOST_RULE='%s'\n" '${{ needs.prepare.outputs.traefik_host_rule }}' >> /tmp/klz-cables.env
+ # 1. Cleanup and Create Directories on server BEFORE SCP
 ssh -o StrictHostKeyChecking=accept-new root@alpha.mintel.me bash << 'EOF'
 set -e
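Review bot: The hoisted `COOKIE_DOMAIN` assignment expands `$NEXT_PUBLIC_BASE_URL` unquoted and strips only a literal `https://`, so a trailing slash, path or port in the base URL is carried into the cookie domain. Quoting the expansion and cutting at the first `/` or `:` keeps the value to a bare host: `COOKIE_DOMAIN=".$(printf '%s' "$NEXT_PUBLIC_BASE_URL" | sed -E 's|^https?://||; s|[/:].*$||')"`. The added `# Generated by CI - $TARGET - $(date -u)` line above it sits outside the heredoc, where it is only a shell comment duplicating the header written inside the file, and can be dropped. Separately, the file goes to the fixed path /tmp/klz-cables.env and carries mail and Sentry settings; a `umask 077` before the `cat` would keep it readable by the runner user only.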
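Review bot: The new `printf` line for the host rule still takes its value from `'${{ needs.prepare.outputs.traefik_host_rule }}'`, which the workflow engine pastes into the script text before the shell runs; the single quotes keep backticks literal, but a single quote inside the value would close the string and the remainder would be parsed as shell. Passing the output through the step's `env:` block (outside this hunk), e.g. `TRAEFIK_HOST_RULE: ${{ needs.prepare.outputs.traefik_host_rule }}`, and writing `printf "TRAEFIK_HOST_RULE='%s'\n" "$TRAEFIK_HOST_RULE" >> /tmp/klz-cables.env` takes the value out of the script source entirely. The comment above the two `printf` lines says both variables contain backticks, but `AUTH_MIDDLEWARE` is built only from `$PROJECT_NAME` and fixed suffixes, so the comment should name `TRAEFIK_HOST_RULE` alone.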