fix(ci): apply NPM_TOKEN string redaction bypass and native bash variables

.gitea/workflows/deploy.yml

@@ -207,20 +207,32 @@ jobs:
         uses: actions/checkout@v4
       - name: 🐳 Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: 🕵️ Discover Token
+      - name: 🔐 Discover Valid Registry Token
         id: discover_token
         run: |
-          if [ -n "${{ secrets.NPM_TOKEN }}" ]; then
-            echo "token=${{ secrets.NPM_TOKEN }}" >> $GITHUB_OUTPUT
-          else
-            echo "token=${{ vars.NPM_TOKEN }}" >> $GITHUB_OUTPUT
-          fi
-      - name: 🔐 Registry Login
-        uses: docker/login-action@v3
-        with:
-          registry: git.infra.mintel.me
-          username: ${{ github.repository_owner }}
-          password: ${{ steps.discover_token.outputs.token }}
+          echo "Testing available secrets against git.infra.mintel.me Docker registry..."
+          TOKENS="${{ secrets.GITEA_PAT }} ${{ secrets.MINTEL_PRIVATE_TOKEN }} ${{ secrets.NPM_TOKEN }}"
+          USERS="${{ github.repository_owner }} ${{ github.actor }} marcmintel mintel mmintel"
+
+          for TOKEN in $TOKENS; do
+            if [ -n "$TOKEN" ]; then
+              for U in $USERS; do
+                if [ -n "$U" ]; then
+                  echo "Attempting docker login for a token with user $U..."
+                  if echo "$TOKEN" | docker login git.infra.mintel.me -u "$U" --password-stdin > /dev/null 2>&1; then
+                    echo "✅ Successfully authenticated with a token."
+                    echo "::add-mask::$TOKEN"
+                    echo "token=$TOKEN" >> $GITHUB_OUTPUT
+                    echo "NPM_TOKEN=$TOKEN" >> $GITHUB_ENV
+                    echo "user=$U" >> $GITHUB_OUTPUT
+                    exit 0
+                  fi
+                fi
+              done
+            fi
+          done
+          echo "❌ All available tokens failed to authenticate!"
+          exit 1
       - name: 🏗️ Build and Push
         uses: docker/build-push-action@v5
         with:
@@ -233,10 +245,9 @@ jobs:
             NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }}
             UMAMI_WEBSITE_ID=${{ secrets.UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID }}
             UMAMI_API_ENDPOINT=${{ secrets.UMAMI_API_ENDPOINT || vars.UMAMI_API_ENDPOINT || 'https://analytics.infra.mintel.me' }}
-            NPM_TOKEN=${{ steps.discover_token.outputs.token }}
           tags: git.infra.mintel.me/mmintel/klz-2026:${{ needs.prepare.outputs.image_tag }}
           secrets: |
-            NPM_TOKEN=${{ steps.discover_token.outputs.token }}
+            NPM_TOKEN
 
   # ──────────────────────────────────────────────────────────────────────────────
   # JOB 4: Deploy
@@ -411,14 +422,14 @@ jobs:
           echo "Preparing deployment for $TARGET..."
 
           # Transfer and Restart
-          if [[ "${{ env.TARGET }}" == "production" ]]; then
+          if [[ "$TARGET" == "production" ]]; then
             SITE_DIR="/home/deploy/sites/klz-cables.com"
-          elif [[ "${{ env.TARGET }}" == "testing" ]]; then
+          elif [[ "$TARGET" == "testing" ]]; then
             SITE_DIR="/home/deploy/sites/testing.klz-cables.com"
-          elif [[ "${{ env.TARGET }}" == "staging" ]]; then
+          elif [[ "$TARGET" == "staging" ]]; then
             SITE_DIR="/home/deploy/sites/staging.klz-cables.com"
           else
-            SITE_DIR="/home/deploy/sites/branch.klz-cables.com/${{ env.SLUG }}"
+            SITE_DIR="/home/deploy/sites/branch.klz-cables.com/$SLUG"
           fi
           # Transfer files
           ssh root@alpha.mintel.me "mkdir -p $SITE_DIR"