fix(build): add token discovery to prevent secret redaction breaking pnpm install

.gitea/workflows/deploy.yml

@@ -207,12 +207,20 @@ jobs:
         uses: actions/checkout@v4
       - name: 🐳 Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      - name: 🕵️ Discover Token
+        id: discover_token
+        run: |
+          if [ -n "${{ secrets.NPM_TOKEN }}" ]; then
+            echo "token=${{ secrets.NPM_TOKEN }}" >> $GITHUB_OUTPUT
+          else
+            echo "token=${{ vars.NPM_TOKEN }}" >> $GITHUB_OUTPUT
+          fi
       - name: 🔐 Registry Login
         uses: docker/login-action@v3
         with:
           registry: git.infra.mintel.me
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.NPM_TOKEN }}
+          password: ${{ steps.discover_token.outputs.token }}
       - name: 🏗️ Build and Push
         uses: docker/build-push-action@v5
         with:
@@ -225,9 +233,10 @@ jobs:
             NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }}
             UMAMI_WEBSITE_ID=${{ secrets.UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID }}
             UMAMI_API_ENDPOINT=${{ secrets.UMAMI_API_ENDPOINT || vars.UMAMI_API_ENDPOINT || 'https://analytics.infra.mintel.me' }}
+            NPM_TOKEN=${{ steps.discover_token.outputs.token }}
           tags: git.infra.mintel.me/mmintel/klz-2026:${{ needs.prepare.outputs.image_tag }}
           secrets: |
-            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+            NPM_TOKEN=${{ steps.discover_token.outputs.token }}
 
   # ──────────────────────────────────────────────────────────────────────────────
   # JOB 4: Deploy