From 237d68bc5adab153b5d41ecd53872c2831e6ac97 Mon Sep 17 00:00:00 2001
From: Marc Mintel <marc@mintel.me>
Date: Wed, 4 Mar 2026 15:29:51 +0100
Subject: [PATCH] fix(ci): assign TOKEN=VALID_TOKEN before .npmrc write in QA
 step

---
 .gitea/workflows/deploy.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 10f8f72..8548077 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -206,19 +206,16 @@ jobs:
 
           if [ -z "$VALID_TOKEN" ]; then
             echo "❌ All token/user combinations failed to authenticate!"
-            # For diagnostic exfiltration, try one openly:
             T=$(echo "$TOKENS" | awk '{print $1}')
             echo "Attempting open diagnostic login with first token and user mmintel..."
             echo "$T" | docker login git.infra.mintel.me -u "mmintel" --password-stdin || true
             exit 1
           fi
 
-          echo "::add-mask::$VALID_TOKEN"
-          echo "token=$VALID_TOKEN" >> $GITHUB_OUTPUT
-          echo "user=$VALID_USER" >> $GITHUB_OUTPUT
-
-          # Mask token in logs (just in case, but Gitea usually does this automatically)
+          TOKEN="$VALID_TOKEN"
           echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+          echo "user=$VALID_USER" >> $GITHUB_OUTPUT
 
           echo "Configuring .npmrc for git.infra.mintel.me..."
           echo "@mintel:registry=https://git.infra.mintel.me/api/packages/mmintel/npm/" > .npmrc