- .gitea/workflows/deploy.yml: the bot user on the new prod host has
fish as its login shell, which rejects bash syntax (set -e, VAR=...,
$(...), trap, process substitution). Wrap the entire deploy script
in `bash -c '...'` so fish only spawns a bash subprocess and the
script itself is parsed by bash.
- Forward DEPLOY_PATH alongside VAULT_PASS through appleboy/ssh-action
`envs:` so the bash subprocess inherits both, instead of interpolating
the secret directly into the rendered script (where masking would
collide with the cd argument).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>