- .gitea/workflows/deploy.yml: stop interpolating ANSIBLE_VAULT_PASSWORD directly into the remote script (the runner masks the secret with *** which broke the <(echo '...') process substitution at runtime)
- inject the password as VAULT_PASS through appleboy/ssh-action's envs: forwarding so it never appears in the rendered script
- on the remote, write it to a mktemp file with chmod 600 and remove the file via trap on EXIT, then point ansible-playbook --vault-password-file at that temp file
- use printf '%s' instead of echo to avoid adding a stray newline to the vault password
- add set -e so the script fails fast if any step errors

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
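The remote-side handling described in the commit message, sketched as an added example (this is not the workflow's own script). It assumes `VAULT_PASS` arrives in the environment; `run_with_vault_file` and `site.yml` are hypothetical names.

```shell
#!/bin/sh
# Added example, not code from the commit.
# Assumption: VAULT_PASS is already present in the environment of the remote
# shell (the commit forwards it through the SSH action's envs: setting).
set -e

# run_with_vault_file CMD [ARGS...]
# Writes $VAULT_PASS to a private temp file, runs CMD with the file path
# appended as its last argument, and removes the file on every exit path.
# The body is a subshell, so the EXIT trap is scoped to this one call.
run_with_vault_file() (
    # Abort early with a clear message if the secret was not forwarded.
    : "${VAULT_PASS:?VAULT_PASS is not set}"

    umask 077                          # nothing created here is group/world readable
    vault_file=$(mktemp)
    trap 'rm -f "$vault_file"' EXIT    # cleanup on success, failure, or set -e abort
    chmod 600 "$vault_file"

    # printf '%s' writes the exact bytes; echo would append a newline.
    printf '%s' "$VAULT_PASS" > "$vault_file"

    # Run the command and keep its status so the caller sees failures.
    rc=0
    "$@" "$vault_file" || rc=$?
    exit "$rc"
)

# Usage on the remote host (site.yml is a hypothetical playbook name):
#   run_with_vault_file ansible-playbook site.yml --vault-password-file
```
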