fix(ci): pass TAG/REGISTRY_TOKEN into remote shell in dev deploy #737
Problem
The dev deploy (custom/deploy-dev.yml) has never succeeded — every run fails at the Docker build with:

This blocked the runtime-validation gate for the org-governance release (#733): the migrations and server boot never got exercised because the image never built.

Root cause
The build/deploy step used an unquoted SSH heredoc (<<DEPLOY_EOF) and referenced runner-side values as \$TAG / \$REGISTRY_TOKEN. The backslash defers expansion to the remote shell — but those variables only exist on the runner (the step's env:). On the remote side they're unset, so the tag collapsed to mokogitea: (empty) → invalid reference format. REGISTRY_TOKEN had the same defect (remote docker login would have received the literal string $REGISTRY_TOKEN), and HEALTH_FMT was defined on the runner but referenced remotely.

This was not caused by the org-governance code — that compiles and vets clean locally (go build ./... clean, go vet clean on 380 packages).

Fix
TAG='...' REGISTRY_TOKEN='...' bash -s.
<<'DEPLOY_EOF') so every $var in the script expands in exactly one place — the remote host. Removes the fragile local/remote expansion mix that caused the bug.
HEALTH_FMT into the remote script body.

Actions ${{ env.* }} expressions are unaffected (templated before bash runs, independent of heredoc quoting).

Validation
dev, the push auto-triggers deploy-dev.yml — this is the real runtime gate for #733 (image builds, migrations 362–366 apply, container reports healthy).

https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT
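The expansion failure and the fix described in this PR can be reproduced locally; this is an added example, not code from the PR or the repository. Assumptions: `env -i ... bash -s` stands in for the SSH remote shell, the function names are hypothetical, and the `${TAG:?}` guard is an addition the PR does not mention.

```shell
#!/usr/bin/env bash
# Added example. `remote` is a hypothetical stand-in for `ssh host ...`:
# env -i starts the child with an empty environment, which models a remote
# host that never sees the variables from the runner's step env.
remote() { env -i PATH="$PATH" "$@"; }

# Before: unquoted heredoc. The backslash stops the runner from expanding
# $TAG, so the remote shell expands it instead, and there it is unset.
broken_deploy() {
  TAG="$1"   # exists on the runner side only (constructed sample value)
  remote bash -s <<DEPLOY_EOF
echo "mokogitea:\$TAG"
DEPLOY_EOF
}

# After: the value is handed to the remote command explicitly and the
# heredoc delimiter is quoted, so every $var expands only on the remote side.
fixed_deploy() {
  remote TAG="$1" bash -s <<'DEPLOY_EOF'
: "${TAG:?TAG is not set in the remote shell}"
echo "mokogitea:$TAG"
DEPLOY_EOF
}

# The guard alone (added here, not part of the PR): with nothing passed in,
# the remote script stops with a non-zero status instead of producing an
# empty image tag.
guarded_without_env() {
  remote bash -s <<'DEPLOY_EOF' 2>/dev/null
: "${TAG:?TAG is not set in the remote shell}"
echo "mokogitea:$TAG"
DEPLOY_EOF
}

printf 'before: %s\n' "$(broken_deploy v1.2.3)"
printf 'after:  %s\n' "$(fixed_deploy v1.2.3)"
```

Over real SSH the `NAME='value'` assignments are part of the remote command string, so a secret such as a registry token is visible in the remote process list while the command runs; sending it on stdin avoids that.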