From fdfc45f1c996739d771eba1793bf0b0685c3d8cf Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar <sharang@meghsakha.com>
Date: Mon, 18 May 2026 23:06:21 +0200
Subject: [PATCH] ci(portal): fix pnpm test invocation + inject AUTH_SECRET at
 build

Two CI bugs the M0.2 ci-typescript.yaml template carried into portal:

1. 'pnpm test --coverage' is parsed as a pnpm option, not script args
   ('Unknown option: coverage'). Drop the extra flag; the package.json
   test script already runs 'vitest run --coverage'.

2. 'next build' requires AUTH_SECRET at compile time because Auth.js
   v5 reads it during route generation. Inject a per-build dummy
   secret in CI (production gets the real one via Orca env from
   Infisical).

Refs: M5.1
---
 .gitea/workflows/ci.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 664d7ad..5af2052 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -72,11 +72,17 @@ jobs:
       - run: pnpm install --frozen-lockfile
       - run: pnpm lint
       - run: pnpm typecheck
-      - run: pnpm test --coverage
+      # `pnpm test` already includes --coverage via the package.json script.
+      - run: pnpm test
       - name: coverage gate
         run: |
           node -e "const c=require('./coverage/coverage-summary.json').total.lines.pct; if (c<70) { console.error('coverage', c, '< 70%'); process.exit(1) }"
-      - run: pnpm build
+      - name: build
+        env:
+          # Required at build-time by Auth.js. Replaced by Infisical-sourced
+          # secret in stage/prod via Orca env injection (M5.1+).
+          AUTH_SECRET: ci-build-dummy-${{ github.sha }}
+        run: pnpm build
 
   e2e:
     needs: test