Improve security check to avoid false positives

Updated secret detection to look for actual hardcoded tokens (pk./sk. patterns) rather than environment variable references. This prevents false positives when using process.env.MAPBOX_ACCESS_TOKEN correctly.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

.forgejo/workflows/ci.yml

@@ -142,11 +142,19 @@ jobs:
       - name: Check for secrets
         run: |
           echo "Checking for potential secrets..."
-          ! find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -l "MAPBOX_ACCESS_TOKEN" || \
-          (echo "❌ Found hardcoded Mapbox token!" && exit 1)
+          # Check for hardcoded Mapbox tokens (pk. or sk. prefixes)
+          if find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "(pk\.|sk\.)[a-zA-Z0-9]{50,}" > /dev/null 2>&1; then
+            echo "❌ Found hardcoded Mapbox token!"
+            find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "(pk\.|sk\.)[a-zA-Z0-9]{50,}"
+            exit 1
+          fi
           
-          ! find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -l "ADMIN_PASSWORD" || \
-          (echo "❌ Found hardcoded admin password!" && exit 1)
+          # Check for hardcoded admin passwords (avoid env var references)
+          if find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "ADMIN_PASSWORD.*=.*['\"][^'\"]*['\"]" > /dev/null 2>&1; then
+            echo "❌ Found hardcoded admin password!"
+            find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -v dist | grep -v .git | xargs grep -E "ADMIN_PASSWORD.*=.*['\"][^'\"]*['\"]"
+            exit 1
+          fi
           
           echo "✅ No hardcoded secrets found"