ci: inject production secrets during deploy

.gitea/workflows/cd.yaml

@@ -147,6 +147,48 @@ jobs:
             --exclude='.env' \
             ./ "$PROD_SERVER_USER@$PROD_SERVER_IP:/opt/fifa2026/current/"
 
+      - name: Prepare production environment file
+        env:
+          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
+          NEXTAUTH_SECRET: ${{ secrets.NEXTAUTH_SECRET }}
+          THE_ODDS_API_KEY: ${{ secrets.THE_ODDS_API_KEY }}
+          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
+          NEMOTRON_API_BASE: ${{ secrets.NEMOTRON_API_BASE }}
+          OLLAMA_BASE_URL: ${{ secrets.OLLAMA_BASE_URL }}
+        run: |
+          set -euo pipefail
+          for required in DB_PASSWORD REDIS_PASSWORD NEXTAUTH_SECRET; do
+            if [ -z "${!required:-}" ]; then
+              echo "禁止部署：Gitea secret $required 未設定。"
+              exit 1
+            fi
+          done
+          write_env_line() {
+            name="$1"
+            value="${!name:-}"
+            escaped=$(printf '%s' "$value" | sed "s/'/'\\''/g")
+            printf "%s='%s'\n" "$name" "$escaped"
+          }
+          write_optional_env_line() {
+            name="$1"
+            if [ -n "${!name:-}" ]; then
+              write_env_line "$name"
+            fi
+          }
+          umask 077
+          {
+            write_env_line DB_PASSWORD
+            write_env_line REDIS_PASSWORD
+            write_env_line NEXTAUTH_SECRET
+            write_optional_env_line THE_ODDS_API_KEY
+            write_optional_env_line GEMINI_API_KEY
+            write_optional_env_line NEMOTRON_API_BASE
+            write_optional_env_line OLLAMA_BASE_URL
+          } > .deploy.env
+          scp -i ~/.ssh/id_deploy .deploy.env "$PROD_SERVER_USER@$PROD_SERVER_IP:/opt/fifa2026/current/.env"
+          rm -f .deploy.env
+
       - name: Restart Docker Containers
         run: |
           set -euo pipefail