A common GitLab CI failure is not that the deploy script is wrong. It is that the pipeline expects a variable nobody documented.

Example:

```yaml
stages:
  - deploy

deploy_production:
  stage: deploy
  image: alpine:3.20
  script:
    - test -n "$DEPLOY_TOKEN"
    - echo "Deploying $NEXT_PUBLIC_APP_URL"
    - ./scripts/deploy.sh --token "$DEPLOY_TOKEN"
```

And the repo contract says only this:

```
NEXT_PUBLIC_APP_URL=
```

`DEPLOY_TOKEN` exists as an assumption in the pipeline, but not in `.env.example` or `.env.dist`. That means a reviewer can approve the pipeline change without realizing that someone still needs to configure a GitLab CI/CD Variable before deploy.

## Why this is deployment drift

The actual secret value belongs in GitLab CI/CD Variables. The variable name belongs in the repo's environment contract.…
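The gap described above, `DEPLOY_TOKEN` referenced in the pipeline but missing from `.env.example`, can be caught by comparing names only, never values. The following is an added example, not code from the original post: the function names are hypothetical, the pipeline is scanned as text rather than parsed as YAML, and names starting with `CI_` or `GITLAB_` are assumed to be GitLab predefined variables.

```python
import re

# Constructed sample inputs mirroring the pipeline and contract shown above.
PIPELINE = '''\
stages:
  - deploy
deploy_production:
  stage: deploy
  image: alpine:3.20
  script:
    - test -n "$DEPLOY_TOKEN"
    - echo "Deploying $NEXT_PUBLIC_APP_URL"
    - ./scripts/deploy.sh --token "$DEPLOY_TOKEN"
'''
ENV_EXAMPLE = "NEXT_PUBLIC_APP_URL=\n"

# Matches $NAME or ${NAME}; "$$" is GitLab's escape for a literal dollar, so skip it.
VAR_REF = re.compile(r"(?<!\$)\$\{?([A-Za-z_][A-Za-z0-9_]*)")
# Assumption: these prefixes mark GitLab predefined variables, outside the repo contract.
PREDEFINED_PREFIXES = ("CI_", "GITLAB_")

def referenced_vars(pipeline_text):
    """Variable names the pipeline text expands, minus predefined ones."""
    names = set()
    for line in pipeline_text.splitlines():
        # Crude comment strip: drop everything from a whitespace-preceded '#'.
        code = (" " + line).split(" #", 1)[0]
        names.update(VAR_REF.findall(code))
    return {n for n in names if not n.startswith(PREDEFINED_PREFIXES)}

def declared_vars(env_text):
    """Keys declared in a dotenv-style contract file; values are ignored."""
    keys = set()
    for line in env_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            keys.add(line.split("=", 1)[0].strip())
    return keys

def undocumented(pipeline_text, env_text):
    """Names the pipeline expects that the contract never mentions."""
    return sorted(referenced_vars(pipeline_text) - declared_vars(env_text))

if __name__ == "__main__":
    missing = undocumented(PIPELINE, ENV_EXAMPLE)
    print("undocumented pipeline variables:", missing)
    raise SystemExit(1 if missing else 0)  # non-zero exit fails the CI job
```

Because the check reads only variable names, it can run in a merge request job without access to any protected CI/CD Variable.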