From b5b02238a76fa5fb85fc099e089d43b11b4a4166 Mon Sep 17 00:00:00 2001
From: testvalue <wgordon@redhat.com>
Date: Sat, 28 Mar 2026 14:45:09 -0400
Subject: [PATCH] chore: removes WAF bypass token (BFM disabled)

---
 .github/workflows/deploy.yml |  2 --
 scripts/waf-smoke-test.sh    | 10 +---------
 2 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index d877e5c..b3151d2 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -22,8 +22,6 @@ jobs:
         run: node scripts/verify-csp-hash.mjs
       - name: WAF smoke tests
         run: pnpm test:waf
-        env:
-          WAF_BYPASS_TOKEN: ${{ secrets.WAF_BYPASS_TOKEN }}
       - run: pnpm run build
         env:
           VITE_GITHUB_CLIENT_ID: ${{ vars.VITE_GITHUB_CLIENT_ID }}
diff --git a/scripts/waf-smoke-test.sh b/scripts/waf-smoke-test.sh
index a23d05b..7017caf 100755
--- a/scripts/waf-smoke-test.sh
+++ b/scripts/waf-smoke-test.sh
@@ -14,14 +14,6 @@ BASE="https://gh.gordoncode.dev"
 PASS=0
 FAIL=0
 
-# When WAF_BYPASS_TOKEN is set (CI), send a header that a Cloudflare WAF rule
-# uses to skip Bot Fight Mode for this request. Without it (local dev), requests
-# pass through normally since residential IPs aren't challenged.
-BYPASS=()
-if [[ -n "${WAF_BYPASS_TOKEN:-}" ]]; then
-  BYPASS=(-H "X-CI-Bypass: ${WAF_BYPASS_TOKEN}")
-fi
-
 assert_status() {
   local expected="$1" actual="$2" label="$3"
   if [[ "$actual" == "$expected" ]]; then
@@ -34,7 +26,7 @@ assert_status() {
 }
 
 fetch() {
-  curl -s -o /dev/null -w "%{http_code}" "${BYPASS[@]}" "$@"
+  curl -s -o /dev/null -w "%{http_code}" "$@"
 }
 
 # ============================================================