chore: migrate CI secrets from Forgejo to SOPS (#354)

scripts/setup_dagger_remote.sh

@@ -16,6 +16,34 @@ sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"
 DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
 DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")
 
+# Export all CI secrets to the GitHub Actions environment so subsequent steps
+# can use them without referencing Forgejo secrets directly.
+export_secret() {
+    local name="$1"
+    local value
+    value=$(jq -r --arg k "$name" '.[$k] // empty' "$SECRETS_JSON")
+    if [ -n "${GITHUB_ENV:-}" ]; then
+        # Use heredoc syntax for multiline-safe export
+        {
+            printf '%s<<__EOF__\n' "$name"
+            printf '%s\n' "$value"
+            printf '__EOF__\n'
+        } >> "$GITHUB_ENV"
+    fi
+    printf '[secrets] exported %s (%d chars)\n' "$name" "${#value}"
+}
+
+export_secret "SSH_PRIVATE_KEY"
+export_secret "SSH_KNOWN_HOSTS"
+export_secret "SSH_USER"
+export_secret "SSH_HOST"
+export_secret "WEBSITE_SSH_HOST"
+export_secret "PLAY_STORE_CONFIG_JSON"
+export_secret "ANDROID_KEYSTORE_BASE64"
+export_secret "ANDROID_KEYSTORE_PASSWORD"
+export_secret "FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY"
+export_secret "RENOVATE_FORGEJO_TOKEN"
+
 # Setup SSH directory and keys
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh