- Add 6 secrets to secrets.enc.yaml: WEBSITE_SSH_HOST, PLAY_STORE_CONFIG_JSON,
ANDROID_KEYSTORE_BASE64, ANDROID_KEYSTORE_PASSWORD,
FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY, RENOVATE_FORGEJO_TOKEN
- Extend setup_dagger_remote.sh to export all CI secrets from SOPS to
GITHUB_ENV so subsequent steps receive them without Forgejo secret refs
- Remove all silent-skip fallbacks (if: secrets.X != '') from deploy.yml,
website.yml, firebase-tests.yml — jobs now fail hard if secrets are missing
- Remove direct Forgejo secret references from all workflow env: blocks
- Delete temporary dump-secrets workflow

SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, SSH_USER, SSH_HOST are not yet in Forgejo
and therefore not in SOPS — deploy/website tasks will fail with a clear
Taskfile precondition error until those secrets are provided.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Replace `task website-deploy` (which calls `hugo` directly and fails
because Hugo is not installed on the CI runner) with the Dagger-based
`task publish-website`, matching the pattern used by other jobs in
deploy.yml. Also adds Dagger remote engine setup, runner tool checks,
SSH_KNOWN_HOSTS secret, a timeout, and TLS credential cleanup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- website/layouts/_partials/extend_head.html: injects <meta name="x-version">
using HUGO_PARAMS_GITVERSION (set by Taskfile at build time)
- Taskfile: website-build sets HUGO_PARAMS_GITVERSION=<short HEAD>;
new website-verify task runs scripts/website-verify.sh
- scripts/website-verify.sh: fetches homepage, retries 6x/10s, checks
that the deployed version hash matches HEAD
- website.yml: Verify step after Deploy; scripts/website-verify.sh added
to path trigger

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
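
The post-deploy check described in the commit above (fetch the homepage, retry 6 times at 10-second intervals, compare the `x-version` meta tag with HEAD), as an added example that is not the project's scripts/website-verify.sh. The function names, the injected fetch command and the attribute order `name` before `content` are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not taken from the repository.

# Print the content attribute of <meta name="x-version" content="..."> read from stdin.
# Assumes name= precedes content= inside the tag.
extract_version() {
  tr '\n' ' ' |
    sed -n 's/.*<meta[^>]*name="x-version"[^>]*content="\([^"]*\)".*/\1/p'
}

# verify_deployed FETCH_CMD EXPECTED [ATTEMPTS] [DELAY_SECONDS]
# FETCH_CMD is a command or function that prints the homepage HTML, for
# example a curl wrapper. Returns 0 on match, 1 after the last failed
# attempt, 2 if EXPECTED is not a lowercase hex hash.
verify_deployed() {
  fetch_cmd=$1
  expected=$2
  attempts=${3:-6}
  delay=${4:-10}
  # Reject empty or non-hex input so a broken build variable cannot "match"
  # an equally empty deployed value.
  case $expected in
    '' | *[!0-9a-f]*) echo "invalid expected version" >&2; return 2 ;;
  esac
  i=1
  while [ "$i" -le "$attempts" ]; do
    deployed=$($fetch_cmd 2>/dev/null | extract_version)
    if [ "$deployed" = "$expected" ]; then
      echo "verified: $deployed (attempt $i)"
      return 0
    fi
    echo "attempt $i/$attempts: deployed='$deployed' expected='$expected'" >&2
    if [ "$i" -lt "$attempts" ]; then
      sleep "$delay"
    fi
    i=$((i + 1))
  done
  return 1
}
```

In CI the expected value would come from `git rev-parse --short HEAD`, and the fetch command would wrap an HTTPS request to the deployed site.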
enough_mail is a pub dependency, not a vendored package.
Add missing 'Enable Nix flakes' step to website.yml (matching ci.yml)
and remove redundant branch condition already handled by the trigger.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>