feat: add SSH deploy secrets (SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, SSH_USER, SSH_HOST) to SOPS

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
feat: migrate CI secrets from Forgejo to SOPS, remove all fallbacks
2026-06-03 06:29:00 +02:00 · 2026-06-03 00:14:53 +02:00 · 2026-06-02 23:59:56 +02:00 · 2026-06-02 23:52:21 +02:00 · 2026-06-02 23:47:04 +02:00 · 2026-06-02 23:41:50 +02:00
6 changed files with 57 additions and 44 deletions
@@ -113,11 +113,7 @@ jobs:
        run: scripts/setup_dagger_remote.sh

      - name: Publish Android to Play Store
-        if: ${{ secrets.PLAY_STORE_CONFIG_JSON != '' }}
        env:
-          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
-          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
-          PLAY_STORE_CONFIG_JSON: ${{ secrets.PLAY_STORE_CONFIG_JSON }}
          DAGGER_NO_NAG: "1"
        run: task publish-android

@@ -145,14 +141,7 @@ jobs:
        run: scripts/setup_dagger_remote.sh

      - name: Build & Deploy APK to server
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
-          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
-          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          DAGGER_NO_NAG: "1"
        run: task deploy-apk

@@ -180,12 +169,7 @@ jobs:
        run: scripts/setup_dagger_remote.sh

      - name: Build & Deploy Linux to server
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
          DAGGER_NO_NAG: "1"
        run: task deploy-linux

@@ -65,9 +65,7 @@ jobs:
        run: scripts/setup_dagger_remote.sh

      - name: Run Android Tests on Firebase Test Lab
-        if: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY != '' }}
        env:
-          FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY }}
          FIREBASE_PROJECT_ID: ${{ vars.FIREBASE_PROJECT_ID }}
          DAGGER_NO_NAG: "1"
        run: task test-android-firebase
@@ -27,5 +27,4 @@ jobs:
      - name: Run Renovate
        env:
          DAGGER_NO_NAG: "1"
-          RENOVATE_FORGEJO_TOKEN: ${{ secrets.RENOVATE_FORGEJO_TOKEN }}
        run: task renovate
@@ -33,17 +33,11 @@ jobs:
        run: scripts/setup_dagger_remote.sh

      - name: Build & Update Website
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
        env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
-          SSH_USER: ${{ secrets.SSH_USER }}
-          SSH_HOST: ${{ secrets.SSH_HOST }}
          DAGGER_NO_NAG: "1"
        run: task publish-website

      - name: Verify Website
-        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
        env:
-          SSH_HOST: ${{ secrets.WEBSITE_SSH_HOST }}
+          SSH_HOST: ${{ env.WEBSITE_SSH_HOST }}
        run: scripts/website-verify.sh
@@ -16,6 +16,34 @@ sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"
 DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
 DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")

+# Export all CI secrets to the GitHub Actions environment so subsequent steps
+# can use them without referencing Forgejo secrets directly.
+export_secret() {
+    local name="$1"
+    local value
+    value=$(jq -r --arg k "$name" '.[$k] // empty' "$SECRETS_JSON")
+    if [ -n "${GITHUB_ENV:-}" ]; then
+        # Use heredoc syntax for multiline-safe export
+        {
+            printf '%s<<__EOF__\n' "$name"
+            printf '%s\n' "$value"
+            printf '__EOF__\n'
+        } >> "$GITHUB_ENV"
+    fi
+    printf '[secrets] exported %s (%d chars)\n' "$name" "${#value}"
+}
+
+export_secret "SSH_PRIVATE_KEY"
+export_secret "SSH_KNOWN_HOSTS"
+export_secret "SSH_USER"
+export_secret "SSH_HOST"
+export_secret "WEBSITE_SSH_HOST"
+export_secret "PLAY_STORE_CONFIG_JSON"
+export_secret "ANDROID_KEYSTORE_BASE64"
+export_secret "ANDROID_KEYSTORE_PASSWORD"
+export_secret "FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY"
+export_secret "RENOVATE_FORGEJO_TOKEN"
+
 # Setup SSH directory and keys
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
Author	SHA1	Message	Date
Thomas SharedInboxandClaude Sonnet 4.6	a96ae3c0d7	feat: add SSH deploy secrets (SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, SSH_USER, SSH_HOST) to SOPS Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-03 06:29:00 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	1cd1e49430	feat: migrate CI secrets from Forgejo to SOPS, remove all fallbacks - Add 6 secrets to secrets.enc.yaml: WEBSITE_SSH_HOST, PLAY_STORE_CONFIG_JSON, ANDROID_KEYSTORE_BASE64, ANDROID_KEYSTORE_PASSWORD, FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY, RENOVATE_FORGEJO_TOKEN - Extend setup_dagger_remote.sh to export all CI secrets from SOPS to GITHUB_ENV so subsequent steps receive them without Forgejo secret refs - Remove all silent-skip fallbacks (if: secrets.X != '') from deploy.yml, website.yml, firebase-tests.yml — jobs now fail hard if secrets are missing - Remove direct Forgejo secret references from all workflow env: blocks - Delete temporary dump-secrets workflow SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, SSH_USER, SSH_HOST are not yet in Forgejo and therefore not in SOPS — deploy/website tasks will fail with a clear Taskfile precondition error until those secrets are provided. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-03 00:14:53 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	ef4448e8b6	chore: post age-encrypted secrets as PR comment for extraction Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-02 23:59:56 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	16582fef8f	chore: restore full age-encryption logic for secret dump Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-02 23:52:21 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	86798065d3	chore: test all 10 secrets in env with simple check Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-02 23:47:04 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	7d9a8fa30b	chore: test dump-secrets with one secret in env Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-02 23:41:50 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	ac96329337	chore: test minimal dump-secrets job to debug failure Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-02 23:35:34 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	cfca2a74f7	chore: switch dump-secrets trigger to push on sops-migrate branch Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-02 23:27:57 +02:00
Thomas SharedInboxandClaude Sonnet 4.6	28bcbdacf4	chore: add temporary dump-secrets workflow to extract values for SOPS migration Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-02 23:21:00 +02:00