chore: migrate CI secrets from Forgejo to SOPS #354

Merged
guettlibot merged 9 commits from sops-migrate into main 2026-06-03 04:37:10 +00:00
9 Commits
Author SHA1 Message Date
Thomas SharedInbox and Claude Sonnet 4.6 a96ae3c0d7 feat: add SSH deploy secrets (SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, SSH_USER, SSH_HOST) to SOPS
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 06:29:00 +02:00
Thomas SharedInbox and Claude Sonnet 4.6 1cd1e49430 feat: migrate CI secrets from Forgejo to SOPS, remove all fallbacks
- Add 6 secrets to secrets.enc.yaml: WEBSITE_SSH_HOST, PLAY_STORE_CONFIG_JSON,
  ANDROID_KEYSTORE_BASE64, ANDROID_KEYSTORE_PASSWORD,
  FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY, RENOVATE_FORGEJO_TOKEN
- Extend setup_dagger_remote.sh to export all CI secrets from SOPS to
  GITHUB_ENV so subsequent steps receive them without Forgejo secret refs
- Remove all silent-skip fallbacks (if: secrets.X != '') from deploy.yml,
  website.yml, firebase-tests.yml — jobs now fail hard if secrets are missing
- Remove direct Forgejo secret references from all workflow env: blocks
- Delete temporary dump-secrets workflow

SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, SSH_USER, SSH_HOST are not yet in Forgejo
and therefore not in SOPS — deploy/website tasks will fail with a clear
Taskfile precondition error until those secrets are provided.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 00:14:53 +02:00
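The export step this commit describes (decrypt every CI secret from SOPS, write it to GITHUB_ENV, fail hard when one is missing), as an added example that is not the project's own setup_dagger_remote.sh. It assumes the sops CLI and its age key are available on the runner and uses the secret names listed in the commit messages.

```shell
#!/bin/sh
# Added example, not the project's own setup_dagger_remote.sh. Decrypts each CI
# secret from the SOPS file and appends it to $GITHUB_ENV for later steps.
# Assumes the sops CLI is installed and its age key is available to it.
set -eu
SOPS_FILE="${SOPS_FILE:-secrets.enc.yaml}"
# Secret names as listed in this PR's commit messages.
REQUIRED_SECRETS="WEBSITE_SSH_HOST PLAY_STORE_CONFIG_JSON ANDROID_KEYSTORE_BASE64
ANDROID_KEYSTORE_PASSWORD FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY RENOVATE_FORGEJO_TOKEN
SSH_PRIVATE_KEY SSH_KNOWN_HOSTS SSH_USER SSH_HOST"

# Decrypt one top-level key; exits non-zero with no output when it is absent.
sops_get() {
  sops -d --extract "[\"$1\"]" "$SOPS_FILE" 2>/dev/null
}

# Append NAME=VALUE to $GITHUB_ENV in heredoc form so multi-line values (PEM
# keys, JSON) stay intact; a random delimiter keeps a value from ending it early.
append_env() {
  delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  printf '%s<<%s\n%s\n%s\n' "$1" "$delim" "$2" "$delim" >> "$GITHUB_ENV"
}

# Mask every line of a value so the runner redacts it from the job log.
mask() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
  done
}

# Export all required secrets. Missing names are collected and reported together
# and the function returns 1, so the job fails instead of silently skipping.
export_ci_secrets() {
  missing=""
  for name in $REQUIRED_SECRETS; do
    if value="$(sops_get "$name")" && [ -n "$value" ]; then
      mask "$value"
      append_env "$name" "$value"
    else
      missing="$missing $name"
    fi
  done
  if [ -n "$missing" ]; then
    printf 'ERROR: secrets missing from %s:%s\n' "$SOPS_FILE" "$missing" >&2
    return 1
  fi
}
# Run the export when executed directly; sourcing the file only defines functions.
case "${0##*/}" in export_ci_secrets.sh) export_ci_secrets ;; esac
```

A workflow step would run it as `sh export_ci_secrets.sh`; the step then fails with the full list of missing names rather than letting a later deploy job skip silently.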
Thomas SharedInbox and Claude Sonnet 4.6 ef4448e8b6 chore: post age-encrypted secrets as PR comment for extraction
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 23:59:56 +02:00
Thomas SharedInbox and Claude Sonnet 4.6 16582fef8f chore: restore full age-encryption logic for secret dump
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 23:52:21 +02:00
Thomas SharedInbox and Claude Sonnet 4.6 86798065d3 chore: test all 10 secrets in env with simple check
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 23:47:04 +02:00
Thomas SharedInbox and Claude Sonnet 4.6 7d9a8fa30b chore: test dump-secrets with one secret in env
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 23:41:50 +02:00
Thomas SharedInbox and Claude Sonnet 4.6 ac96329337 chore: test minimal dump-secrets job to debug failure
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 23:35:34 +02:00
Thomas SharedInbox and Claude Sonnet 4.6 cfca2a74f7 chore: switch dump-secrets trigger to push on sops-migrate branch
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 23:27:57 +02:00
Thomas SharedInbox and Claude Sonnet 4.6 28bcbdacf4 chore: add temporary dump-secrets workflow to extract values for SOPS migration
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-02 23:21:00 +02:00