- Add 6 secrets to secrets.enc.yaml: WEBSITE_SSH_HOST, PLAY_STORE_CONFIG_JSON,
ANDROID_KEYSTORE_BASE64, ANDROID_KEYSTORE_PASSWORD,
FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY, RENOVATE_FORGEJO_TOKEN
- Extend setup_dagger_remote.sh to export all CI secrets from SOPS to
GITHUB_ENV so subsequent steps receive them without Forgejo secret refs
- Remove all silent-skip fallbacks (if: secrets.X != '') from deploy.yml,
website.yml, firebase-tests.yml — jobs now fail hard if secrets are missing
- Remove direct Forgejo secret references from all workflow env: blocks
- Delete temporary dump-secrets workflow
SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, SSH_USER, SSH_HOST are not yet in Forgejo
and therefore not in SOPS — deploy/website tasks will fail with a clear
Taskfile precondition error until those secrets are provided.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
