Document Forgejo Actions secrets (#102)
## Summary

- Add "Forgejo Actions Secrets" section to forgejo reference card
- Document that `ARGOCD_AUTH_TOKEN` is used by `build-blumeops.yaml` workflow
- Note that secrets are stored in 1Password but manually copied to Forgejo (no auto-sync)
- Add missing `build-blumeops.yaml` to workflows list
- Clarify distinction between server config secrets (1Password → Ansible) vs CI/CD secrets (Forgejo UI)

## Context

The forgejo-runner ArgoCD app was showing OutOfSync because a previous attempt stored `argocd_token` in the ExternalSecret. This was incorrect - the token is actually a Forgejo Actions secret, not a k8s secret. Synced the app to remove the drift and added documentation to prevent future confusion.

🤖 Generated with [Claude Code](https://claude.ai/code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/102
parent 1e13d4b83d
commit aabfcf6fc0
2 changed files with 19 additions and 2 deletions
1
docs/changelog.d/doc-forgejo-actions-secrets.doc.md
Normal file
|
|
@ -0,0 +1 @@
|
|||
Document Forgejo Actions secrets in forgejo reference card
|
||||
|
|
@ -37,10 +37,26 @@ Git forge and CI/CD platform. **Primary source of truth for blumeops** (mirrored
|
|||
|
||||
**Workflows:** `.forgejo/workflows/`
|
||||
- `build-container.yaml` - Container image builds on tag
|
||||
- `build-blumeops.yaml` - Documentation builds and releases
|
||||
|
||||
## Secrets
|
||||
## Secrets (Forgejo Config)
|
||||
|
||||
Managed via 1Password: `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret`, `runner_reg`
|
||||
Server configuration secrets managed via 1Password → Ansible:
|
||||
- `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret` - Forgejo server tokens
|
||||
- `runner_reg` - Runner registration token (also in k8s via [[external-secrets]])
|
||||
|
||||
## Forgejo Actions Secrets
|
||||
|
||||
Repository-level secrets for CI/CD workflows. **Not IaC** - managed in Forgejo UI at:
|
||||
`Settings → Actions → Secrets`
|
||||
|
||||
| Secret | Used By | Purpose |
|
||||
|--------|---------|---------|
|
||||
| `ARGOCD_AUTH_TOKEN` | `build-blumeops.yaml` | Sync docs app after release |
|
||||
|
||||
These secrets are injected as `${{ secrets.SECRET_NAME }}` in workflow files.
|
||||
|
||||
> **Note:** These secrets are also stored in 1Password ("Forgejo Secrets" item) as the source of truth, but were manually copied to Forgejo. They will not auto-update if the 1Password value changes.
|
||||
|
||||
## Related
|
||||
|
||||
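Review bot: The closing note in the new "Forgejo Actions Secrets" section says the values were manually copied from 1Password and will not auto-update, but the card gives no rotation steps, so after a change to the 1Password value `build-blumeops.yaml` keeps using the old `ARGOCD_AUTH_TOKEN` until someone remembers the second copy. Suggest a short ordered procedure under the table: update the "Forgejo Secrets" item, re-enter the value at `Settings → Actions → Secrets`, then re-run the workflow to confirm it still works. The table row could also name the ArgoCD account or scope the token belongs to, since "Sync docs app after release" implies it needs sync rights on that one app only. Separately, renaming `## Secrets` to `## Secrets (Forgejo Config)` changes the heading anchor, so it is worth checking for wiki-links that target the old heading.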