diff --git a/docs/changelog.d/doc-forgejo-actions-secrets.doc.md b/docs/changelog.d/doc-forgejo-actions-secrets.doc.md new file mode 100644 index 0000000..d2e2e15 --- /dev/null +++ b/docs/changelog.d/doc-forgejo-actions-secrets.doc.md @@ -0,0 +1 @@ +Document Forgejo Actions secrets in forgejo reference card diff --git a/docs/reference/services/forgejo.md b/docs/reference/services/forgejo.md index 5bef9e6..16bb5f8 100644 --- a/docs/reference/services/forgejo.md +++ b/docs/reference/services/forgejo.md @@ -37,10 +37,26 @@ Git forge and CI/CD platform. **Primary source of truth for blumeops** (mirrored **Workflows:** `.forgejo/workflows/` - `build-container.yaml` - Container image builds on tag +- `build-blumeops.yaml` - Documentation builds and releases -## Secrets +## Secrets (Forgejo Config) -Managed via 1Password: `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret`, `runner_reg` +Server configuration secrets managed via 1Password → Ansible: +- `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret` - Forgejo server tokens +- `runner_reg` - Runner registration token (also in k8s via [[external-secrets]]) + +## Forgejo Actions Secrets + +Repository-level secrets for CI/CD workflows. **Not IaC** - managed in Forgejo UI at: +`Settings → Actions → Secrets` + +| Secret | Used By | Purpose | +|--------|---------|---------| +| `ARGOCD_AUTH_TOKEN` | `build-blumeops.yaml` | Sync docs app after release | + +These secrets are injected as `${{ secrets.SECRET_NAME }}` in workflow files. + +> **Note:** These secrets are also stored in 1Password ("Forgejo Secrets" item) as the source of truth, but were manually copied to Forgejo. They will not auto-update if the 1Password value changes. ## Related
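Review bot: In the new "Forgejo Actions Secrets" section of `docs/reference/services/forgejo.md`, the closing note says the values were "manually copied to Forgejo" and "will not auto-update if the 1Password value changes", but it gives no rotation procedure, so after a rotation the copy of `ARGOCD_AUTH_TOKEN` used by `build-blumeops.yaml` goes stale with nothing here telling the operator what to do. Suggest listing the steps in order (update the "Forgejo Secrets" item in 1Password, then re-enter the value under `Settings → Actions → Secrets`) and stating what the token is permitted to do, since the table only gives its purpose as "Sync docs app after release" and a reader cannot tell whether it is limited to that one app. Separately, renaming `## Secrets` to `## Secrets (Forgejo Config)` changes the heading anchor, so check other docs for links to the old section name.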