From aabfcf6fc095123175ae80092bdb8893788c9db5 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Wed, 4 Feb 2026 07:32:32 -0800 Subject: [PATCH] Document Forgejo Actions secrets (#102) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Add "Forgejo Actions Secrets" section to forgejo reference card - Document that `ARGOCD_AUTH_TOKEN` is used by `build-blumeops.yaml` workflow - Note that secrets are stored in 1Password but manually copied to Forgejo (no auto-sync) - Add missing `build-blumeops.yaml` to workflows list - Clarify distinction between server config secrets (1Password → Ansible) vs CI/CD secrets (Forgejo UI) ## Context The forgejo-runner ArgoCD app was showing OutOfSync because a previous attempt stored `argocd_token` in the ExternalSecret. This was incorrect - the token is actually a Forgejo Actions secret, not a k8s secret. Synced the app to remove the drift and added documentation to prevent future confusion. 🤖 Generated with [Claude Code](https://claude.ai/code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/102 --- .../doc-forgejo-actions-secrets.doc.md | 1 + docs/reference/services/forgejo.md | 20 +++++++++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 docs/changelog.d/doc-forgejo-actions-secrets.doc.md diff --git a/docs/changelog.d/doc-forgejo-actions-secrets.doc.md b/docs/changelog.d/doc-forgejo-actions-secrets.doc.md new file mode 100644 index 0000000..d2e2e15 --- /dev/null +++ b/docs/changelog.d/doc-forgejo-actions-secrets.doc.md @@ -0,0 +1 @@ +Document Forgejo Actions secrets in forgejo reference card diff --git a/docs/reference/services/forgejo.md b/docs/reference/services/forgejo.md index 5bef9e6..16bb5f8 100644 --- a/docs/reference/services/forgejo.md +++ b/docs/reference/services/forgejo.md 
@@ -37,10 +37,26 @@ Git forge and CI/CD platform. **Primary source of truth for blumeops** (mirrored **Workflows:** `.forgejo/workflows/` - `build-container.yaml` - Container image builds on tag +- `build-blumeops.yaml` - Documentation builds and releases -## Secrets +## Secrets (Forgejo Config) -Managed via 1Password: `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret`, `runner_reg` +Server configuration secrets managed via 1Password → Ansible: +- `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret` - Forgejo server tokens +- `runner_reg` - Runner registration token (also in k8s via [[external-secrets]]) + +## Forgejo Actions Secrets + +Repository-level secrets for CI/CD workflows. **Not IaC** - managed in Forgejo UI at: +`Settings → Actions → Secrets` + +| Secret | Used By | Purpose | +|--------|---------|---------| +| `ARGOCD_AUTH_TOKEN` | `build-blumeops.yaml` | Sync docs app after release | + +These secrets are injected as `${{ secrets.SECRET_NAME }}` in workflow files. + +> **Note:** These secrets are also stored in 1Password ("Forgejo Secrets" item) as the source of truth, but were manually copied to Forgejo. They will not auto-update if the 1Password value changes. ## Related
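Review bot: The new `Forgejo Actions Secrets` table and the note under it say where `ARGOCD_AUTH_TOKEN` lives and that the Forgejo copy will not follow 1Password, but not what the token is allowed to do or how it is rotated, and that is exactly what the next operator needs when the token expires, is revoked, or has to be replaced after the drift the note warns about. Suggest recording, next to the table, which ArgoCD account the token was issued for and the narrowest RBAC that still lets `build-blumeops.yaml` do its job (sync on the docs app only, so a token exposed through a CI job cannot sync or delete other apps), and the rotation order: issue the new token, update the 1Password "Forgejo Secrets" item first, then paste it into `Settings → Actions → Secrets`; a column such as `| Secret | Used By | Purpose | Rotation |` would keep this with the secret it belongs to. The `runner_reg` bullet deserves the same caveat: the Ansible copy and the [[external-secrets]] copy are two independent sources that can drift, just like the manually copied Actions secrets.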