Remove ARGOCD_AUTH_TOKEN from external secret

Workflow secrets come from Forgejo's secret store, not runner env. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 17:17:44 -08:00 · 2026-02-03 17:17:44 -08:00 · aaf5090509
commit aaf5090509
parent 492aa9a104
1 changed files with 1 additions and 8 deletions
--- a/argocd/manifests/forgejo-runner/external-secret.yaml
+++ b/argocd/manifests/forgejo-runner/external-secret.yaml
@ -3,9 +3,7 @@
 # Replaces the manual op inject workflow from secret.yaml.tpl
 #
 # 1Password item: "Forgejo Secrets" in blumeops vault
-# Fields:
-#   - runner_reg: Runner registration token
-#   - argocd_token: API token for workflow-bot account (for auto-deploying docs)
+# Field: runner_reg (runner registration token)
 #
 # Note: Static values (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) are included
 # via template since they don't need to be in 1Password.
@ -29,13 +27,8 @@ spec:
        RUNNER_NAME: "k8s-runner"
        RUNNER_LABELS: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v2.5.0"
        RUNNER_TOKEN: "{{ .runner_token }}"
-        ARGOCD_AUTH_TOKEN: "{{ .argocd_token }}"
  data:
  - secretKey: runner_token
    remoteRef:
      key: Forgejo Secrets
      property: runner_reg
-  - secretKey: argocd_token
-    remoteRef:
-      key: Forgejo Secrets
-      property: argocd_token