From aaf50905093efce803649ab55ccb86d0e45cdbb4 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Tue, 3 Feb 2026 17:17:44 -0800
Subject: [PATCH] Remove ARGOCD_AUTH_TOKEN from external secret

Workflow secrets come from Forgejo's secret store, not runner env.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 argocd/manifests/forgejo-runner/external-secret.yaml | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/argocd/manifests/forgejo-runner/external-secret.yaml b/argocd/manifests/forgejo-runner/external-secret.yaml
index d9cec70..0b8ae7e 100644
--- a/argocd/manifests/forgejo-runner/external-secret.yaml
+++ b/argocd/manifests/forgejo-runner/external-secret.yaml
@@ -3,9 +3,7 @@
 # Replaces the manual op inject workflow from secret.yaml.tpl
 #
 # 1Password item: "Forgejo Secrets" in blumeops vault
-# Fields:
-#   - runner_reg: Runner registration token
-#   - argocd_token: API token for workflow-bot account (for auto-deploying docs)
+# Field: runner_reg (runner registration token)
 #
 # Note: Static values (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) are included
 # via template since they don't need to be in 1Password.
@@ -29,13 +27,8 @@ spec:
         RUNNER_NAME: "k8s-runner"
         RUNNER_LABELS: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v2.5.0"
         RUNNER_TOKEN: "{{ .runner_token }}"
-        ARGOCD_AUTH_TOKEN: "{{ .argocd_token }}"
   data:
   - secretKey: runner_token
     remoteRef:
       key: Forgejo Secrets
       property: runner_reg
-  - secretKey: argocd_token
-    remoteRef:
-      key: Forgejo Secrets
-      property: argocd_token