Extend forgejo_actions_secrets role to support multiple repos

Uses subelements loop to sync secrets across repos. Adds FORGE_TOKEN to the cv repo for package uploads. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 11:15:28 -08:00 · 2026-02-12 11:15:28 -08:00 · cd25dae8f9
commit cd25dae8f9
parent 01e19023ee
2 changed files with 17 additions and 12 deletions
--- a/ansible/roles/forgejo_actions_secrets/defaults/main.yml
+++ b/ansible/roles/forgejo_actions_secrets/defaults/main.yml
@ -6,12 +6,17 @@

 forgejo_actions_secrets_api_url: "https://forge.ops.eblu.me/api/v1"
 forgejo_actions_secrets_owner: eblume
-forgejo_actions_secrets_repo: blumeops

-# Secrets to sync: list of {name: "SECRET_NAME", value_var: "ansible_fact_name"}
-# The value_var references an Ansible fact set in playbook pre_tasks
-forgejo_actions_secrets_list:
-  - name: ARGOCD_AUTH_TOKEN
-    value_var: forgejo_secret_argocd_token
-  - name: FLY_DEPLOY_TOKEN
-    value_var: forgejo_secret_fly_deploy_token
+# Secrets to sync per repo.
+# Each entry: {repo: "name", secrets: [{name: "SECRET_NAME", value_var: "ansible_fact_name"}]}
+forgejo_actions_secrets_repos:
+  - repo: blumeops
+    secrets:
+      - name: ARGOCD_AUTH_TOKEN
+        value_var: forgejo_secret_argocd_token
+      - name: FLY_DEPLOY_TOKEN
+        value_var: forgejo_secret_fly_deploy_token
+  - repo: cv
+    secrets:
+      - name: FORGE_TOKEN
+        value_var: forgejo_api_token
--- a/ansible/roles/forgejo_actions_secrets/tasks/main.yml
+++ b/ansible/roles/forgejo_actions_secrets/tasks/main.yml
@ -13,20 +13,20 @@

 - name: Sync Actions secrets to Forgejo
  ansible.builtin.uri:
-    url: "{{ forgejo_actions_secrets_api_url }}/repos/{{ forgejo_actions_secrets_owner }}/{{ forgejo_actions_secrets_repo }}/actions/secrets/{{ item.name }}"
+    url: "{{ forgejo_actions_secrets_api_url }}/repos/{{ forgejo_actions_secrets_owner }}/{{ item.0.repo }}/actions/secrets/{{ item.1.name }}"
    method: PUT
    headers:
      Authorization: "token {{ forgejo_api_token }}"
      Content-Type: "application/json"
    body_format: json
    body:
-      data: "{{ lookup('vars', item.value_var) }}"
+      data: "{{ lookup('vars', item.1.value_var) }}"
    status_code: [201, 204]
  register: forgejo_actions_secrets_result
  # API returns 201 for create, 204 for update. We can't check if value changed
  # (secrets are write-only), so only report changed when creating new secrets.
  changed_when: forgejo_actions_secrets_result.status == 201
-  loop: "{{ forgejo_actions_secrets_list }}"
+  loop: "{{ forgejo_actions_secrets_repos | subelements('secrets') }}"
  loop_control:
-    label: "{{ item.name }}"
+    label: "{{ item.0.repo }}/{{ item.1.name }}"
  no_log: true