From cd25dae8f9dc88af12f60d9950233e3e04e551f1 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Thu, 12 Feb 2026 11:15:28 -0800
Subject: [PATCH] Extend forgejo_actions_secrets role to support multiple repos
Uses subelements loop to sync secrets across repos. Adds FORGE_TOKEN to the cv repo for package uploads.
Co-Authored-By: Claude Opus 4.6
---
.../forgejo_actions_secrets/defaults/main.yml | 21 ++++++++++++-------
.../forgejo_actions_secrets/tasks/main.yml | 8 +++----
2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/ansible/roles/forgejo_actions_secrets/defaults/main.yml b/ansible/roles/forgejo_actions_secrets/defaults/main.yml
index d46a968..3aebfc8 100644
--- a/ansible/roles/forgejo_actions_secrets/defaults/main.yml
+++ b/ansible/roles/forgejo_actions_secrets/defaults/main.yml
@@ -6,12 +6,17 @@
forgejo_actions_secrets_api_url: "https://forge.ops.eblu.me/api/v1"
forgejo_actions_secrets_owner: eblume
-forgejo_actions_secrets_repo: blumeops
-# Secrets to sync: list of {name: "SECRET_NAME", value_var: "ansible_fact_name"}
-# The value_var references an Ansible fact set in playbook pre_tasks
-forgejo_actions_secrets_list:
- - name: ARGOCD_AUTH_TOKEN
- value_var: forgejo_secret_argocd_token
- - name: FLY_DEPLOY_TOKEN
- value_var: forgejo_secret_fly_deploy_token
+# Secrets to sync per repo.
+# Each entry: {repo: "name", secrets: [{name: "SECRET_NAME", value_var: "ansible_fact_name"}]}
+forgejo_actions_secrets_repos:
+ - repo: blumeops
+ secrets:
+ - name: ARGOCD_AUTH_TOKEN
+ value_var: forgejo_secret_argocd_token
+ - name: FLY_DEPLOY_TOKEN
+ value_var: forgejo_secret_fly_deploy_token
+ - repo: cv
+ secrets:
+ - name: FORGE_TOKEN
+ value_var: forgejo_api_token
diff --git a/ansible/roles/forgejo_actions_secrets/tasks/main.yml b/ansible/roles/forgejo_actions_secrets/tasks/main.yml
index 95b2e13..4508dc9 100644
--- a/ansible/roles/forgejo_actions_secrets/tasks/main.yml
+++ b/ansible/roles/forgejo_actions_secrets/tasks/main.yml
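Review bot: The new `cv` entry sets `value_var: forgejo_api_token`, the same variable the sync task sends in its `Authorization` header to write secrets into every repo in this list, so the `FORGE_TOKEN` secret handed to `cv` workflows is the role's own management credential rather than one limited to package uploads. Unless that token is already scoped down on the Forgejo side, I would provision a separate token as its own fact and reference it like the other entries, e.g. `value_var: forgejo_secret_cv_package_token`, so a leak from a `cv` workflow cannot rewrite secrets in `blumeops`. The rewritten header comment also dropped the sentence saying where the facts come from; I would keep a line such as `# Each value_var names an Ansible fact set in playbook pre_tasks.`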
@@ -13,20 +13,20 @@
- name: Sync Actions secrets to Forgejo
ansible.builtin.uri:
- url: "{{ forgejo_actions_secrets_api_url }}/repos/{{ forgejo_actions_secrets_owner }}/{{ forgejo_actions_secrets_repo }}/actions/secrets/{{ item.name }}"
+ url: "{{ forgejo_actions_secrets_api_url }}/repos/{{ forgejo_actions_secrets_owner }}/{{ item.0.repo }}/actions/secrets/{{ item.1.name }}"
method: PUT
headers:
Authorization: "token {{ forgejo_api_token }}"
Content-Type: "application/json"
body_format: json
body:
- data: "{{ lookup('vars', item.value_var) }}"
+ data: "{{ lookup('vars', item.1.value_var) }}"
status_code: [201, 204]
register: forgejo_actions_secrets_result
# API returns 201 for create, 204 for update. We can't check if value changed
# (secrets are write-only), so only report changed when creating new secrets.
changed_when: forgejo_actions_secrets_result.status == 201
- loop: "{{ forgejo_actions_secrets_list }}"
+ loop: "{{ forgejo_actions_secrets_repos | subelements('secrets') }}"
loop_control:
- label: "{{ item.name }}"
+ label: "{{ item.0.repo }}/{{ item.1.name }}"
no_log: true
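Review bot: With `no_log: true` retained on this task, a `lookup('vars', item.1.value_var)` on an undefined fact fails with censored output, label included as far as I can tell, so now that the loop spans several repos the operator cannot see which repo/secret entry is broken. I would add a preceding `ansible.builtin.assert` over the same `subelements('secrets')` loop that only checks `item.1.value_var in vars`; it prints no secret values, so it can run without `no_log` and name the offending entry in its `fail_msg`. Note also that `subelements` errors on a repo entry without a `secrets` key, which is reasonable behaviour but worth stating in the defaults comment.
```yaml
- name: Check that every secret value fact is defined
  ansible.builtin.assert:
    that:
      - item.1.value_var in vars
    quiet: true
    fail_msg: "{{ item.0.repo }}/{{ item.1.name }}: fact '{{ item.1.value_var }}' is not defined"
  loop: "{{ forgejo_actions_secrets_repos | subelements('secrets') }}"
  loop_control:
    label: "{{ item.0.repo }}/{{ item.1.name }}"

# … unchanged: Sync Actions secrets to Forgejo task …
```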