From c9573390f42a936fe346be87347bb06800166e91 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Wed, 4 Feb 2026 07:31:14 -0800 Subject: [PATCH] Document Forgejo Actions secrets in reference card - Add Forgejo Actions Secrets section for repo-level CI/CD secrets - Note that secrets are also in 1Password but manually synced - Add missing build-blumeops.yaml workflow to list - Clarify distinction between server config secrets vs CI/CD secrets Co-Authored-By: Claude Opus 4.5 --- .../doc-forgejo-actions-secrets.doc.md | 1 + docs/reference/services/forgejo.md | 20 +++++++++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 docs/changelog.d/doc-forgejo-actions-secrets.doc.md diff --git a/docs/changelog.d/doc-forgejo-actions-secrets.doc.md b/docs/changelog.d/doc-forgejo-actions-secrets.doc.md new file mode 100644 index 0000000..d2e2e15 --- /dev/null +++ b/docs/changelog.d/doc-forgejo-actions-secrets.doc.md @@ -0,0 +1 @@ +Document Forgejo Actions secrets in forgejo reference card diff --git a/docs/reference/services/forgejo.md b/docs/reference/services/forgejo.md index 5bef9e6..16bb5f8 100644 --- a/docs/reference/services/forgejo.md +++ b/docs/reference/services/forgejo.md 
@@ -37,10 +37,26 @@ Git forge and CI/CD platform. **Primary source of truth for blumeops** (mirrored **Workflows:** `.forgejo/workflows/` - `build-container.yaml` - Container image builds on tag +- `build-blumeops.yaml` - Documentation builds and releases -## Secrets +## Secrets (Forgejo Config) -Managed via 1Password: `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret`, `runner_reg` +Server configuration secrets managed via 1Password → Ansible: +- `lfs-jwt-secret`, `internal-token`, `oauth2-jwt-secret` - Forgejo server tokens +- `runner_reg` - Runner registration token (also in k8s via [[external-secrets]]) + +## Forgejo Actions Secrets + +Repository-level secrets for CI/CD workflows. **Not IaC** - managed in Forgejo UI at: +`Settings → Actions → Secrets` + +| Secret | Used By | Purpose | +|--------|---------|---------| +| `ARGOCD_AUTH_TOKEN` | `build-blumeops.yaml` | Sync docs app after release | + +These secrets are injected as `${{ secrets.SECRET_NAME }}` in workflow files. + +> **Note:** These secrets are also stored in 1Password ("Forgejo Secrets" item) as the source of truth, but were manually copied to Forgejo. They will not auto-update if the 1Password value changes. ## Related -- 2.50.1 (Apple Git-155)
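Review bot: The closing note in the new "Forgejo Actions Secrets" section calls the 1Password "Forgejo Secrets" item the source of truth, yet also says the Forgejo copies were entered by hand and will not auto-update, so the section records a drift risk without saying how to close it. Suggest adding a short rotation procedure beside the table: update the 1Password item, re-enter the value at `Settings → Actions → Secrets`, then re-run `build-blumeops.yaml` to confirm the sync step still authenticates. The table row for `ARGOCD_AUTH_TOKEN` gives only its purpose ("Sync docs app after release"); a sentence or extra column stating what the token is permitted to do would let a reader check that it is limited to that one task. Separately, renaming `## Secrets` to `## Secrets (Forgejo Config)` changes the heading anchor, so any existing links to the old section heading are worth checking before merge.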