blumeops/argocd/manifests/forgejo-runner/external-secret.yaml

# ExternalSecret for Forgejo Runner environment
#
# Replaces the manual op inject workflow from secret.yaml.tpl
#
# 1Password item: "Forgejo Secrets" in blumeops vault
# Field: runner_reg (runner registration token)
#
# Note: Static values (FORGEJO_URL, RUNNER_NAME, RUNNER_LABELS) are included
# via template since they don't need to be in 1Password.
#
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: forgejo-runner-env
  namespace: forgejo-runner
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-blumeops
  target:
    name: forgejo-runner-env
    creationPolicy: Owner
    template:
      data:
        FORGEJO_URL: "https://forge.ops.eblu.me"
        RUNNER_NAME: "k8s-runner"
        RUNNER_LABELS: "k8s:docker://registry.ops.eblu.me/blumeops/forgejo-runner:v2.5.1"
        RUNNER_TOKEN: "{{ .runner_token }}"
  data:
  - secretKey: runner_token
    remoteRef:
      key: Forgejo Secrets
      property: runner_reg