ci: use runner host env vars for Vault AppRole credentials

Switch VAULT_ROLE_ID, VAULT_SECRET_ID, and K8S_CA_CERT from Gitea repo
secrets to shell env vars, which are injected via the runner host's
systemd EnvironmentFile — keeping credentials off Gitea entirely.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/kubernetes-deploy.yaml

@@ -13,6 +13,8 @@ jobs:
 
       - name: Get Vault token
         run: |
+          set -euxo pipefail
+          
           IDTOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
             "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://vault.hrajfrisbee.cz/")
           
@@ -50,9 +52,10 @@ jobs:
         run: |
           set -euxo pipefail
 
-          # Authenticate to Vault (AppRole — no CLI needed)
+          # Credentials come from runner host env vars (set via systemd EnvironmentFile),
+          # not from Gitea repo secrets — so they never touch Gitea's secret store.
           VAULT_AUTH_RESPONSE=$(curl -f --request POST \
-            --data '{"role_id":"${{ secrets.VAULT_ROLE_ID }}","secret_id":"${{ secrets.VAULT_SECRET_ID }}"}' \
+            --data "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}" \
             https://vault.hrajfrisbee.cz/v1/auth/approle/login)
 
           echo "Vault auth response: $VAULT_AUTH_RESPONSE" >&2
@@ -91,7 +94,7 @@ jobs:
 
       - name: Configure kubectl & deploy
         run: |
-          echo "${{ secrets.K8S_CA_CERT }}" > /tmp/ca.crt
+          echo "${K8S_CA_CERT}" > /tmp/ca.crt
           
           kubectl config set-cluster mycluster \
             --server=https://192.168.0.31:6443 \