From ed8abc9b569a6b78437ad8f753a37a11e356dccb Mon Sep 17 00:00:00 2001
From: Jan Novak
Date: Sun, 1 Mar 2026 23:30:39 +0100
Subject: [PATCH] ci: remove dead OIDC steps, use repo secrets for AppRole auth

Gitea doesn't implement Actions OIDC tokens yet. Drop the experimental id_token steps and use VAULT_ROLE_ID/VAULT_SECRET_ID/K8S_CA_CERT as standard Gitea repo secrets.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/kubernetes-deploy.yaml | 37 ++-----------------------
 1 file changed, 2 insertions(+), 35 deletions(-)

diff --git a/.gitea/workflows/kubernetes-deploy.yaml b/.gitea/workflows/kubernetes-deploy.yaml
index 283e85e..fbd14c2 100644
--- a/.gitea/workflows/kubernetes-deploy.yaml
+++ b/.gitea/workflows/kubernetes-deploy.yaml
@@ -11,37 +11,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Get Vault token
-        run: |
-          set -euxo pipefail
-
-          IDTOKEN=$(curl -sS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" \
-            "${ACTIONS_ID_TOKEN_REQUEST_URL:-}&audience=https://vault.hrajfrisbee.cz/")
-
-          TOKEN=$(echo "$IDTOKEN" | jq -r '.value')
-
-          VAULT_TOKEN=$(curl -sS --request POST \
-            --data "{\"jwt\": \"$TOKEN\", \"role\": \"gitea-actions\"}" \
-            https://vault.hrajfrisbee.cz/v1/auth/jwt/login | jq -r '.auth.client_token')
-
-          echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
-
-      - name: Debug - print env and OIDC info
-        run: |
-          echo "=== Environment ==="
-          env | sort
-          echo ""
-          echo "=== ID Token (decoded) ==="
-          IDTOKEN=$(curl -sS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" \
-            "${ACTIONS_ID_TOKEN_REQUEST_URL:-}&audience=https://vault.hrajfrisbee.cz/")
-          echo "$IDTOKEN" | jq -r '.value' | cut -d. -f2 | base64 -d 2>/dev/null | jq .
-
-      - name: Read secret from Vault
-        run: |
-          SECRET=$(curl -sS -H "X-Vault-Token: $VAULT_TOKEN" \
-            https://vault.hrajfrisbee.cz//v1/secret/data/k8s_home/gitea/gitea-ci-token | jq -r '.data.data.token')
-          echo "SECRET=$SECRET" >> "$GITHUB_ENV"
-
       - name: Install kubectl
         run: |
           curl -sfLO "https://dl.k8s.io/release/$(curl -sfL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
@@ -52,10 +21,8 @@ jobs:
         run: |
           set -euxo pipefail
 
-          # Credentials come from runner host env vars (set via systemd EnvironmentFile),
-          # not from Gitea repo secrets — so they never touch Gitea's secret store.
           VAULT_AUTH_RESPONSE=$(curl -f --request POST \
-            --data "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}" \
+            --data '{"role_id":"${{ secrets.VAULT_ROLE_ID }}","secret_id":"${{ secrets.VAULT_SECRET_ID }}"}' \
             https://vault.hrajfrisbee.cz/v1/auth/approle/login)
           echo "Vault auth response: $VAULT_AUTH_RESPONSE" >&2
 
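Review bot: The new `--data` line in the second hunk splices `${{ secrets.VAULT_ROLE_ID }}` and `${{ secrets.VAULT_SECRET_ID }}` into the script text itself, so the secret values become part of the shell source the runner materialises and, because `set -euxo pipefail` is still in effect two lines above, part of the traced curl command in the job log (runner log masking is best-effort); a secret containing `'`, `"` or `\` would also break the single-quoted JSON literal. Pass both values through the step's `env:` (the step header is outside this hunk) and keep the previous shell-variable form of the JSON, and drop `x` from the `set` line so the expanded request is not echoed. The third hunk has the same pattern with `echo "${{ secrets.K8S_CA_CERT }}" > /tmp/ca.crt`, where an `env:` entry plus `printf '%s\n' "$K8S_CA_CERT" > /tmp/ca.crt` avoids both the interpolation and echo's handling of the PEM text. The pre-existing `echo "Vault auth response: $VAULT_AUTH_RESPONSE" >&2` on the trailing context line still writes the full login response, which carries the client token, to the log and is worth trimming in the same pass.
```yaml
        env:
          VAULT_ROLE_ID: ${{ secrets.VAULT_ROLE_ID }}
          VAULT_SECRET_ID: ${{ secrets.VAULT_SECRET_ID }}
        run: |
          set -euo pipefail

          VAULT_AUTH_RESPONSE=$(curl -f --request POST \
            --data "{\"role_id\":\"${VAULT_ROLE_ID}\",\"secret_id\":\"${VAULT_SECRET_ID}\"}" \
            https://vault.hrajfrisbee.cz/v1/auth/approle/login)
          # … unchanged: auth response handling …
```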
@@ -94,7 +61,7 @@ jobs:
 
       - name: Configure kubectl & deploy
         run: |
-          echo "${K8S_CA_CERT}" > /tmp/ca.crt
+          echo "${{ secrets.K8S_CA_CERT }}" > /tmp/ca.crt
           kubectl config set-cluster mycluster \
             --server=https://192.168.0.31:6443 \