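---
# Binds the Gitea CI identity to the built-in `edit` ClusterRole.
#
# NOTE(review): a ClusterRoleBinding applies the role in every namespace,
# kube-system included. `edit` can read and write Secrets and run Pods as any
# ServiceAccount in a namespace, so this identity can reach whatever those
# ServiceAccounts can. If CI deploys to a known set of namespaces, one
# RoleBinding per namespace (it may still reference ClusterRole `edit`) or a
# purpose-built Role limits what a leaked CI token can touch.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitea-ci-deploy
subjects:
  - kind: User
    # Must equal the username the API server derives from the token.
    # NOTE(review): no issuer prefix appears in this name, so it presumably
    # relies on the OIDC username prefix being disabled on the API server;
    # confirm. OIDC does not guarantee that preferred_username is unique, so
    # also confirm the IdP cannot issue this value to another account.
    name: "gitea_ci@idm.home.hrajfrisbee.cz"  # matches preferred_username claim
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  # roleRef is immutable: narrowing it later means deleting and recreating
  # this binding.
  name: edit  # scope down as needed
  apiGroup: rbac.authorization.k8s.io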