From 654c1def2ecde57735596190d4625d82150ed204 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Wed, 6 May 2026 14:47:51 +0200
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20refactor(ansible):=20move?=
 =?UTF-8?q?=20gitea=20secret=20user-propagation=20list=20to=20inventory?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Follow-up to PR #3. The user list for vault_oauth__sh_b64 propagation now lives in inventory/group_vars/all/gitea.yml under gitea_secret_propagation_users instead of being hardcoded in the task. Easier to extend without touching the playbook code. Re-run the playbook (no behavioral change unless the list contents changed).
---
 .../factory/inventory/group_vars/all/gitea.yml | 11 +++++++++++
 .../roles/hashicorp_vault/tasks/gitea_oidc_auth.yml | 3 +--
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 ansible/arcodange/factory/inventory/group_vars/all/gitea.yml

diff --git a/ansible/arcodange/factory/inventory/group_vars/all/gitea.yml b/ansible/arcodange/factory/inventory/group_vars/all/gitea.yml
new file mode 100644
index 0000000..837e292
--- /dev/null
+++ b/ansible/arcodange/factory/inventory/group_vars/all/gitea.yml
@@ -0,0 +1,11 @@
+---
+# Gitea ownership configuration consumed by playbooks running on `localhost`
+# (e.g. tools/hashicorp_vault.yml). Role-level defaults (gitea_username,
+# gitea_organization) live in roles/gitea_secret/defaults/main.yml ; this file
+# is for fact lists that the inventory should declare.
+
+# Users (Gitea owner_type=user) to which org-level Gitea Action secrets must
+# also be propagated. Repos owned by these users cannot read org-level secrets,
+# so the secret propagation playbook iterates over this list.
+gitea_secret_propagation_users:
+ - arcodange
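Review bot: The comment block above the new `gitea_secret_propagation_users` key explains why the list exists but not that it is effectively an access-control list: per the commit message, every user listed here gets `vault_oauth__sh_b64` pushed as a user-level Gitea Action secret, which any Actions workflow in a repository that user owns can presumably read. Because the file sits in `group_vars/all/`, the value can also be overridden by host_vars, other group_vars or `-e` extra-vars, so a stray override widens the secret's distribution without touching the playbook. I would add, directly above the key: `# SECURITY: adding a user here hands the org secret to every repository that user owns (and to anyone who can push a workflow there); review edits like an ACL change. Removing a user does not revoke a secret already pushed to Gitea — delete it there as well.` The revocation caveat is inferred from the commit only showing a propagation loop; drop it if the task also removes secrets for users no longer listed.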
diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
index 4d82e17..de80900 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -123,7 +123,6 @@
 }) | b64encode }}
 gitea_owner_type: 'user'
 gitea_owner_name: '{{ item }}'
- loop:
- - arcodange
+ loop: '{{ gitea_secret_propagation_users }}'
 loop_control:
 label: '{{ item }}'
\ No newline at end of file
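Review bot: The new `loop: '{{ gitea_secret_propagation_users }}'` takes the list of secret recipients from inventory with no check on its shape, and `gitea_owner_name: '{{ item }}'` hands each entry straight to the Gitea API, so a malformed override (a scalar, a null, a mistyped username) is only caught by Ansible's loop-type error or by the API call failing part-way through the list, after earlier entries already received the secret. Since this variable decides who gets the secret, I would validate it explicitly with an `ansible.builtin.assert` placed before this task, which also makes the trust placed in the inventory visible in the playbook rather than implicit. The enclosing task starts above the hunk, so please also confirm it carries `no_log: true` or otherwise never echoes the templated secret — the hunk shows only the `loop_control.label`, not the task header. The username pattern below is a conservative guess; adjust it to what Gitea actually accepts.

```yaml
- name: Validate the secret-propagation user list taken from inventory
  ansible.builtin.assert:
    that:
      - gitea_secret_propagation_users is not string
      - gitea_secret_propagation_users is iterable
      - gitea_secret_propagation_users | reject('match', '^[A-Za-z0-9._-]+$') | list | length == 0
    fail_msg: "gitea_secret_propagation_users must be a list of Gitea usernames"
    quiet: true

# … unchanged: the secret-propagation task whose loop this hunk changes (starts above the hunk) …
```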