♻️ refactor(ansible): move gitea secret user-propagation list to inventory

Follow-up to PR #3. The user list for vault_oauth__sh_b64 propagation now lives in inventory/group_vars/all/gitea.yml under gitea_secret_propagation_users instead of being hardcoded in the task. Easier to extend without touching the playbook code. Re-run the playbook (no behavioral change unless the list contents changed).

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -36,11 +36,6 @@
 
 
 
-# WARNING : this disables AND wipes ALL gitea_cicd_* per-app JWT roles
-# (created by tools/hashicorp-vault/iac/) every time it runs. Default is OFF
-# to preserve those roles across normal ansible runs ; opt-in only when you
-# really want to rebuild the OIDC backend from scratch (e.g. config drift on
-# bound_issuer or similar).
 - name: Delete existing Gitea OIDC backends if they exist
   include_tasks: vault_cmd.yml
   vars:
@@ -53,7 +48,6 @@
     - gitea_jwt
   loop_control:
     loop_var: backend_name
-  when: vault_oidc_force_reset | default(false) | bool
 
 - name: use tofu to provision vault
   block: