♻️ refactor(ansible): move gitea secret user-propagation list to inventory

Follow-up to PR #3. The user list for vault_oauth__sh_b64 propagation now lives in inventory/group_vars/all/gitea.yml under gitea_secret_propagation_users instead of being hardcoded in the task. Easier to extend without touching the playbook code. Re-run the playbook (no behavioral change unless the list contents changed).

ansible/arcodange/factory/inventory/group_vars/all/gitea.yml

@@ -0,0 +1,11 @@
+---
+# Gitea ownership configuration consumed by playbooks running on `localhost`
+# (e.g. tools/hashicorp_vault.yml). Role-level defaults (gitea_username,
+# gitea_organization) live in roles/gitea_secret/defaults/main.yml ; this file
+# is for fact lists that the inventory should declare.
+
+# Users (Gitea owner_type=user) to which org-level Gitea Action secrets must
+# also be propagated. Repos owned by these users cannot read org-level secrets,
+# so the secret propagation playbook iterates over this list.
+gitea_secret_propagation_users:
+  - arcodange

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -123,7 +123,6 @@
       }) | b64encode }}
     gitea_owner_type: 'user'
     gitea_owner_name: '{{ item }}'
-  loop:
+  loop: '{{ gitea_secret_propagation_users }}'
-    - arcodange
   loop_control:
     label: '{{ item }}'