ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -105,4 +105,25 @@
         'OIDC_CLIENT_ID': gitea_app.id,
         'OIDC_CLIENT_SECRET': gitea_app.secret,
       }) | b64encode }}
-    gitea_owner_type: 'org' # value != 'user'
+    gitea_owner_type: 'org' # value != 'user'
+
+# Also propagate the same secret to user-owned namespaces. Gitea Action secrets
+# are scoped per owner, so repos under a user account cannot read org-level
+# secrets. Extend this list if other personal-namespace apps need vault auth.
+- name: Propagate vault_oauth__sh_b64 to user-owned namespaces
+  include_role:
+    name: arcodange.factory.gitea_secret
+  vars:
+    gitea_secret_name: vault_oauth__sh_b64
+    gitea_secret_value: >-
+      {{ lookup('ansible.builtin.template', 'oidc_jwt_token.sh.j2', template_vars = {
+        'GITEA_BASE_URL': 'https://gitea.arcodange.lab',
+        'OIDC_CLIENT_ID': gitea_app.id,
+        'OIDC_CLIENT_SECRET': gitea_app.secret,
+      }) | b64encode }}
+    gitea_owner_type: 'user'
+    gitea_owner_name: '{{ item }}'
+  loop:
+    - arcodange
+  loop_control:
+    label: '{{ item }}'