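---
# Copies the Supabase URL and anon key for the dev and prod environments out of
# Vault and publishes them as two Gitea Actions repository variables
# (ENV_FILE_DEV / ENV_FILE_PROD), each holding a small dotenv-style file.
#
# Required variables: vault_addr, gitea_base_url, gitea_owner, gitea_repo.
#
# Security notes for maintainers:
#   * The values land in Gitea Actions *variables*, not Actions *secrets*.
#     Only publish values that may be read by anyone who can view the
#     repository's Actions configuration or workflow output. Do not extend
#     these env files with privileged credentials; use Actions secrets for
#     those.
#   * vault_addr is concatenated into the lookup's "key=value" term string, so
#     it must come from trusted inventory or extra-vars, never from external
#     input.
#   * The Vault credential and the Gitea API token are sent to vault_addr and
#     gitea_base_url respectively; both should be https:// endpoints.
#   * No Vault auth options are passed to the lookup, so authentication
#     presumably comes from the controller's environment. Confirm this.
- name: Sync Supabase secrets to Gitea repo variables
  hosts: localhost
  connection: local
  gather_facts: false

  tasks:
    # Every later task runs with no_log, so an undefined variable there would
    # only produce a censored error. Fail early, with a readable message,
    # before any secret is read.
    - name: Check that required connection variables are defined
      ansible.builtin.assert:
        that:
          - vault_addr is defined
          - gitea_base_url is defined
          - gitea_owner is defined
          - gitea_repo is defined
        fail_msg: >-
          vault_addr, gitea_base_url, gitea_owner and gitea_repo must all be
          set (inventory or --extra-vars) before syncing.
        quiet: true

    - name: Read Supabase dev secrets from Vault
      ansible.builtin.set_fact:
        _supabase_dev: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=oys/dev/supabase url=' + vault_addr + ' engine_mount_point=kv') }}"
      no_log: true

    - name: Read Supabase prod secrets from Vault
      ansible.builtin.set_fact:
        _supabase_prod: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=oys/prod/supabase url=' + vault_addr + ' engine_mount_point=kv') }}"
      no_log: true

    # The token is only used in the Authorization header of the two PUT
    # requests below.
    - name: Read Gitea API token from Vault
      ansible.builtin.set_fact:
        _gitea_token: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=oys/shared/infra/gitea_token url=' + vault_addr + ' engine_mount_point=kv') }}"
      no_log: true

    # Literal block scalar: one KEY=value per line, with a trailing newline.
    - name: Construct ENV_FILE_DEV content
      ansible.builtin.set_fact:
        _env_file_dev: |
          SUPABASE_URL={{ _supabase_dev.url }}
          SUPABASE_ANON_KEY={{ _supabase_dev.anon_key }}
      no_log: true

    - name: Construct ENV_FILE_PROD content
      ansible.builtin.set_fact:
        _env_file_prod: |
          SUPABASE_URL={{ _supabase_prod.url }}
          SUPABASE_ANON_KEY={{ _supabase_prod.anon_key }}
      no_log: true

    # PUT targets a named variable; any status other than 201/204 fails the
    # task. NOTE(review): a variable that does not exist yet is presumably
    # rejected by the API. Confirm that it has been created beforehand.
    # no_log keeps the Authorization header and the body out of task output.
    - name: Update ENV_FILE_DEV Gitea variable
      ansible.builtin.uri:
        url: "{{ gitea_base_url }}/api/v1/repos/{{ gitea_owner }}/{{ gitea_repo }}/actions/variables/ENV_FILE_DEV"
        method: PUT
        headers:
          Authorization: "token {{ _gitea_token.value }}"
          Content-Type: application/json
        body_format: json
        body:
          value: "{{ _env_file_dev }}"
        status_code: [201, 204]
      no_log: true

    - name: Update ENV_FILE_PROD Gitea variable
      ansible.builtin.uri:
        url: "{{ gitea_base_url }}/api/v1/repos/{{ gitea_owner }}/{{ gitea_repo }}/actions/variables/ENV_FILE_PROD"
        method: PUT
        headers:
          Authorization: "token {{ _gitea_token.value }}"
          Content-Type: application/json
        body_format: json
        body:
          value: "{{ _env_file_prod }}"
        status_code: [201, 204]
      no_log: true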