ci: switch deploy secrets to age key workflow

.forgejo/workflows/deploy-cloudflare.yml

@@ -11,25 +11,76 @@ concurrency:
 
 jobs:
   deploy:
-    # Use Codeberg global hosted runners by label.
-    # Available labels in this repo are: codeberg-tiny, codeberg-small, codeberg-medium.
     runs-on: codeberg-medium
     steps:
-      - name: Deploy website + worker
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CODEBERG_TOKEN: ${{ secrets.CODEBERG_TOKEN }}
+      - name: Checkout
+        uses: https://code.forgejo.org/actions/checkout@v4
+        with:
+          token: ${{ github.token }}
+          fetch-depth: 0
+          lfs: false
+
+      - name: Bootstrap runner deps
+        shell: bash
         run: |
           set -euo pipefail
-          if [[ ! -f "./scripts/deploy-workers.sh" ]]; then
-            if [[ -z "${CODEBERG_TOKEN:-}" ]]; then
-              echo "error: workspace missing repo files and CODEBERG_TOKEN is not set"
+          as_root() {
+            if [[ "$(id -u)" = "0" ]]; then
+              "$@"
+            elif command -v sudo >/dev/null 2>&1; then
+              sudo "$@"
+            else
+              echo "error: need root or sudo to install runner dependencies"
               exit 2
             fi
-            git clone "https://every-channel:${CODEBERG_TOKEN}@codeberg.org/every-channel/every.channel.git" .repo
-            cd .repo
+          }
+          if command -v apt-get >/dev/null 2>&1; then
+            as_root apt-get update
+            as_root apt-get install -y curl ca-certificates nodejs npm age
+          elif command -v apk >/dev/null 2>&1; then
+            as_root apk add --no-cache curl ca-certificates nodejs npm age
           fi
 
+      - name: Configure CI Age identity
+        env:
+          AGE_FORGE_SSH_KEY: ${{ secrets.AGE_FORGE_SSH_KEY }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ -z "${AGE_FORGE_SSH_KEY:-}" ]]; then
+            echo "error: missing Actions secret AGE_FORGE_SSH_KEY"
+            exit 2
+          fi
+          install -d -m 700 "$HOME/.ssh"
+          if [[ "${AGE_FORGE_SSH_KEY}" == "-----BEGIN OPENSSH PRIVATE KEY-----"* ]]; then
+            printf '%s\n' "${AGE_FORGE_SSH_KEY}" > "$HOME/.ssh/age_forge_ed25519"
+          else
+            printf '%s' "${AGE_FORGE_SSH_KEY}" | base64 -d > "$HOME/.ssh/age_forge_ed25519"
+          fi
+          chmod 600 "$HOME/.ssh/age_forge_ed25519"
+
+      - name: Decrypt CI secrets from repo
+        shell: bash
+        run: |
+          set -euo pipefail
+          key_file="$HOME/.ssh/age_forge_ed25519"
+          secret_file="secrets/cloudflare-api-token.age"
+          if [[ ! -f "$secret_file" ]]; then
+            echo "error: missing ${secret_file}"
+            exit 2
+          fi
+          CLOUDFLARE_API_TOKEN="$(age -d -i "$key_file" "$secret_file")"
+          if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
+            echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
+            exit 2
+          fi
+          echo "::add-mask::${CLOUDFLARE_API_TOKEN}"
+          echo "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" >> "$GITHUB_ENV"
+
+      - name: Build site (Dioxus web)
+        shell: bash
+        run: |
+          set -euo pipefail
           if ! command -v cargo >/dev/null 2>&1; then
             curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
             . "$HOME/.cargo/env"
@@ -41,14 +92,13 @@ jobs:
             cargo install trunk --locked
           fi
 
-          if ! command -v npm >/dev/null 2>&1; then
-            echo "error: npm is not available on this runner"
-            exit 2
-          fi
-
           cd apps/tauri/ui
           trunk build --release --public-url /
 
+      - name: Deploy worker
+        shell: bash
+        run: |
+          set -euo pipefail
           cd ../../../deploy/cloudflare-worker
           npm ci
           npx wrangler deploy