dev: add tea + agenix; optional agenix tokens

scripts/deploy-workers.sh

@@ -8,6 +8,7 @@ cd "${root}"
 # Prefer setting env vars directly in CI (`CLOUDFLARE_API_TOKEN`).
 token_file="${EVERY_CHANNEL_CF_TOKEN_FILE:-}"
 account_file="${EVERY_CHANNEL_CF_ACCOUNT_FILE:-}"
+agenix_secret="${EVERY_CHANNEL_CF_TOKEN_AGE_SECRET:-secrets/cloudflare-api-token.age}"
 
 if [[ -z "${CLOUDFLARE_API_TOKEN:-}" && -n "${token_file}" && -f "${token_file}" ]]; then
   export CLOUDFLARE_API_TOKEN
@@ -19,6 +20,11 @@ if [[ -z "${CLOUDFLARE_ACCOUNT_ID:-}" && -n "${account_file}" && -f "${account_f
   CLOUDFLARE_ACCOUNT_ID="$(cat "${account_file}")"
 fi
 
+if [[ -z "${CLOUDFLARE_API_TOKEN:-}" && -f "${agenix_secret}" && -x "$(command -v agenix)" ]]; then
+  export CLOUDFLARE_API_TOKEN
+  CLOUDFLARE_API_TOKEN="$(agenix -d "${agenix_secret}")"
+fi
+
 if [[ -z "${CLOUDFLARE_API_TOKEN:-}" ]]; then
   echo "error: CLOUDFLARE_API_TOKEN is not set" >&2
   exit 2

scripts/tea-login-codeberg.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "${root}"
+
+# Forgejo CLI: `tea` (Gitea-compatible)
+#
+# Auth token source order:
+# 1) CODEBERG_TOKEN env var
+# 2) `agenix -d secrets/codeberg-token.age` (optional)
+
+if [[ -z "${CODEBERG_TOKEN:-}" && -f secrets/codeberg-token.age && -x "$(command -v agenix)" ]]; then
+  export CODEBERG_TOKEN
+  CODEBERG_TOKEN="$(agenix -d secrets/codeberg-token.age)"
+fi
+
+if [[ -z "${CODEBERG_TOKEN:-}" ]]; then
+  echo "error: CODEBERG_TOKEN is not set" >&2
+  echo "hint: set CODEBERG_TOKEN or create secrets/codeberg-token.age via agenix" >&2
+  exit 2
+fi
+
+# Name the login "codeberg" and point at https://codeberg.org.
+tea login add --name codeberg --url https://codeberg.org --token "${CODEBERG_TOKEN}" --insecure=false
+echo "tea configured. Try: tea repo ls"
+