From 1cca7c92674aba17a230c4e54bea3797c302941c Mon Sep 17 00:00:00 2001
From: Patrick de Ruiter
Date: Wed, 19 Nov 2025 13:32:59 +0100
Subject: [PATCH] fix: Remove unused TF_VAR_renovate_* variables from pipeline
The renovate_endpoint and renovate_token values are retrieved from Vault (secret/renovate) via data sources in the Terraform code, not passed as Terraform variables. Changes: - Commented out TF_VAR_renovate_endpoint in all pipeline stages - Commented out TF_VAR_renovate_token in all pipeline stages - These values are properly sourced from Vault data sources This fixes the container restart issue where Renovate couldn't find the Gitea personal access token because the environment variable wasn't being set correctly from Vault data. Affected stages: - terraform-validate (init and validate steps) - terraform-plan (init and plan steps) - terraform-apply (init and apply steps) - terraform-destroy (init, plan, and execute steps)
---
 .gitea/workflows/pipeline.yaml | 36 +++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/.gitea/workflows/pipeline.yaml b/.gitea/workflows/pipeline.yaml
index 8fa9140..32db42e 100644
--- a/.gitea/workflows/pipeline.yaml
+++ b/.gitea/workflows/pipeline.yaml
@@ -83,8 +83,8 @@ jobs:
 env:
 TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
 TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
- TF_VAR_renovate_endpoint: "https://gitea.example.com/api/v1/"
- TF_VAR_renovate_token: "dummy-token-for-validation"
+ #TF_VAR_renovate_endpoint: "https://gitea.example.com/api/v1/"
+ #TF_VAR_renovate_token: "dummy-token-for-validation"
 VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
 run: terraform init -backend=false
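Review bot: The two `TF_VAR_renovate_*` lines are commented out rather than deleted, here and in the eight later hunks (-92, -154, -175, -254, -287, -350, -372, -387), which leaves eighteen dead lines that read as if the variables might be switched back on. Since the commit message says the values come from Vault data sources, delete the lines outright; git history keeps the old form. If the Terraform code still declares `renovate_endpoint` or `renovate_token` as variables without defaults (not visible in this patch), the `-input=false` plan steps would stop on a missing required value, so the declarations should be removed in the same change. The step definitions continue outside the hunks.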
@@ -92,8 +92,8 @@ jobs:
 env:
 TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
 TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
- TF_VAR_renovate_endpoint: "https://gitea.example.com/api/v1/"
- TF_VAR_renovate_token: "dummy-token-for-validation"
+ #TF_VAR_renovate_endpoint: "https://gitea.example.com/api/v1/"
+ #TF_VAR_renovate_token: "dummy-token-for-validation"
 VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
 run: terraform validate
@@ -154,8 +154,8 @@ jobs:
 TF_BACKEND_REGION: "main"
 TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
 TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
- TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
- TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
+ #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
+ #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
 VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
 run: |
 terraform init -input=false \
@@ -175,8 +175,8 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
 TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
 TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
- TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
- TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
+ #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
+ #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
 VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
 run: |
 terraform plan -input=false -out=tfplan
@@ -254,8 +254,8 @@ jobs:
 TF_BACKEND_REGION: "main"
 TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
 TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
- TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
- TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
+ #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
+ #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
 VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
 run: |
 terraform init \
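Review bot: From the `@@ -154` hunk onward, the commented-out lines were the only visible consumers of `secrets.RENOVATE_ENDPOINT` and `secrets.RENOVATE_TOKEN` (the same holds in -175, -254 and the four hunks after them), so the two repository secrets become orphaned copies of the credential. Remove them from the Gitea secret store once this merges so the token lives only in Vault and rotation has a single place to happen. Reading the token through a Vault data source typically means Terraform records the value in state and in the saved `tfplan`, so the MinIO state bucket and any plan artifact passed to the apply job need the same access restrictions as the token itself. A comment above the first `env:` block such as `# renovate endpoint/token are read from Vault (secret/renovate) by Terraform, not passed via TF_VAR_*` would record the reason for later readers.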
@@ -287,8 +287,8 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
 TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
 TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
- TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
- TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
+ #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
+ #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
 VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
 run: terraform apply -input=false -auto-approve tfplan
@@ -350,8 +350,8 @@ jobs:
 TF_BACKEND_REGION: "main"
 TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
 TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
- TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
- TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
+ #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
+ #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
 VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
 run: |
 echo "Performing fresh terraform init (no cache for safety)..."
@@ -372,8 +372,8 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
 TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
 TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
- TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
- TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
+ #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
+ #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
 VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
 run: |
 echo "Generating destroy plan..."
@@ -387,8 +387,8 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ secrets.MINIO_SECRET_KEY }}
 TF_VAR_role_id: ${{ secrets.VAULT_ROLE_ID }}
 TF_VAR_secret_id: ${{ secrets.VAULT_SECRET_ID }}
- TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
- TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
+ #TF_VAR_renovate_endpoint: ${{ secrets.RENOVATE_ENDPOINT }}
+ #TF_VAR_renovate_token: ${{ secrets.RENOVATE_TOKEN }}
 VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
 run: |
 echo "🔥 DESTROYING INFRASTRUCTURE..."