From a4d77be4a3b301f71245b5dd2231a54bf0df7468 Mon Sep 17 00:00:00 2001
From: rlabadmin
Date: Thu, 23 Apr 2026 15:14:48 +0200
Subject: [PATCH] Use instance-level vars for non-sensitive deploy config

- DEPLOY_HOST / DEPLOY_USER / REGISTRY_USER now read from vars.*, set once at /admin/actions/variables and inherited by all repos
- DEPLOY_SSH_KEY / REGISTRY_PASSWORD stay as secrets.*

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/flow.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/flow.yml b/.gitea/workflows/flow.yml
index bc28697..11c1587 100644
--- a/.gitea/workflows/flow.yml
+++ b/.gitea/workflows/flow.yml
@@ -44,7 +44,7 @@ jobs:
 run: |
 echo "${{ secrets.REGISTRY_PASSWORD }}" | \
 docker login ${{ env.REGISTRY }} \
- --username "${{ secrets.REGISTRY_USER }}" \
+ --username "${{ vars.REGISTRY_USER }}" \
 --password-stdin

 - name: Build image
@@ -71,12 +71,12 @@ jobs:
 mkdir -p ~/.ssh
 echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/deploy_key
 chmod 600 ~/.ssh/deploy_key
- ssh-keyscan -H ${{ secrets.DEPLOY_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
+ ssh-keyscan -H ${{ vars.DEPLOY_HOST }} >> ~/.ssh/known_hosts 2>/dev/null

 - name: Rolling deploy on Swarm
 run: |
 ssh -i ~/.ssh/deploy_key \
- ${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }} \
+ ${{ vars.DEPLOY_USER }}@${{ vars.DEPLOY_HOST }} \
 "docker service update \
 --image ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ needs.build.outputs.image_tag }} \
 --with-registry-auth \
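Review bot: `${{ vars.REGISTRY_USER }}` on the new `--username` line is substituted into the script text before the shell parses it, so any quote or shell metacharacter in the variable becomes part of the command instead of staying inside the argument. Passing the value through the step's environment keeps it as data: add `env:` with `REGISTRY_USER: ${{ vars.REGISTRY_USER }}` to the step and use `--username "$REGISTRY_USER"`. The same applies to `vars.DEPLOY_HOST` and `vars.DEPLOY_USER` in the second hunk, where the expansions are also unquoted. The step begins above this hunk, so the `env:` key would sit beside its `run:`.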
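Review bot: The `ssh-keyscan -H ${{ vars.DEPLOY_HOST }} >> ~/.ssh/known_hosts` line trusts whatever host key the network returns on every run, so the following `ssh` has no independently known key to check the server against, and `2>/dev/null` hides scan errors. Since the host now lives in an instance-level variable, its public key can be stored the same way and written directly, for example `echo "${{ vars.DEPLOY_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts` (`DEPLOY_KNOWN_HOSTS` is a placeholder name, not an existing variable). Values read from `vars.*` are presumably not masked in job logs the way `secrets.*` values are, so it is worth confirming that the deploy host and user may appear there. Both steps start above the hunk and the `docker service update` command continues past its end.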