From 5e4848c4e2752ac17c9ce94bcda5e8202e936fd1 Mon Sep 17 00:00:00 2001
From: Eric Gullickson <16152721+ericgullickson@users.noreply.github.com>
Date: Mon, 9 Feb 2026 20:52:29 -0600
Subject: [PATCH] feat: add Auth0 OCR secrets to injection script and CI/CD workflows (refs #127)

- Add AUTH0_OCR_CLIENT_ID and AUTH0_OCR_CLIENT_SECRET to inject-secrets.sh
- Add new secrets to staging and production workflow env blocks
- Create .example files for new secret documentation

Co-Authored-By: Claude Opus 4.6
---
 .gitea/workflows/production.yaml | 2 ++
 .gitea/workflows/staging.yaml | 2 ++
 scripts/inject-secrets.sh | 6 ++++++
 secrets/app/auth0-ocr-client-id.txt.example | 1 +
 secrets/app/auth0-ocr-client-secret.txt.example | 1 +
 5 files changed, 12 insertions(+)
 create mode 100644 secrets/app/auth0-ocr-client-id.txt.example
 create mode 100644 secrets/app/auth0-ocr-client-secret.txt.example

diff --git a/.gitea/workflows/production.yaml b/.gitea/workflows/production.yaml
index 4686fb4..7258700 100644
--- a/.gitea/workflows/production.yaml
+++ b/.gitea/workflows/production.yaml
@@ -129,6 +129,8 @@ jobs:
 AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }}
 AUTH0_MANAGEMENT_CLIENT_ID: ${{ secrets.AUTH0_MANAGEMENT_CLIENT_ID }}
 AUTH0_MANAGEMENT_CLIENT_SECRET: ${{ secrets.AUTH0_MANAGEMENT_CLIENT_SECRET }}
+ AUTH0_OCR_CLIENT_ID: ${{ secrets.AUTH0_OCR_CLIENT_ID }}
+ AUTH0_OCR_CLIENT_SECRET: ${{ secrets.AUTH0_OCR_CLIENT_SECRET }}
 GOOGLE_MAPS_API_KEY: ${{ secrets.GOOGLE_MAPS_API_KEY }}
 GOOGLE_MAPS_MAP_ID: ${{ secrets.GOOGLE_MAPS_MAP_ID }}
 CF_DNS_API_TOKEN: ${{ secrets.CF_DNS_API_TOKEN }}
diff --git a/.gitea/workflows/staging.yaml b/.gitea/workflows/staging.yaml
index c403203..1d4644b 100644
--- a/.gitea/workflows/staging.yaml
+++ b/.gitea/workflows/staging.yaml
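Review bot: The new `AUTH0_OCR_CLIENT_ID` / `AUTH0_OCR_CLIENT_SECRET` entries in the production.yaml env block (which starts and ends outside the hunk) read the same secret names as the matching staging.yaml hunk, so unless Gitea scopes these per environment (not visible in the diff) both environments would authenticate with one Auth0 M2M client. Separate clients per environment would keep a leaked staging credential from being valid against production and would let each be rotated on its own. It is also worth confirming that both secrets are defined before the first deploy, since how inject-secrets.sh treats a missing or empty value is not shown in this patch. A short comment above the pair would record what the credential is for, for example `# M2M client credentials for OCR; keep separate from the management client` (wording for the author to confirm).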
@@ -139,6 +139,8 @@ jobs:
 AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }}
 AUTH0_MANAGEMENT_CLIENT_ID: ${{ secrets.AUTH0_MANAGEMENT_CLIENT_ID }}
 AUTH0_MANAGEMENT_CLIENT_SECRET: ${{ secrets.AUTH0_MANAGEMENT_CLIENT_SECRET }}
+ AUTH0_OCR_CLIENT_ID: ${{ secrets.AUTH0_OCR_CLIENT_ID }}
+ AUTH0_OCR_CLIENT_SECRET: ${{ secrets.AUTH0_OCR_CLIENT_SECRET }}
 GOOGLE_MAPS_API_KEY: ${{ secrets.GOOGLE_MAPS_API_KEY }}
 GOOGLE_MAPS_MAP_ID: ${{ secrets.GOOGLE_MAPS_MAP_ID }}
 CF_DNS_API_TOKEN: ${{ secrets.CF_DNS_API_TOKEN }}
diff --git a/scripts/inject-secrets.sh b/scripts/inject-secrets.sh
index 9081b4b..c9d7b7a 100755
--- a/scripts/inject-secrets.sh
+++ b/scripts/inject-secrets.sh
@@ -11,6 +11,8 @@
 # - AUTH0_CLIENT_SECRET
 # - AUTH0_MANAGEMENT_CLIENT_ID
 # - AUTH0_MANAGEMENT_CLIENT_SECRET
+# - AUTH0_OCR_CLIENT_ID
+# - AUTH0_OCR_CLIENT_SECRET
 # - GOOGLE_MAPS_API_KEY
 # - GOOGLE_MAPS_MAP_ID
 # - CF_DNS_API_TOKEN
@@ -30,6 +32,8 @@ SECRET_FILES=(
 "auth0-client-secret.txt"
 "auth0-management-client-id.txt"
 "auth0-management-client-secret.txt"
+ "auth0-ocr-client-id.txt"
+ "auth0-ocr-client-secret.txt"
 "google-maps-api-key.txt"
 "google-maps-map-id.txt"
 "cloudflare-dns-token.txt"
@@ -99,6 +103,8 @@ inject_secret "POSTGRES_PASSWORD" "postgres-password.txt" || FAILED=1
 inject_secret "AUTH0_CLIENT_SECRET" "auth0-client-secret.txt" || FAILED=1
 inject_secret "AUTH0_MANAGEMENT_CLIENT_ID" "auth0-management-client-id.txt" || FAILED=1
 inject_secret "AUTH0_MANAGEMENT_CLIENT_SECRET" "auth0-management-client-secret.txt" || FAILED=1
+inject_secret "AUTH0_OCR_CLIENT_ID" "auth0-ocr-client-id.txt" || FAILED=1
+inject_secret "AUTH0_OCR_CLIENT_SECRET" "auth0-ocr-client-secret.txt" || FAILED=1
 inject_secret "GOOGLE_MAPS_API_KEY" "google-maps-api-key.txt" || FAILED=1
 inject_secret "GOOGLE_MAPS_MAP_ID" "google-maps-map-id.txt" || FAILED=1
 inject_secret "CF_DNS_API_TOKEN" "cloudflare-dns-token.txt" || FAILED=1
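Review bot: The mapping from variable name to secret file for the two new entries is now repeated in three places in inject-secrets.sh: the header comment, the `SECRET_FILES` array and the `inject_secret ... || FAILED=1` calls, and all three have to be edited together. Deriving the array and the calls from one list of name/file pairs would remove the chance of a secret being listed for cleanup or validation but never injected, or the reverse. If the lists stay separate, a comment above the array such as `# Keep in sync with the inject_secret calls below and the header list` would at least flag the coupling. The array and the call sequence both begin and end outside these hunks, so how `SECRET_FILES` is consumed is not visible here.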
diff --git a/secrets/app/auth0-ocr-client-id.txt.example b/secrets/app/auth0-ocr-client-id.txt.example
new file mode 100644
index 0000000..8b15d07
--- /dev/null
+++ b/secrets/app/auth0-ocr-client-id.txt.example
@@ -0,0 +1 @@
+your-auth0-m2m-client-id
\ No newline at end of file
diff --git a/secrets/app/auth0-ocr-client-secret.txt.example b/secrets/app/auth0-ocr-client-secret.txt.example
new file mode 100644
index 0000000..0bb3bbd
--- /dev/null
+++ b/secrets/app/auth0-ocr-client-secret.txt.example
@@ -0,0 +1 @@
+your-auth0-m2m-client-secret
\ No newline at end of file