From c2514984bb5fe08a9c4c04548d00eec66f07e6c4 Mon Sep 17 00:00:00 2001 From: Eric Gullickson <16152721+ericgullickson@users.noreply.github.com> Date: Tue, 30 Dec 2025 08:39:02 -0600 Subject: [PATCH] fix: Path for secrets injection --- .gitea/workflows/staging.yaml | 2 +- scripts/ci/ansible/deploy-production-runner.yml | 10 ++++++++++ scripts/ci/ansible/deploy-staging-runner.yml | 10 ++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/staging.yaml b/.gitea/workflows/staging.yaml index de8d391..78fa0c6 100644 --- a/.gitea/workflows/staging.yaml +++ b/.gitea/workflows/staging.yaml @@ -100,7 +100,7 @@ jobs: run: | cd "$DEPLOY_PATH" chmod +x scripts/inject-secrets.sh - SECRETS_DIR="$DEPLOY_PATH/secrets/staging" ./scripts/inject-secrets.sh + SECRETS_DIR="$DEPLOY_PATH/secrets/app" ./scripts/inject-secrets.sh env: POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }} AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }} diff --git a/scripts/ci/ansible/deploy-production-runner.yml b/scripts/ci/ansible/deploy-production-runner.yml index 77125e3..1a63791 100644 --- a/scripts/ci/ansible/deploy-production-runner.yml +++ b/scripts/ci/ansible/deploy-production-runner.yml @@ -133,6 +133,16 @@ groups: docker append: true + - name: Configure passwordless sudo for act_runner + copy: + dest: /etc/sudoers.d/act_runner + content: | + # Allow act_runner to run commands without password for CI/CD operations + # This is required because Gitea Actions runners don't have a TTY + act_runner ALL=(ALL) NOPASSWD: ALL + mode: '0440' + validate: 'visudo -cf %s' + - name: Create act_runner config directory file: path: /etc/act_runner diff --git a/scripts/ci/ansible/deploy-staging-runner.yml b/scripts/ci/ansible/deploy-staging-runner.yml index 265b63a..8b657b3 100644 --- a/scripts/ci/ansible/deploy-staging-runner.yml +++ b/scripts/ci/ansible/deploy-staging-runner.yml 
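Review bot: In the `.gitea/workflows/staging.yaml` run step, nothing visible restricts the permissions of the files written under the new `SECRETS_DIR="$DEPLOY_PATH/secrets/app"`, and the step receives `POSTGRES_PASSWORD` and `AUTH0_CLIENT_SECRET` in its environment. `scripts/inject-secrets.sh` is not shown, so it may already handle this; if it does not, add `umask 077` on the line before the script call so the secret files are created owner-only. A one-line comment such as `# secrets/app is the directory the deployed services read; it is not per-environment` would also record why the staging workflow no longer uses `secrets/staging`, assuming that is the reason. The rest of the job is outside the hunk.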
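Review bot: The sudoers line `act_runner ALL=(ALL) NOPASSWD: ALL`, added by the "Configure passwordless sudo for act_runner" task in `deploy-production-runner.yml` and again in the `deploy-staging-runner.yml` hunk, gives the CI runner account unrestricted root on both hosts. Any workflow job scheduled on these runners can therefore act as root, which goes well beyond the secrets-path fix named in the commit subject. The missing TTY cited in the comment justifies `NOPASSWD`, not `ALL`; scope the rule to the commands the deploy jobs actually call, e.g. `act_runner ALL=(root) NOPASSWD: <ABSOLUTE_PATHS_OF_REQUIRED_COMMANDS>`. Adding `owner: root` and `group: root` to the `copy` task makes the file's ownership explicit next to `mode: '0440'`. The neighbouring tasks are cut by the hunk, so whether any other task depends on full sudo cannot be checked here.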
@@ -163,6 +163,16 @@ groups: docker append: true + - name: Configure passwordless sudo for act_runner + copy: + dest: /etc/sudoers.d/act_runner + content: | + # Allow act_runner to run commands without password for CI/CD operations + # This is required because Gitea Actions runners don't have a TTY + act_runner ALL=(ALL) NOPASSWD: ALL + mode: '0440' + validate: 'visudo -cf %s' + - name: Create act_runner config directory file: path: /etc/act_runner