fix: Path for secrets injection

.gitea/workflows/staging.yaml

@@ -100,7 +100,7 @@ jobs:
         run: |
           cd "$DEPLOY_PATH"
           chmod +x scripts/inject-secrets.sh
-          SECRETS_DIR="$DEPLOY_PATH/secrets/staging" ./scripts/inject-secrets.sh
+          SECRETS_DIR="$DEPLOY_PATH/secrets/app" ./scripts/inject-secrets.sh
         env:
           POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
           AUTH0_CLIENT_SECRET: ${{ secrets.AUTH0_CLIENT_SECRET }}

scripts/ci/ansible/deploy-production-runner.yml

@@ -133,6 +133,16 @@
         groups: docker
         append: true
 
+    - name: Configure passwordless sudo for act_runner
+      copy:
+        dest: /etc/sudoers.d/act_runner
+        content: |
+          # Allow act_runner to run commands without password for CI/CD operations
+          # This is required because Gitea Actions runners don't have a TTY
+          act_runner ALL=(ALL) NOPASSWD: ALL
+        mode: '0440'
+        validate: 'visudo -cf %s'
+
     - name: Create act_runner config directory
       file:
         path: /etc/act_runner

scripts/ci/ansible/deploy-staging-runner.yml

@@ -163,6 +163,16 @@
         groups: docker
         append: true
 
+    - name: Configure passwordless sudo for act_runner
+      copy:
+        dest: /etc/sudoers.d/act_runner
+        content: |
+          # Allow act_runner to run commands without password for CI/CD operations
+          # This is required because Gitea Actions runners don't have a TTY
+          act_runner ALL=(ALL) NOPASSWD: ALL
+        mode: '0440'
+        validate: 'visudo -cf %s'
+
     - name: Create act_runner config directory
       file:
         path: /etc/act_runner