Disable External Secrets, create GHCR secret from CD workflow instead

The External Secrets CRDs may not be installed in the workshops
namespace. Since we only need a GHCR pull secret, create it directly
via kubectl in the deploy step using GITHUB_TOKEN.

Also use vars.AWS_DEPLOY_ROLE_ARN like people-cvs does.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: darrillaga

.github/workflows/cd.yml

@@ -10,57 +10,70 @@ permissions:
   packages: write
 
 env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: crunchloop/workshops
   AWS_REGION: sa-east-1
   EKS_CLUSTER: k8-dev
   NAMESPACE: workshops
-  IMAGE_NAME: ghcr.io/crunchloop/workshops
+  DEPLOY_ROLE_ARN: ${{ vars.AWS_DEPLOY_ROLE_ARN }}
 
 jobs:
   docker-publish:
     runs-on: ubuntu-latest
     outputs:
-      image-tag: ${{ steps.meta.outputs.version }}
+      image-tag: ${{ steps.sha.outputs.short }}
     steps:
       - uses: actions/checkout@v4
 
-      - name: Log in to GHCR
-        uses: docker/login-action@v3
+      - name: Get short SHA
+        id: sha
+        run: echo "short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+
+      - uses: docker/login-action@v3
         with:
-          registry: ghcr.io
+          registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Docker meta
-        id: meta
+      - id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ env.IMAGE_NAME }}
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=sha,prefix=
-            type=raw,value=latest
+            type=raw,value=latest,enable={{is_default_branch}}
 
-      - name: Build and push
-        uses: docker/build-push-action@v6
+      - uses: docker/build-push-action@v6
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
 
   deploy:
-    runs-on: ubuntu-latest
     needs: docker-publish
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::176434290504:role/workshops-github-deploy
-          role-session-name: workshops-github-deploy
+          role-to-assume: ${{ env.DEPLOY_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
 
-      - name: Configure kubeconfig
-        run: aws eks update-kubeconfig --name ${{ env.EKS_CLUSTER }} --region ${{ env.AWS_REGION }}
+      - run: aws eks update-kubeconfig --name ${{ env.EKS_CLUSTER }} --region ${{ env.AWS_REGION }}
+
+      - uses: azure/setup-helm@v4
+
+      - name: Create GHCR pull secret
+        run: |
+          kubectl create namespace ${{ env.NAMESPACE }} --dry-run=client -o yaml | kubectl apply -f -
+          kubectl create secret docker-registry ghcr-secret \
+            --namespace ${{ env.NAMESPACE }} \
+            --docker-server=ghcr.io \
+            --docker-username=${{ github.actor }} \
+            --docker-password=${{ secrets.GITHUB_TOKEN }} \
+            --dry-run=client -o yaml | kubectl apply -f -
 
       - name: Deploy with Helm
         run: |

infra/k8/apps/values/workshops.yaml

@@ -30,3 +30,6 @@ serviceAccount:
   create: true
   name: workshops
   annotations: {}
+
+externalSecret:
+  enabled: false