fix: pem indent

Author: hey-intent

ansible/group_vars/vps.yml

@@ -24,6 +24,7 @@ namespace: ai-bot
 # NEVER commit real values here.
 github_app_id: "CHANGE_ME"
 github_private_key_path: "/path/to/github-app.pem"
+github_private_key_local_path: "/path/to/github-app.pem"
 webhook_secret: "CHANGE_ME"
 admin_token: "CHANGE_ME"
 

ansible/playbook.yml

@@ -148,23 +148,24 @@
       register: apply_network_policies
       changed_when: "'created' in apply_network_policies.stdout or 'configured' in apply_network_policies.stdout"
 
+    - name: Copy GitHub App private key to remote
+      ansible.builtin.copy:
+        src: "{{ github_private_key_local_path }}"
+        dest: /tmp/github-app.pem
+        mode: "0600"
+
     - name: Apply github-app secret
-      ansible.builtin.command:
-        cmd: k3s kubectl apply -f -
-        stdin: |
-          apiVersion: v1
-          kind: Secret
-          metadata:
-            name: github-app
-            namespace: {{ namespace }}
-          type: Opaque
-          stringData:
-            GITHUB_APP_ID: "{{ github_app_id }}"
-            GITHUB_PRIVATE_KEY: |
-              {{ lookup('ansible.builtin.file', github_private_key_path) | indent(14, false) }}
-      register: apply_secret_github_app
-      changed_when: "'created' in apply_secret_github_app.stdout or 'configured' in apply_secret_github_app.stdout"
-      # no_log: true
+      ansible.builtin.shell: |
+        k3s kubectl -n {{ namespace }} delete secret github-app --ignore-not-found
+        k3s kubectl -n {{ namespace }} create secret generic github-app \
+          --from-literal=GITHUB_APP_ID={{ github_app_id }} \
+          --from-file=GITHUB_PRIVATE_KEY=/tmp/github-app.pem
+      no_log: true
+
+    - name: Remove temporary key file
+      ansible.builtin.file:
+        path: /tmp/github-app.pem
+        state: absent
 
     - name: Apply github-webhook-secret
       ansible.builtin.command: