feat: add Gitea credentials and Actions runner

- Add gitea-creds ExternalSecret for ArgoCD authentication to Gitea
- Enable Gitea Actions in helm-values.yaml
- Add gitea-runner deployment for CI/CD

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

argocd/image-updater-manifests/image-updater-secret.yaml

@@ -48,3 +48,35 @@ spec:
       remoteRef:
         key: github
         property: password
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-creds
+  namespace: argocd
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: gitea-creds
+    creationPolicy: Owner
+    template:
+      metadata:
+        labels:
+          argocd.argoproj.io/secret-type: repo-creds
+      data:
+        type: git
+        url: https://github0213.com
+        username: "{{ .username }}"
+        password: "{{ .password }}"
+  data:
+    - secretKey: username
+      remoteRef:
+        key: gitea
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: gitea
+        property: password

gitea-runner/argocd.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea-actions-runner
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/K3S-HOME/platform.git
+    targetRevision: main
+    path: gitea-runner/manifests
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: gitea
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m

gitea-runner/manifests/deployment.yaml

@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea-runner
+  namespace: gitea
+  labels:
+    app: gitea-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-runner
+  template:
+    metadata:
+      labels:
+        app: gitea-runner
+    spec:
+      containers:
+      - name: runner
+        image: gitea/act_runner:latest
+        command:
+        - sh
+        - -c
+        - |
+          while ! wget -q --spider http://gitea-http.gitea.svc:3000/api/v1/version; do
+            echo "Waiting for Gitea to be ready..."
+            sleep 5
+          done
+          act_runner register --no-interactive \
+            --instance https://github0213.com \
+            --token $(cat /secrets/token) \
+            --name k3s-runner \
+            --labels k3s-home:docker://node:20-alpine,ubuntu-latest:docker://ubuntu:latest,arm64:host
+          act_runner daemon
+        env:
+        - name: GITEA_INSTANCE_URL
+          value: "https://github0213.com"
+        - name: DOCKER_HOST
+          value: "unix:///var/run/docker.sock"
+        volumeMounts:
+        - name: docker-sock
+          mountPath: /var/run/docker.sock
+        - name: runner-data
+          mountPath: /data
+        - name: runner-secret
+          mountPath: /secrets
+          readOnly: true
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            memory: 1Gi
+        securityContext:
+          privileged: true
+      volumes:
+      - name: docker-sock
+        hostPath:
+          path: /var/run/docker.sock
+          type: Socket
+      - name: runner-data
+        emptyDir: {}
+      - name: runner-secret
+        secret:
+          secretName: gitea-runner-secret
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: "true"
+      tolerations:
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+      restartPolicy: Always

gitea-runner/manifests/runner-secret.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-runner-secret
+  namespace: gitea
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault-backend
+  target:
+    name: gitea-runner-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: token
+      remoteRef:
+        key: gitea
+        property: runner_token

gitea/helm-values.yaml

@@ -80,6 +80,10 @@ gitea:
       MODE: console
       LEVEL: info
 
+    actions:
+      ENABLED: true
+      DEFAULT_ACTIONS_URL: github
+
 # =============================================================================
 # INGRESS
 # =============================================================================

kustomization.yaml

@@ -10,3 +10,4 @@ resources:
   - argocd/argocd.yaml
   - argocd/image-updater.yaml
   - gitea/argocd.yaml
+  - gitea-runner/argocd.yaml