From cf106554000a0012a61e5a4b532ea383f02656b3 Mon Sep 17 00:00:00 2001
From: "Trez.One" <charish.patel@trez.wtf>
Date: Sun, 31 Aug 2025 22:29:51 -0400
Subject: [PATCH] Moving Vault unseal job from rinoa-docker to here.

---
 .gitea/workflows/vault-auto-unseal-flow.yml | 54 +++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 .gitea/workflows/vault-auto-unseal-flow.yml

diff --git a/.gitea/workflows/vault-auto-unseal-flow.yml b/.gitea/workflows/vault-auto-unseal-flow.yml
new file mode 100644
index 0000000..17e5b73
--- /dev/null
+++ b/.gitea/workflows/vault-auto-unseal-flow.yml
@@ -0,0 +1,54 @@
+name: Auto-Unseal for Vault
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '30 5 * * *'
+
+env:
+  HC_VAULT_VERSION: '1.20.0'
+
+jobs:
+  auto-unseal:
+    name: Unseal Vault
+    runs-on: ubuntu-latest
+    env:
+      VAULT_ADDR: ${{ secrets.VAULT_ADDR }}
+      VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
+      VAULT_SHARDS: ${{ secrets.VAULT_UNSEAL_SHARDS }}
+      VAULT_NAMESPACE: ""
+    steps:
+      - name: Vault Unseal Start
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: HC Vault @ Rinoa'
+          notification_message: 'Hashicorp Vault unsealing started... 🔐'
+
+      - name: Cache Vault install
+        id: cache-vault
+        uses: actions/cache@v4
+        with:
+          path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
+          key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
+
+      - name: Install Vault (only if not cached)
+        if: steps.cache-vault.outputs.cache-hit != 'true'
+        uses: cpanato/vault-installer@main
+        with:
+          version: ${{ env.HC_VAULT_VERSION }}
+
+      - name: Unseal Vault
+        run: |
+          for vault_shard in $VAULT_SHARDS; do
+            vault operator unseal -address="${VAULT_ADDR}" -non-interactive "${vault_shard}"
+          done
+
+      - name: Vault Unseal Completion
+        uses: eikendev/gotify-action@master
+        with:
+          gotify_api_base: '${{ secrets.GOTIFY_URL }}'
+          gotify_app_token: '${{ secrets.RUNNER_GOTIFY_TOKEN }}'
+          notification_title: 'GITEA: HC Vault @ Rinoa'
+          notification_message: 'Hashicorp Vault unsealed! 🔓'