From 67a9b3ca2b59ed5208ce77d21ce8902fa51ba449 Mon Sep 17 00:00:00 2001
From: ilia
Date: Sat, 13 Dec 2025 23:42:06 -0500
Subject: [PATCH] Fix: Check vault encryption header instead of decrypting files
---
 .gitea/workflows/ci.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index dd5ff01..a0514d3 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -213,15 +213,22 @@ jobs:
 echo "No vault files found"
 exit 0
 fi
+ failed=0
 for vault_file in $vault_files; do
 echo "Checking $vault_file..."
- if ansible-vault view "$vault_file" > /dev/null 2>&1; then
- echo "✓ $vault_file is properly encrypted"
+ # Check if file starts with ANSIBLE_VAULT header (doesn't require password)
+ if head -n 1 "$vault_file" | grep -q "^\$ANSIBLE_VAULT"; then
+ echo "✓ $vault_file is properly encrypted (has vault header)"
 else
- echo "✗ ERROR: $vault_file appears to be unencrypted or invalid"
- exit 1
+ echo "✗ ERROR: $vault_file does not have ANSIBLE_VAULT header - may be unencrypted!"
+ failed=1
 fi
 done
+ if [ $failed -eq 1 ]; then
+ echo "Some vault files are not encrypted. Please encrypt them with: ansible-vault encrypt "
+ exit 1
+ fi
+ echo "All vault files are properly encrypted!"

 playbook-test:
 runs-on: ubuntu-latest
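Review bot: The new test `head -n 1 "$vault_file" | grep -q "^\$ANSIBLE_VAULT"` accepts any file whose first line merely starts with that string, so a plaintext secrets file with a vault header on top, or a hand-edited or truncated vault, is still reported as "properly encrypted". Since the job no longer decrypts, the condition should at least validate the whole header and require a hex-only body, for example `if head -n 1 "$vault_file" | grep -qE '^\$ANSIBLE_VAULT;[0-9]+\.[0-9]+;AES256' && ! tail -n +2 "$vault_file" | grep -qvE '^[0-9a-f]+$'; then`. Single-quoting the pattern also stops the check from depending on how the shell and grep treat `\$` inside double quotes. The step starts outside the hunk, so how `vault_files` is built, and whether files holding inline `!vault` values are in scope, cannot be judged from here.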