Fix: Check vault encryption header instead of decrypting files

2025-12-13 23:42:06 -05:00 · 2025-12-13 23:42:06 -05:00 · 67a9b3ca2b
commit 67a9b3ca2b
parent 6d14cf9253
1 changed files with 11 additions and 4 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@ -213,15 +213,22 @@ jobs:
            echo "No vault files found"
            exit 0
          fi
+          failed=0
          for vault_file in $vault_files; do
            echo "Checking $vault_file..."
-            if ansible-vault view "$vault_file" > /dev/null 2>&1; then
-              echo "✓ $vault_file is properly encrypted"
+            # Check if file starts with ANSIBLE_VAULT header (doesn't require password)
+            if head -n 1 "$vault_file" | grep -q "^\$ANSIBLE_VAULT"; then
+              echo "✓ $vault_file is properly encrypted (has vault header)"
            else
-              echo "✗ ERROR: $vault_file appears to be unencrypted or invalid"
-              exit 1
+              echo "✗ ERROR: $vault_file does not have ANSIBLE_VAULT header - may be unencrypted!"
+              failed=1
            fi
          done
+          if [ $failed -eq 1 ]; then
+            echo "Some vault files are not encrypted. Please encrypt them with: ansible-vault encrypt <file>"
+            exit 1
+          fi
+          echo "All vault files are properly encrypted!"

  playbook-test:
    runs-on: ubuntu-latest