.gitea/workflows/ci.yml

@@ -291,7 +291,11 @@ jobs:
         run: |
           echo "Checking for Ansible Vault files..."
           # Intentionally skip *.example files: they are plaintext templates.
-          vault_files=$(find . -name "*vault*.yml" -o -name "*vault*.yaml" | grep -v ".git" | grep -v ".example" || true)
+          # Only treat conventional vault files as "must be encrypted":
+          # - vault.yml / vault.yaml
+          # - vault_*.yml / vault_*.yaml
+          # Avoid false-positives like host_vars/vaultwardenVM.yml (host name contains "vault").
+          vault_files=$(find . \( -name "vault.yml" -o -name "vault.yaml" -o -name "vault_*.yml" -o -name "vault_*.yaml" \) | grep -v ".git" | grep -v ".example" || true)
           if [ -z "$vault_files" ]; then
             echo "No vault files found"
             exit 0
@@ -300,7 +304,8 @@ jobs:
           for vault_file in $vault_files; do
             echo "Checking $vault_file..."
             # Check if file starts with ANSIBLE_VAULT header (doesn't require password)
-            if head -n 1 "$vault_file" | grep -q "^\$ANSIBLE_VAULT"; then
+            # Some vault files may start with '---' (YAML document start) on line 1.
+            if head -n 5 "$vault_file" | grep -q "^\$ANSIBLE_VAULT"; then
               echo "✓ $vault_file is properly encrypted (has vault header)"
             else
               echo "✗ ERROR: $vault_file does not have ANSIBLE_VAULT header - may be unencrypted!"

inventories/production/host_vars/devGPU/vault.yml

@@ -1,2 +0,0 @@
----
-vault_devgpu_become_password: root