Use GitHub secret for Ansible vault password

.github/workflows/pipeline.yml

@@ -125,18 +125,6 @@ jobs:
           python -m pip install --upgrade pip
           python -m pip install "ansible-core==2.18.3"
 
-      - name: Prepare Ansible vault password
-        env:
-          INTERNAL_SERVICE_TOKEN: ${{ env.INTERNAL_SERVICE_TOKEN }}
-        run: |
-          if [[ -z "${INTERNAL_SERVICE_TOKEN}" ]]; then
-            echo "INTERNAL_SERVICE_TOKEN is required for Ansible vault access" >&2
-            exit 1
-          fi
-
-          printf '%s' "${INTERNAL_SERVICE_TOKEN}" > "${HOME}/.vault_password"
-          chmod 600 "${HOME}/.vault_password"
-
       - name: Resolve deployment settings
         id: deploy_meta
         run: |
@@ -164,6 +152,8 @@ jobs:
 
       - name: Run Ansible deploy playbook
         working-directory: xworkmate-bridge
+        env:
+          INTERNAL_SERVICE_TOKEN: ${{ env.INTERNAL_SERVICE_TOKEN }}
         run: bash ./scripts/github-actions/deploy.sh "${{ steps.deploy_meta.outputs.target_host }}" "${{ steps.deploy_meta.outputs.run_apply }}" ../playbooks
 
   validate:

scripts/github-actions/deploy.sh

@@ -4,6 +4,7 @@ set -euo pipefail
 TARGET_HOST="${1:?target host is required}"
 RUN_APPLY="${2:?run_apply flag is required}"
 PLAYBOOK_DIR="${3:-playbooks}"
+INTERNAL_SERVICE_TOKEN="${INTERNAL_SERVICE_TOKEN:-}"
 
 cd "${PLAYBOOK_DIR}"
 
@@ -14,6 +15,10 @@ args=(
   -l "${TARGET_HOST}"
 )
 
+if [[ -n "${INTERNAL_SERVICE_TOKEN}" ]]; then
+  args+=(--vault-password-file <(printf '%s' "${INTERNAL_SERVICE_TOKEN}"))
+fi
+
 if [[ "${RUN_APPLY}" != "true" ]]; then
   args+=(-C)
 fi