Rotate operator secrets into agenix and deepen caches

Scripts/forge-deploy.sh

@@ -5,6 +5,8 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 
 # shellcheck source=Scripts/_burrow-flake.sh
 source "${SCRIPT_DIR}/_burrow-flake.sh"
+# shellcheck source=Scripts/_burrow-secrets.sh
+source "${SCRIPT_DIR}/_burrow-secrets.sh"
 
 usage() {
   cat <<'EOF'
@@ -18,7 +20,7 @@ Defaults:
 
 Environment:
   BURROW_FORGE_HOST        root@git.burrow.net
-  BURROW_FORGE_SSH_KEY     intake/agent_at_burrow_net_ed25519
+  BURROW_FORGE_SSH_KEY     explicit path, otherwise secrets/forgejo/agent-ssh-key.age
 EOF
 }
 
@@ -28,6 +30,7 @@ ALLOW_DIRTY=0
 BURROW_FLAKE_TMPDIRS=()
 
 cleanup() {
+  burrow_cleanup_secret_tmpfiles
   burrow_cleanup_flake_tmpdirs
 }
 trap cleanup EXIT
@@ -71,21 +74,17 @@ if [[ ${ALLOW_DIRTY} -ne 1 ]] && [[ -n "$(git status --short)" ]]; then
 fi
 
 FORGE_HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
-FORGE_SSH_KEY="${BURROW_FORGE_SSH_KEY:-}"
-
-if [[ -z "${FORGE_SSH_KEY}" ]]; then
-  if [[ -f "${REPO_ROOT}/intake/agent_at_burrow_net_ed25519" ]]; then
-    FORGE_SSH_KEY="${REPO_ROOT}/intake/agent_at_burrow_net_ed25519"
-  else
-    FORGE_SSH_KEY="${HOME}/.ssh/agent_at_burrow_net_ed25519"
-  fi
-fi
-
-if [[ ! -f "${FORGE_SSH_KEY}" ]]; then
-  echo "Forge SSH key not found at ${FORGE_SSH_KEY}." >&2
-  echo "Set BURROW_FORGE_SSH_KEY or place the agent key in intake/." >&2
+FORGE_SSH_KEY="$(
+  burrow_resolve_secret_file \
+    "${REPO_ROOT}" \
+    "${BURROW_FORGE_SSH_KEY:-}" \
+    "${REPO_ROOT}/intake/agent_at_burrow_net_ed25519" \
+    "${REPO_ROOT}/secrets/forgejo/agent-ssh-key.age" \
+    "${HOME}/.ssh/agent_at_burrow_net_ed25519"
+)" || {
+  echo "Unable to resolve the forge SSH key." >&2
   exit 1
-fi
+}
 
 FORGE_KNOWN_HOSTS_FILE="${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}"
 mkdir -p "$(dirname "${FORGE_KNOWN_HOSTS_FILE}")"