{{- if .Values.enabled }}
{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $name }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    app.kubernetes.io/component: token-job
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - {{ $secretName }}
    verbs:
      - get
      - update
      - patch
{{- end }}
{{- end }}