ci: stop passing SOPS age workflow secret

[xnoto]

Summary

• stop passing SOPS_AGE_KEY to the shared OpenTofu workflow
• rely on AWS KMS via GitHub OIDC for SOPS decryption

Validation

• PCT_TFPATH=$(command -v tofu) pre-commit run --all-files

Notes

• The lowercase sops_age_key in this repo is still used for k3s/KSOPS bootstrap and is intentionally unchanged.

[github-actions]

OpenTofu Plan

OpenTofu will perform the following actions:

  # module.k3s.libvirt_cloudinit_disk.commoninit will be created
  + resource "libvirt_cloudinit_disk" "commoninit" {
      + id             = (known after apply)
      + meta_data      = <<-EOT
            instance-id: k3s
            local-hostname: k3s
        EOT
      + name           = "k3s_commoninit"
      + network_config = <<-EOT
            version: 2
            ethernets:
              enp1s0:
                dhcp4: true
              enp2s0:
                dhcp4: false
                addresses:
                  - 192.168.102.2/24
        EOT
      + path           = (known after apply)
      + size           = (known after apply)
      + user_data      = (sensitive value)
    }

  # module.runner.libvirt_cloudinit_disk.commoninit will be created
  + resource "libvirt_cloudinit_disk" "commoninit" {
      + id             = (known after apply)
      + meta_data      = <<-EOT
            instance-id: runner
            local-hostname: runner
        EOT
      + name           = "runner_commoninit"
      + network_config = (sensitive value)
      + path           = (known after apply)
      + size           = (known after apply)
      + user_data      = (sensitive value)
    }

Plan: 2 to add, 0 to change, 0 to destroy.