fix: seed grafana admin secret during deploy

.gitea/workflows/deploy.yml

@@ -857,6 +857,7 @@ jobs:
       - name: Reconcile observability stack
         env:
           KUBECONFIG: outputs/kubeconfig
+          GRAFANA_ADMIN_PASSWORD: ${{ secrets.GRAFANA_ADMIN_PASSWORD }}
         run: |
           set -euo pipefail
 
@@ -949,14 +950,25 @@ jobs:
           wait_for_grafana_secret() {
             local timeout_seconds="$1"
             local elapsed=0
+            local force_sync
 
             while [ "${elapsed}" -lt "${timeout_seconds}" ]; do
+              force_sync="$(date +%s)"
+              kubectl -n observability annotate externalsecret/grafana-admin external-secrets.io/force-sync="${force_sync}" --overwrite || true
+
+              if [ -n "${GRAFANA_ADMIN_PASSWORD}" ]; then
+                kubectl -n observability create secret generic grafana-admin-credentials \
+                  --from-literal=admin-user=admin \
+                  --from-literal=admin-password="${GRAFANA_ADMIN_PASSWORD}" \
+                  --dry-run=client -o yaml | kubectl apply -f -
+              fi
+
               if kubectl -n observability get secret/grafana-admin-credentials >/dev/null 2>&1; then
                 return 0
               fi
 
               sleep 15
-              elapsed=$((elapsed + 75))
+              elapsed=$((elapsed + 15))
             done
 
             echo "Timed out waiting for Grafana admin ExternalSecret to sync" >&2