chore(infra): codify telegram command sync access

infra/terraform/README.md

@@ -61,6 +61,9 @@ echo -n "<value>" | gcloud secrets versions add scheduler-shared-secret --data-f
 If you configure optional secret IDs such as `database_url_secret_id` or
 `openai_api_key_secret_id`, add versions for those secrets as well.
 
+If GitHub OIDC deploy access is enabled, keep `telegram_bot_token_secret_id` aligned with the
+real bot token secret name so CD can read it and sync Telegram commands automatically.
+
 ## Environments
 
 Recommended approach:

infra/terraform/main.tf

@@ -64,6 +64,15 @@ resource "google_secret_manager_secret_iam_member" "bot_runtime_access" {
   member    = "serviceAccount:${google_service_account.bot_runtime.email}"
 }
 
+resource "google_secret_manager_secret_iam_member" "github_deployer_bot_token_access" {
+  count = var.create_workload_identity ? 1 : 0
+
+  project   = var.project_id
+  secret_id = var.telegram_bot_token_secret_id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.github_deployer[0].email}"
+}
+
 module "bot_api_service" {
   source = "./modules/cloud_run_service"
 

infra/terraform/terraform.tfvars.example

@@ -9,6 +9,7 @@ bot_api_image   = "europe-west1-docker.pkg.dev/my-gcp-project/household-bot/bot:
 mini_app_image  = "europe-west1-docker.pkg.dev/my-gcp-project/household-bot/miniapp:latest"
 
 database_url_secret_id   = "database-url"
+telegram_bot_token_secret_id = "telegram-bot-token"
 openai_api_key_secret_id = "openai-api-key"
 # supabase_url_secret_id             = "supabase-url"
 # supabase_publishable_key_secret_id = "supabase-publishable-key"