Guard Forgejo age secret setter
Some checks failed
deploy-cloudflare / checks (push) Successful in 1m46s
deploy-cloudflare/breadcrumb bootstrap ok
deploy-cloudflare / deploy (push) Failing after 24s
ci-gates / checks (push) Successful in 6m22s

Conrad Kramer 2026-06-10 04:33:44 -07:00
parent d0a2cea40e
commit 1b2f1f7258
2 changed files with 17 additions and 0 deletions

@ -10,6 +10,9 @@ The deploy workflow is intended to run on the primary Forgejo host (not Codeberg
- Fallback: Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to a dedicated CI SSH private key that can decrypt `secrets/cloudflare-api-token.age`.
Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity.
The legacy `AGE_FORGE_SSH_KEY` setter refuses `~/.ssh/id_ed25519` and requires
`EVERY_CHANNEL_CONFIRM_DEDICATED_CI_KEY=I_UNDERSTAND_THIS_IS_A_DEDICATED_CI_KEY`
so a personal key is not accidentally uploaded.
CI and deploy workflows:
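Review bot: The refusal described in the added paragraph names only `~/.ssh/id_ed25519`, so a personal key stored at any other path (for example `~/.ssh/id_rsa` or a custom-named file) is stopped only by the `EVERY_CHANNEL_CONFIRM_DEDICATED_CI_KEY` confirmation, which loses its value as a check if an operator exports it once in a shell profile. If the setter rejects more than that single path, say so here; if it does not, consider refusing every key under `~/.ssh/` by default and note that the variable is meant to be set per invocation. The paragraph also does not name the setter script or command, so a reader cannot tell from this document which tool enforces the guard.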