Guard Forgejo age secret setter
This commit is contained in:
parent
d0a2cea40e
commit
1b2f1f7258
2 changed files with 17 additions and 0 deletions
|
|
@ -10,6 +10,9 @@ The deploy workflow is intended to run on the primary Forgejo host (not Codeberg
|
|||
- Fallback: Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to a dedicated CI SSH private key that can decrypt `secrets/cloudflare-api-token.age`.
|
||||
|
||||
Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity.
|
||||
The legacy `AGE_FORGE_SSH_KEY` setter refuses `~/.ssh/id_ed25519` and requires
|
||||
`EVERY_CHANNEL_CONFIRM_DEDICATED_CI_KEY=I_UNDERSTAND_THIS_IS_A_DEDICATED_CI_KEY`
|
||||
so a personal key is not accidentally uploaded.
|
||||
|
||||
CI and deploy workflows:
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue