Guard Forgejo age secret setter
This commit is contained in:
parent
d0a2cea40e
commit
1b2f1f7258
2 changed files with 17 additions and 0 deletions
|
|
@ -10,6 +10,9 @@ The deploy workflow is intended to run on the primary Forgejo host (not Codeberg
|
||||||
- Fallback: Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to a dedicated CI SSH private key that can decrypt `secrets/cloudflare-api-token.age`.
|
- Fallback: Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to a dedicated CI SSH private key that can decrypt `secrets/cloudflare-api-token.age`.
|
||||||
|
|
||||||
Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity.
|
Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity.
|
||||||
|
The legacy `AGE_FORGE_SSH_KEY` setter refuses `~/.ssh/id_ed25519` and requires
|
||||||
|
`EVERY_CHANNEL_CONFIRM_DEDICATED_CI_KEY=I_UNDERSTAND_THIS_IS_A_DEDICATED_CI_KEY`
|
||||||
|
so a personal key is not accidentally uploaded.
|
||||||
|
|
||||||
CI and deploy workflows:
|
CI and deploy workflows:
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -8,6 +8,20 @@ host="${EVERY_CHANNEL_FORGE_HOST:-https://git.every.channel}"
|
||||||
repo="${EVERY_CHANNEL_FORGE_REPO:-every-channel/every.channel}"
|
repo="${EVERY_CHANNEL_FORGE_REPO:-every-channel/every.channel}"
|
||||||
secret_name="${EVERY_CHANNEL_FORGE_AGE_SECRET_NAME:-AGE_FORGE_SSH_KEY}"
|
secret_name="${EVERY_CHANNEL_FORGE_AGE_SECRET_NAME:-AGE_FORGE_SSH_KEY}"
|
||||||
key_path="${1:-$HOME/.config/every.channel/keys/founder_ed25519}"
|
key_path="${1:-$HOME/.config/every.channel/keys/founder_ed25519}"
|
||||||
|
confirm="${EVERY_CHANNEL_CONFIRM_DEDICATED_CI_KEY:-}"
|
||||||
|
|
||||||
|
if [[ "${confirm}" != "I_UNDERSTAND_THIS_IS_A_DEDICATED_CI_KEY" ]]; then
|
||||||
|
echo "error: refusing to set ${secret_name} without explicit dedicated-CI-key confirmation" >&2
|
||||||
|
echo "set EVERY_CHANNEL_CONFIRM_DEDICATED_CI_KEY=I_UNDERSTAND_THIS_IS_A_DEDICATED_CI_KEY only for a non-personal CI decrypt key" >&2
|
||||||
|
echo "preferred path: set CLOUDFLARE_API_TOKEN with scripts/fj-set-cloudflare-token-secret.sh" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ "${key_path}" == "$HOME/.ssh/id_ed25519" || "${key_path}" == "${HOME}/.ssh/id_ed25519" ]]; then
|
||||||
|
echo "error: refusing to upload personal key path ${key_path}" >&2
|
||||||
|
echo "use a scoped CLOUDFLARE_API_TOKEN or a dedicated CI decrypt key instead" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ ! -f "${key_path}" ]]; then
|
if [[ ! -f "${key_path}" ]]; then
|
||||||
echo "error: key file not found: ${key_path}" >&2
|
echo "error: key file not found: ${key_path}" >&2
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue