ci: switch deploy secrets to age key workflow

2026-02-16 00:59:52 -05:00 · 2026-02-16 00:59:52 -05:00 · 4dbd831d0b
commit 4dbd831d0b
parent d6a9af8f1e
10 changed files with 186 additions and 30 deletions
--- a/evolution/proposals/ECP-0062-ci-age-key-secrets.md
+++ b/evolution/proposals/ECP-0062-ci-age-key-secrets.md
@ -0,0 +1,42 @@
+# ECP-0062: CI Secrets via Single SSH Identity + Repo-Encrypted Age Files
+
+Status: Draft
+
+## Goal
+
+Keep CI secret handling minimal and auditable:
+
+- one Forgejo Actions secret containing an SSH private key (`AGE_FORGE_SSH_KEY`),
+- all runtime credentials stored in git as encrypted `.age` files,
+- no CI dependence on repo cloning tokens (`CODEBERG_TOKEN`) for deploy.
+
+## Non-Goals
+
+- Replacing local developer token helpers (`scripts/fj-auth-codeberg.sh`).
+- Defining protocol-level stream key distribution.
+
+## Proposal
+
+1. Deploy workflow uses `actions/checkout` with `github.token` and drops the clone fallback path.
+2. Deploy workflow requires one secret only: `AGE_FORGE_SSH_KEY`.
+3. Deploy workflow decrypts `secrets/cloudflare-api-token.age` at runtime via `age -d -i <key>`.
+4. `CLOUDFLARE_API_TOKEN` is exported into `GITHUB_ENV` only for the current job.
+5. `CODEBERG_TOKEN` is removed from deploy workflow requirements.
+
+## Rationale
+
+This matches the key.store operational model:
+
+- one root automation identity in Forgejo,
+- encrypted secrets versioned in-repo,
+- no plaintext token files in CI configuration.
+
+It reduces secret sprawl, removes accidental token coupling, and keeps deploy bootstrap deterministic.
+
+## Rollout / Reversibility
+
+- Additive migration:
+  - set `AGE_FORGE_SSH_KEY` in Forgejo,
+  - commit encrypted `secrets/cloudflare-api-token.age`,
+  - run deploy.
+- Reversible by reintroducing direct Actions secret env injection if needed.