every-channel/every.channel
1
0
Fork 0
Code Releases Activity Actions 2

ci: switch deploy secrets to age key workflow

Browse source
This commit is contained in:
every.channel 2026-02-16 00:59:52 -05:00
parent d6a9af8f1e
commit 4dbd831d0b
No known key found for this signature in database
10 changed files with 186 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

16
secrets/README.md
View file

@ -1,13 +1,21 @@
# Secrets (agenix)
This repo supports optional local secrets management via `agenix`.
This repo supports local + CI secrets management via `agenix`/`age`.
CI should prefer Forgejo Actions secrets (e.g. `CLOUDFLARE_API_TOKEN`) rather than decrypting secrets in runners.
CI deploys use one Forgejo Actions secret:
- `AGE_FORGE_SSH_KEY`: SSH private key used to decrypt repo-tracked `.age` files.
Set/update it with:
```sh
nix develop -c ./scripts/fj-set-age-key-secret.sh ~/.config/every.channel/keys/forge_ci_ed25519
```
## Files
- `secrets/secrets.nix`: recipients + secret file mapping
- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (optional)
- `secrets/cloudflare-api-token.age`: encrypted Cloudflare API token (used by deploy workflow)
- `secrets/codeberg-token.age`: encrypted Codeberg/Forgejo token for `fj` (optional)
## Create / edit secrets (local)
@ -32,4 +40,4 @@ agenix -d secrets/cloudflare-api-token.age
## Decryption identity
`agenix` decrypts using your local SSH key material. The private key must be available locally but is never committed to the repo.
`agenix`/`age` decrypts using SSH private key material. The private key must be available locally (or injected as CI secret) and is never committed to the repo.