Add scoped Cloudflare token secret helper
This commit is contained in:
parent
d5588360f9
commit
d0a2cea40e
2 changed files with 56 additions and 2 deletions
|
|
@ -6,8 +6,10 @@ The deploy workflow is intended to run on the primary Forgejo host (not Codeberg
|
|||
## Prereqs
|
||||
|
||||
- Forgejo Actions enabled on the repo.
|
||||
- Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to the SSH private key used to decrypt repo-encrypted age secrets.
|
||||
- `secrets/cloudflare-api-token.age` present in-repo and decryptable by `AGE_FORGE_SSH_KEY`.
|
||||
- Preferred: Forgejo Actions secret `CLOUDFLARE_API_TOKEN` set to a scoped Cloudflare API token.
|
||||
- Fallback: Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to a dedicated CI SSH private key that can decrypt `secrets/cloudflare-api-token.age`.
|
||||
|
||||
Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity.
|
||||
|
||||
CI and deploy workflows:
|
||||
|
||||
|
|
@ -23,3 +25,14 @@ Mirror behavior:
|
|||
```sh
|
||||
./scripts/deploy-workers.sh
|
||||
```
|
||||
|
||||
## Set Forgejo token secret
|
||||
|
||||
With Forgejo API auth configured for `fj`, set the direct Cloudflare token secret without storing an
|
||||
SSH decrypt key in Forgejo:
|
||||
|
||||
```sh
|
||||
CLOUDFLARE_API_TOKEN=... ./scripts/fj-set-cloudflare-token-secret.sh
|
||||
```
|
||||
|
||||
The helper also accepts a token file path or token on stdin.
|
||||
|
|
|
|||
41
scripts/fj-set-cloudflare-token-secret.sh
Executable file
41
scripts/fj-set-cloudflare-token-secret.sh
Executable file
|
|
@ -0,0 +1,41 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||
cd "${root}"
|
||||
|
||||
host="${EVERY_CHANNEL_FORGE_HOST:-https://git.every.channel}"
|
||||
repo="${EVERY_CHANNEL_FORGE_REPO:-every-channel/every.channel}"
|
||||
secret_name="${EVERY_CHANNEL_FORGE_CLOUDFLARE_SECRET_NAME:-CLOUDFLARE_API_TOKEN}"
|
||||
token_file="${1:-}"
|
||||
|
||||
token="${CLOUDFLARE_API_TOKEN:-}"
|
||||
if [[ -z "${token}" && -n "${token_file}" ]]; then
|
||||
if [[ ! -f "${token_file}" ]]; then
|
||||
echo "error: token file not found: ${token_file}" >&2
|
||||
exit 2
|
||||
fi
|
||||
token="$(<"${token_file}")"
|
||||
fi
|
||||
if [[ -z "${token}" && ! -t 0 ]]; then
|
||||
token="$(cat)"
|
||||
fi
|
||||
token="$(printf '%s' "${token}" | tr -d '\r\n')"
|
||||
|
||||
if [[ -z "${token}" ]]; then
|
||||
echo "error: provide CLOUDFLARE_API_TOKEN, a token file path, or token on stdin" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
if ! command -v fj >/dev/null 2>&1; then
|
||||
echo "error: fj not found in PATH (run: nix develop)" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
"${root}/scripts/fj-auth-forge.sh" >/dev/null
|
||||
|
||||
# Upsert by delete/create because fj currently exposes create/delete.
|
||||
fj -H "${host}" actions -r "${repo}" secrets delete "${secret_name}" >/dev/null 2>&1 || true
|
||||
fj -H "${host}" actions -r "${repo}" secrets create "${secret_name}" "${token}" >/dev/null
|
||||
|
||||
echo "ok: set ${secret_name} on ${repo} via ${host}"
|
||||
Loading…
Add table
Add a link
Reference in a new issue