diff --git a/docs/DEPLOY_CLOUDFLARE.md b/docs/DEPLOY_CLOUDFLARE.md index 45dbef7..4d91a42 100644 --- a/docs/DEPLOY_CLOUDFLARE.md +++ b/docs/DEPLOY_CLOUDFLARE.md @@ -6,8 +6,10 @@ The deploy workflow is intended to run on the primary Forgejo host (not Codeberg ## Prereqs - Forgejo Actions enabled on the repo. -- Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to the SSH private key used to decrypt repo-encrypted age secrets. -- `secrets/cloudflare-api-token.age` present in-repo and decryptable by `AGE_FORGE_SSH_KEY`. +- Preferred: Forgejo Actions secret `CLOUDFLARE_API_TOKEN` set to a scoped Cloudflare API token. +- Fallback: Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to a dedicated CI SSH private key that can decrypt `secrets/cloudflare-api-token.age`. + +Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity. CI and deploy workflows: @@ -23,3 +25,14 @@ Mirror behavior: ```sh ./scripts/deploy-workers.sh ``` + +## Set Forgejo token secret + +With Forgejo API auth configured for `fj`, set the direct Cloudflare token secret without storing an +SSH decrypt key in Forgejo: + +```sh +CLOUDFLARE_API_TOKEN=... ./scripts/fj-set-cloudflare-token-secret.sh +``` + +The helper also accepts a token file path or token on stdin. diff --git a/scripts/fj-set-cloudflare-token-secret.sh b/scripts/fj-set-cloudflare-token-secret.sh new file mode 100755 index 0000000..a472c80 --- /dev/null +++ b/scripts/fj-set-cloudflare-token-secret.sh 
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "${root}"
+
+host="${EVERY_CHANNEL_FORGE_HOST:-https://git.every.channel}"
+repo="${EVERY_CHANNEL_FORGE_REPO:-every-channel/every.channel}"
+secret_name="${EVERY_CHANNEL_FORGE_CLOUDFLARE_SECRET_NAME:-CLOUDFLARE_API_TOKEN}"
+token_file="${1:-}"
+
+token="${CLOUDFLARE_API_TOKEN:-}"
+if [[ -z "${token}" && -n "${token_file}" ]]; then
+ if [[ ! -f "${token_file}" ]]; then
+ echo "error: token file not found: ${token_file}" >&2
+ exit 2
+ fi
+ token="$(<"${token_file}")"
+fi
+if [[ -z "${token}" && ! -t 0 ]]; then
+ token="$(cat)"
+fi
+token="$(printf '%s' "${token}" | tr -d '\r\n')"
+
+if [[ -z "${token}" ]]; then
+ echo "error: provide CLOUDFLARE_API_TOKEN, a token file path, or token on stdin" >&2
+ exit 2
+fi
+
+if ! command -v fj >/dev/null 2>&1; then
+ echo "error: fj not found in PATH (run: nix develop)" >&2
+ exit 2
+fi
+
+"${root}/scripts/fj-auth-forge.sh" >/dev/null
+
+# Upsert by delete/create because fj currently exposes create/delete.
+fj -H "${host}" actions -r "${repo}" secrets delete "${secret_name}" >/dev/null 2>&1 || true
+fj -H "${host}" actions -r "${repo}" secrets create "${secret_name}" "${token}" >/dev/null
+
+echo "ok: set ${secret_name} on ${repo} via ${host}"
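Review bot: The Cloudflare token is handed to `fj` as a command-line argument in `secrets create "${secret_name}" "${token}"`, so for the lifetime of that process it is readable by any other local user through the process list, and it would be printed in full if the script were ever run under `set -x`; if `fj` can read the secret value from stdin or a file, that path should be preferred, and if it cannot, a comment such as `# NOTE: token is visible in argv to other local users while fj runs` should record the exposure next to the call. The delete-then-create upsert at the end of the hunk is also not failure-safe: `secrets delete … >/dev/null 2>&1 || true` hides every error, including auth or permission failures, and if the following `create` then fails the repository is left with no secret at all, which the deploy workflow documented in the other file depends on. At minimum the create failure should tell the operator that the previous value is gone, e.g. `… secrets create "${secret_name}" "${token}" >/dev/null || { echo "error: create failed after delete; ${secret_name} is now unset on ${repo}" >&2; exit 1; }`. The stdin path on `token="$(cat)"` and the `tr -d '\r\n'` normalisation look correct as written.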