Add scoped Cloudflare token secret helper
Some checks failed
deploy-cloudflare / checks (push) Successful in 1m46s
deploy-cloudflare/breadcrumb bootstrap ok
deploy-cloudflare / deploy (push) Failing after 24s
ci-gates / checks (push) Has been cancelled

This commit is contained in:
Conrad Kramer 2026-06-10 04:29:33 -07:00
parent d5588360f9
commit d0a2cea40e
No known key found for this signature in database
2 changed files with 56 additions and 2 deletions

View file

@ -6,8 +6,10 @@ The deploy workflow is intended to run on the primary Forgejo host (not Codeberg
## Prereqs
- Forgejo Actions enabled on the repo.
- Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to the SSH private key used to decrypt repo-encrypted age secrets.
- `secrets/cloudflare-api-token.age` present in-repo and decryptable by `AGE_FORGE_SSH_KEY`.
- Preferred: Forgejo Actions secret `CLOUDFLARE_API_TOKEN` set to a scoped Cloudflare API token.
- Fallback: Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to a dedicated CI SSH private key that can decrypt `secrets/cloudflare-api-token.age`.
Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity.
CI and deploy workflows:
@ -23,3 +25,14 @@ Mirror behavior:
```sh
./scripts/deploy-workers.sh
```
## Set Forgejo token secret
With Forgejo API auth configured for `fj`, set the direct Cloudflare token secret without storing an
SSH decrypt key in Forgejo:
```sh
CLOUDFLARE_API_TOKEN=... ./scripts/fj-set-cloudflare-token-secret.sh
```
The helper also accepts a token file path or token on stdin.