Add scoped Cloudflare token secret helper
This commit is contained in:
parent
d5588360f9
commit
d0a2cea40e
2 changed files with 56 additions and 2 deletions
|
|
@ -6,8 +6,10 @@ The deploy workflow is intended to run on the primary Forgejo host (not Codeberg
|
||||||
## Prereqs
|
## Prereqs
|
||||||
|
|
||||||
- Forgejo Actions enabled on the repo.
|
- Forgejo Actions enabled on the repo.
|
||||||
- Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to the SSH private key used to decrypt repo-encrypted age secrets.
|
- Preferred: Forgejo Actions secret `CLOUDFLARE_API_TOKEN` set to a scoped Cloudflare API token.
|
||||||
- `secrets/cloudflare-api-token.age` present in-repo and decryptable by `AGE_FORGE_SSH_KEY`.
|
- Fallback: Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to a dedicated CI SSH private key that can decrypt `secrets/cloudflare-api-token.age`.
|
||||||
|
|
||||||
|
Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity.
|
||||||
|
|
||||||
CI and deploy workflows:
|
CI and deploy workflows:
|
||||||
|
|
||||||
|
|
@ -23,3 +25,14 @@ Mirror behavior:
|
||||||
```sh
|
```sh
|
||||||
./scripts/deploy-workers.sh
|
./scripts/deploy-workers.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Set Forgejo token secret
|
||||||
|
|
||||||
|
With Forgejo API auth configured for `fj`, set the direct Cloudflare token secret without storing an
|
||||||
|
SSH decrypt key in Forgejo:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
CLOUDFLARE_API_TOKEN=... ./scripts/fj-set-cloudflare-token-secret.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
The helper also accepts a token file path or token on stdin.
|
||||||
|
|
|
||||||
41
scripts/fj-set-cloudflare-token-secret.sh
Executable file
41
scripts/fj-set-cloudflare-token-secret.sh
Executable file
|
|
@ -0,0 +1,41 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||||
|
cd "${root}"
|
||||||
|
|
||||||
|
host="${EVERY_CHANNEL_FORGE_HOST:-https://git.every.channel}"
|
||||||
|
repo="${EVERY_CHANNEL_FORGE_REPO:-every-channel/every.channel}"
|
||||||
|
secret_name="${EVERY_CHANNEL_FORGE_CLOUDFLARE_SECRET_NAME:-CLOUDFLARE_API_TOKEN}"
|
||||||
|
token_file="${1:-}"
|
||||||
|
|
||||||
|
token="${CLOUDFLARE_API_TOKEN:-}"
|
||||||
|
if [[ -z "${token}" && -n "${token_file}" ]]; then
|
||||||
|
if [[ ! -f "${token_file}" ]]; then
|
||||||
|
echo "error: token file not found: ${token_file}" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
token="$(<"${token_file}")"
|
||||||
|
fi
|
||||||
|
if [[ -z "${token}" && ! -t 0 ]]; then
|
||||||
|
token="$(cat)"
|
||||||
|
fi
|
||||||
|
token="$(printf '%s' "${token}" | tr -d '\r\n')"
|
||||||
|
|
||||||
|
if [[ -z "${token}" ]]; then
|
||||||
|
echo "error: provide CLOUDFLARE_API_TOKEN, a token file path, or token on stdin" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! command -v fj >/dev/null 2>&1; then
|
||||||
|
echo "error: fj not found in PATH (run: nix develop)" >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
"${root}/scripts/fj-auth-forge.sh" >/dev/null
|
||||||
|
|
||||||
|
# Upsert by delete/create because fj currently exposes create/delete.
|
||||||
|
fj -H "${host}" actions -r "${repo}" secrets delete "${secret_name}" >/dev/null 2>&1 || true
|
||||||
|
fj -H "${host}" actions -r "${repo}" secrets create "${secret_name}" "${token}" >/dev/null
|
||||||
|
|
||||||
|
echo "ok: set ${secret_name} on ${repo} via ${host}"
|
||||||
Loading…
Add table
Add a link
Reference in a new issue