# ECP-0062: CI Secrets via Single SSH Identity + Repo-Encrypted Age Files

Status: Draft

## Goal

Keep CI secret handling minimal and auditable:

- one Forgejo Actions secret containing an SSH private key (`AGE_FORGE_SSH_KEY`),
- all runtime credentials stored in git as encrypted `.age` files,
- no CI dependence on repo cloning tokens (`CODEBERG_TOKEN`) for deploy.

## Non-Goals

- Replacing local developer token helpers (`scripts/fj-auth-codeberg.sh`).
- Defining protocol-level stream key distribution.

## Proposal

1. Deploy workflow uses `actions/checkout` with `github.token` and drops the clone fallback path.
2. Deploy workflow requires one secret only: `AGE_FORGE_SSH_KEY`.
3. Deploy workflow decrypts `secrets/cloudflare-api-token.age` at runtime via `age -d -i`.
4. `CLOUDFLARE_API_TOKEN` is exported into `GITHUB_ENV` only for the current job.
5. `CODEBERG_TOKEN` is removed from deploy workflow requirements.

## Rationale

This matches the key.store operational model:

- one root automation identity in Forgejo,
- encrypted secrets versioned in-repo,
- no plaintext token files in CI configuration.

It reduces secret sprawl, removes accidental token coupling, and keeps deploy bootstrap deterministic.

## Rollout / Reversibility

- Additive migration:
  - set `AGE_FORGE_SSH_KEY` in Forgejo,
  - commit encrypted `secrets/cloudflare-api-token.age`,
  - run deploy.
- Reversible by reintroducing direct Actions secret env injection if needed.
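The decrypt-and-export step from Proposal items 2 to 4, as an added POSIX shell helper that is not part of the proposal or the repository. It assumes `age` is on the runner's PATH, that the runner honors the `::add-mask::` log-masking command, and that a workflow step invokes it as `sh scripts/ci-decrypt-secret.sh run` (hypothetical path).

```shell
#!/bin/sh
# Hypothetical CI helper (not from the repo): turns the AGE_FORGE_SSH_KEY secret
# into an age identity file, decrypts one repo-encrypted .age file, and exports
# the plaintext to the rest of the current job through GITHUB_ENV.
set -eu

# Write the SSH private key to a 0600 temp file outside the checkout and print
# its path. Runs in a subshell via $(...), so the umask change does not leak.
write_identity() {
  umask 077
  ident="$(mktemp)"
  printf '%s\n' "$1" > "$ident"
  printf '%s\n' "$ident"
}

# Decrypt one .age file with the identity file; plaintext goes to stdout only.
decrypt_age_file() {
  age -d -i "$1" "$2"
}

# Append NAME=value to GITHUB_ENV after asking the runner to mask the value in
# logs. Multi-line values are refused: the one-line NAME=value form would
# silently leak the remaining lines as unmasked, malformed env entries.
export_to_job_env() {
  name="$1"; value="$2"
  if [ "$(printf '%s' "$value" | wc -l | tr -d ' ')" -ne 0 ]; then
    echo "refusing multi-line value for $name" >&2
    return 1
  fi
  printf '::add-mask::%s\n' "$value"
  printf '%s=%s\n' "$name" "$value" >> "${GITHUB_ENV:?GITHUB_ENV not set}"
}

# Full step: identity file is removed on exit even if decryption fails.
main_decrypt() {
  ident="$(write_identity "${AGE_FORGE_SSH_KEY:?secret not set}")"
  trap 'rm -f "$ident"' EXIT
  token="$(decrypt_age_file "$ident" secrets/cloudflare-api-token.age)"
  export_to_job_env CLOUDFLARE_API_TOKEN "$token"
}

if [ "${1:-}" = run ]; then
  main_decrypt
fi
```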