# ECP-0062: CI Secrets via Single SSH Identity + Repo-Encrypted Age Files
Status: Draft
## Goal
Keep CI secret handling minimal and auditable:
- one Forgejo Actions secret containing an SSH private key (`AGE_FORGE_SSH_KEY`),
- all runtime credentials stored in git as encrypted `.age` files,
- no CI dependence on repo cloning tokens (`CODEBERG_TOKEN`) for deploy.
## Non-Goals
- Replacing local developer token helpers (`scripts/fj-auth-codeberg.sh`).
- Defining protocol-level stream key distribution.
## Proposal
1. Deploy workflow uses `actions/checkout` with `github.token` and drops the clone fallback path.
2. Deploy workflow requires one secret only: `AGE_FORGE_SSH_KEY`.
3. Deploy workflow decrypts `secrets/cloudflare-api-token.age` at runtime via `age -d -i <key>`.
4. `CLOUDFLARE_API_TOKEN` is exported into `GITHUB_ENV` only for the current job.
5. `CODEBERG_TOKEN` is removed from deploy workflow requirements.
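
Example deploy workflow wiring steps 1 to 5 together, added here as an illustration rather than the project's own workflow file; the runner label, the apt-based `age` install, the `::add-mask::` command and the `scripts/deploy.sh` path are assumptions.

```yaml
# Added example for ECP-0062, not the project's actual deploy workflow.
# Assumptions: the runner label is `docker` on a Debian/Ubuntu image where
# `age` is installable via apt, secrets/cloudflare-api-token.age was produced
# with `age -R <ssh-public-key-file>` for the matching SSH identity, and
# scripts/deploy.sh reads CLOUDFLARE_API_TOKEN from its environment.
name: deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ github.token }}   # step 1: no CODEBERG_TOKEN, no clone fallback

      - name: Install age
        run: sudo apt-get update && sudo apt-get install -y age

      - name: Decrypt Cloudflare token with the single SSH identity
        env:
          AGE_FORGE_SSH_KEY: ${{ secrets.AGE_FORGE_SSH_KEY }}   # step 2: the only secret
        run: |
          set -euo pipefail
          umask 077                                 # key file readable by this job only
          keyfile="$(mktemp)"
          printf '%s\n' "$AGE_FORGE_SSH_KEY" > "$keyfile"
          # step 3: SSH private key acts as the age identity
          token="$(age -d -i "$keyfile" secrets/cloudflare-api-token.age)"
          rm -f "$keyfile"                          # do not leave the key on disk
          echo "::add-mask::$token"                 # keep the token out of job logs
          # step 4: visible to later steps of this job only
          echo "CLOUDFLARE_API_TOKEN=$token" >> "$GITHUB_ENV"

      - name: Deploy
        run: ./scripts/deploy.sh   # assumption: consumes CLOUDFLARE_API_TOKEN
```

A failed decryption (wrong identity or corrupted `.age` file) makes `age` exit non-zero, so `set -e` aborts the job before any deploy step runs.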
## Rationale
This matches the key.store operational model:
- one root automation identity in Forgejo,
- encrypted secrets versioned in-repo,
- no plaintext token files in CI configuration.
It reduces secret sprawl, removes accidental token coupling, and keeps deploy bootstrap deterministic.
## Rollout / Reversibility
- Additive migration:
  - set `AGE_FORGE_SSH_KEY` in Forgejo,
  - commit encrypted `secrets/cloudflare-api-token.age`,
  - run deploy.
- Reversible by reintroducing direct Actions secret env injection if needed.