every.channel/evolution/proposals/ECP-0062-ci-age-key-secrets.md
2026-02-16 00:59:52 -05:00

ECP-0062: CI Secrets via Single SSH Identity + Repo-Encrypted Age Files

Status: Draft

Goal

Keep CI secret handling minimal and auditable:

  • one Forgejo Actions secret containing an SSH private key (AGE_FORGE_SSH_KEY),
  • all runtime credentials stored in git as encrypted .age files,
  • no CI dependence on repo cloning tokens (CODEBERG_TOKEN) for deploy.

Non-Goals

  • Replacing local developer token helpers (scripts/fj-auth-codeberg.sh).
  • Defining protocol-level stream key distribution.

Proposal

  1. Deploy workflow uses actions/checkout with github.token and drops the clone fallback path.
  2. Deploy workflow requires one secret only: AGE_FORGE_SSH_KEY.
  3. Deploy workflow decrypts secrets/cloudflare-api-token.age at runtime via age -d -i <key>.
  4. CLOUDFLARE_API_TOKEN is exported into GITHUB_ENV only for the current job.
  5. CODEBERG_TOKEN is removed from deploy workflow requirements.
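Steps 2 to 4 above as a runnable step body, added here as an example and not the project's own workflow code. It assumes `age` is on the runner's PATH, the workflow passes the Actions secret to the step as the AGE_FORGE_SSH_KEY environment variable, and secrets/cloudflare-api-token.age was encrypted to the public half of that SSH key; the empty/multi-line refusal in `export_job_env` is an added safeguard, not something the proposal specifies.

```shell
#!/usr/bin/env sh
# Added example, not the project's own code: body of the deploy workflow's
# "decrypt secrets" step. Assumes `age` is on PATH, the Actions secret is
# passed as env AGE_FORGE_SSH_KEY, and secrets/cloudflare-api-token.age was
# encrypted to the public half of that SSH key.
set -eu

# Write the SSH identity to a 0600 temp file (mktemp creates it that way);
# age accepts an SSH private key as an identity via -i.
write_identity() {
  key_file=$(mktemp)
  printf '%s\n' "$AGE_FORGE_SSH_KEY" > "$key_file"
  echo "$key_file"
}

# Decrypt one .age file with the identity file; plaintext goes to stdout only.
decrypt_age_file() {
  age -d -i "$1" "$2"
}

# Export NAME=VALUE into the current job only, via GITHUB_ENV, after asking
# the runner to mask the value in logs. Refuses empty or multi-line values so
# a failed decryption or a malformed file cannot inject extra env lines.
export_job_env() {
  name=$1
  value=$2
  nl=$(printf '\nx'); nl=${nl%x}   # a literal newline, for the check below
  if [ -z "$value" ]; then
    echo "refusing to export empty $name" >&2; return 1
  fi
  case $value in
    *"$nl"*) echo "refusing to export multi-line $name" >&2; return 1 ;;
  esac
  echo "::add-mask::$value"
  printf '%s=%s\n' "$name" "$value" >> "$GITHUB_ENV"
}

main() {
  key_file=$(write_identity)
  trap 'rm -f "$key_file"' EXIT        # identity never outlives the step
  token=$(decrypt_age_file "$key_file" secrets/cloudflare-api-token.age)
  export_job_env CLOUDFLARE_API_TOKEN "$token"
}

# Run only when the workflow supplied the secret, so the file can also be sourced.
if [ -n "${AGE_FORGE_SSH_KEY:-}" ]; then
  main
fi
```

Because the identity file is removed on exit and the token reaches only GITHUB_ENV, the job log and later jobs never see either value.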

Rationale

This matches the key.store operational model:

  • one root automation identity in Forgejo,
  • encrypted secrets versioned in-repo,
  • no plaintext token files in CI configuration.

It reduces secret sprawl, removes accidental token coupling, and keeps deploy bootstrap deterministic.

Rollout / Reversibility

  • Additive migration:
    • set AGE_FORGE_SSH_KEY in Forgejo,
    • commit encrypted secrets/cloudflare-api-token.age,
    • run deploy.
  • Reversible by reintroducing direct Actions secret env injection if needed.