Move all Forgejo automation tokens off coilysiren onto a dedicated bot account #344

Open
opened 2026-06-15 18:35:41 +00:00 by coilysiren · 0 comments
Owner

Goal

Stop using coilysiren's personal Forgejo account for automation. Create a dedicated bot / service account and move every automation PAT to it.

Why

  • Blast radius. Today automation runs as coilysiren (admin, id 1). A leaked CI token acts as the human admin; a compromised human account takes automation with it. A bot isolates both directions.
  • No human-password in the rotation loop. Forgejo's POST /users/{user}/tokens requires basic auth by design (token auth is refused, anti-escalation - gitea#21186). The DB-level password-less mint is going away with the ward/wardkdl Forgejo migration (wardkdl has no "against the DB" concept). So every personal-token rotation forces coilysiren to temporarily re-add her account password. A bot account owns its own password, kept out of the human's posture.
  • Auditability. Bot-authored commits/releases/tags read as automation, not Kai.

Tokens to move (the /forgejo/* user PATs)

  • ci-release-token - write:repository; org Actions secret CI_RELEASE_TOKEN on coilyco-flight-deck (+ per-repo on coilyco-bridge/coily). create-release, agentic-os bump-pin DEFAULT_REV push, Homebrew formula bump.
  • tap-bump-token - write:repository; the tap-writer runner.
  • api-token - admin API token for sweeps / issue creation / org-secret writes.

(Cluster secrets secret-key, internal-token, lfs-jwt-secret, db-password, metrics-token are not user PATs and stay.)

Work

  1. Create a Forgejo bot user (name TBD - e.g. coily-bot). Decide admin vs scoped: api-token wants admin-ish reach; the write:repository tokens only need write on the relevant repos/org (collaborator or an org team).
  2. Re-mint each token under the bot; update SSM + the org/repo Actions secrets.
  3. Repoint provisioning scripts (scripts/provision-ci-release-token.sh, scripts/provision-tap-bump-token.sh) to default FORGEJO_USER to the bot.
  4. Fold the bot identity into the ward/wardkdl Forgejo migration so it's the canonical automation principal there, not a personal account.

Refs

## Goal Stop using **coilysiren's personal** Forgejo account for automation. Create a dedicated **bot / service account** and move every automation PAT to it. ## Why - **Blast radius.** Today automation runs as coilysiren (admin, id 1). A leaked CI token acts as the human admin; a compromised human account takes automation with it. A bot isolates both directions. - **No human-password in the rotation loop.** Forgejo's `POST /users/{user}/tokens` requires **basic auth** by design (token auth is refused, anti-escalation - gitea#21186). The DB-level password-less mint is going away with the ward/wardkdl Forgejo migration (wardkdl has no "against the DB" concept). So every personal-token rotation forces coilysiren to temporarily re-add her account password. A bot account owns its own password, kept out of the human's posture. - **Auditability.** Bot-authored commits/releases/tags read as automation, not Kai. ## Tokens to move (the `/forgejo/*` user PATs) - `ci-release-token` - `write:repository`; org Actions secret `CI_RELEASE_TOKEN` on `coilyco-flight-deck` (+ per-repo on coilyco-bridge/coily). create-release, agentic-os bump-pin DEFAULT_REV push, Homebrew formula bump. - `tap-bump-token` - `write:repository`; the tap-writer runner. - `api-token` - admin API token for sweeps / issue creation / org-secret writes. (Cluster secrets `secret-key`, `internal-token`, `lfs-jwt-secret`, `db-password`, `metrics-token` are not user PATs and stay.) ## Work 1. Create a Forgejo bot user (name TBD - e.g. `coily-bot`). Decide admin vs scoped: `api-token` wants admin-ish reach; the `write:repository` tokens only need write on the relevant repos/org (collaborator or an org team). 2. Re-mint each token under the bot; update SSM + the org/repo Actions secrets. 3. Repoint provisioning scripts (`scripts/provision-ci-release-token.sh`, `scripts/provision-tap-bump-token.sh`) to default `FORGEJO_USER` to the bot. 4. Fold the bot identity into the ward/wardkdl Forgejo migration so it's the canonical automation principal there, not a personal account. ## Refs - CI fix that surfaced this: coilyco-flight-deck/infrastructure#343 - agentic-os-kai/SSM.md `/forgejo/*` entry
Sign in to join this conversation.
No description provided.