Move all Forgejo automation tokens off coilysiren onto a dedicated bot account #344
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#344
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Goal
Stop using coilysiren's personal Forgejo account for automation. Create a dedicated bot / service account and move every automation PAT to it.
Why
POST /users/{user}/tokensrequires basic auth by design (token auth is refused, anti-escalation - gitea#21186). The DB-level password-less mint is going away with the ward/wardkdl Forgejo migration (wardkdl has no "against the DB" concept). So every personal-token rotation forces coilysiren to temporarily re-add her account password. A bot account owns its own password, kept out of the human's posture.Tokens to move (the
/forgejo/*user PATs)ci-release-token-write:repository; org Actions secretCI_RELEASE_TOKENoncoilyco-flight-deck(+ per-repo on coilyco-bridge/coily). create-release, agentic-os bump-pin DEFAULT_REV push, Homebrew formula bump.tap-bump-token-write:repository; the tap-writer runner.api-token- admin API token for sweeps / issue creation / org-secret writes.(Cluster secrets
secret-key,internal-token,lfs-jwt-secret,db-password,metrics-tokenare not user PATs and stay.)Work
coily-bot). Decide admin vs scoped:api-tokenwants admin-ish reach; thewrite:repositorytokens only need write on the relevant repos/org (collaborator or an org team).scripts/provision-ci-release-token.sh,scripts/provision-tap-bump-token.sh) to defaultFORGEJO_USERto the bot.Refs
/forgejo/*entry