Rotate the deploy:host Forgejo runner token (exposed in an agent session) #357

Open
opened 2026-06-17 08:46:40 +00:00 by coilysiren · 0 comments
Owner

The forgejo-runner-deploy-0 runner's registration token (the token field in its .runner config) was printed into a Claude Code session transcript on 2026-06-17 while diagnosing CD failures (coilyco-bridge/deploy#13). The value is not committed and not public, but it was exposed outside the box, so rotate it.

Risk: that token authenticates this runner to the Forgejo instance. The deploy runner is label deploy:host (host execution mode) with kai-server host + cluster access, so a held token could let someone register/impersonate it and gain code execution on kai-server. Treat as sensitive.

Rotate:

  • Forgejo admin UI: Admin > Actions > Runners, delete the forgejo-runner-deploy runner, then let it re-register (it self-registers on restart), or
  • remove the pod's ~/.runner file and restart forgejo-runner-deploy-0 so act_runner re-registers with a fresh token.
  • Confirm the new registration keeps the deploy label so CD still routes.

Origin: an agent ran cat .runner instead of grepping a narrow field while investigating deploy#13. Follow-up: prefer field-scoped reads of runner config in future ops.

The `forgejo-runner-deploy-0` runner's registration token (the `token` field in its `.runner` config) was printed into a Claude Code session transcript on 2026-06-17 while diagnosing CD failures (coilyco-bridge/deploy#13). The value is **not committed and not public**, but it was exposed outside the box, so rotate it. **Risk:** that token authenticates this runner to the Forgejo instance. The deploy runner is label `deploy:host` (host execution mode) with kai-server host + cluster access, so a held token could let someone register/impersonate it and gain code execution on kai-server. Treat as sensitive. **Rotate:** - Forgejo admin UI: Admin > Actions > Runners, delete the `forgejo-runner-deploy` runner, then let it re-register (it self-registers on restart), **or** - remove the pod's `~/.runner` file and restart `forgejo-runner-deploy-0` so act_runner re-registers with a fresh token. - Confirm the new registration keeps the `deploy` label so CD still routes. **Origin:** an agent ran `cat .runner` instead of grepping a narrow field while investigating deploy#13. Follow-up: prefer field-scoped reads of runner config in future ops.
Sign in to join this conversation.
No description provided.