Sync repo-recall-forgejo-token cluster secret + rotate to read-scoped PAT #359

Closed
opened 2026-06-17 12:07:08 +00:00 by coilysiren · 0 comments
Owner

Cluster secret sync for repo-recall-forgejo-token

repo-recall (#109) now reads REPO_RECALL_FORGEJO_TOKEN to ingest Forgejo issues/PRs/
milestones/commits. The k8s manifest (deploy/repo-recall.yml) wires it as an
optional: true secretKeyRef on secret repo-recall-forgejo-token (key token), so the
pod runs fine while the secret is absent (Forgejo repos just render not configured).

To finish the wiring:

  1. Create the SSM->cluster sync for /coilyco-flight-deck/repo-recall/forgejo-token ->
    secret repo-recall-forgejo-token (key token) in repo-recall's namespace, matching the
    ExternalSecret pattern used for the other repo-recall / forgejo secrets.
  2. Optionally flip REPO_RECALL_REMOTE_FIRST=1 in deploy/repo-recall.yml once the prod
    container stops mounting local clones
    (it currently mounts /workspace/projects, so
    remote-first would only add remote-only repos; with the token alone, already-cloned Forgejo
    repos hydrate via the dispatch path).
  3. Rotate the SSM value from the reused /forgejo/api-token to a dedicated read-scoped Forgejo
    PAT (read:repository, read:issue, read:user) minted in the Forgejo UI.

SSM param documented in agentic-os-kai/SSM.md.
refs coilyco-flight-deck/repo-recall#109

## Cluster secret sync for repo-recall-forgejo-token repo-recall (#109) now reads `REPO_RECALL_FORGEJO_TOKEN` to ingest Forgejo issues/PRs/ milestones/commits. The k8s manifest (`deploy/repo-recall.yml`) wires it as an **`optional: true`** secretKeyRef on secret `repo-recall-forgejo-token` (key `token`), so the pod runs fine while the secret is absent (Forgejo repos just render `not configured`). **To finish the wiring:** 1. Create the SSM->cluster sync for `/coilyco-flight-deck/repo-recall/forgejo-token` -> secret `repo-recall-forgejo-token` (key `token`) in repo-recall's namespace, matching the ExternalSecret pattern used for the other repo-recall / forgejo secrets. 2. Optionally flip `REPO_RECALL_REMOTE_FIRST=1` in `deploy/repo-recall.yml` **once the prod container stops mounting local clones** (it currently mounts `/workspace/projects`, so remote-first would only add remote-only repos; with the token alone, already-cloned Forgejo repos hydrate via the dispatch path). 3. Rotate the SSM value from the reused `/forgejo/api-token` to a dedicated read-scoped Forgejo PAT (`read:repository`, `read:issue`, `read:user`) minted in the Forgejo UI. SSM param documented in agentic-os-kai/SSM.md. refs https://forgejo.coilysiren.me/coilyco-flight-deck/repo-recall/issues/109
Sign in to join this conversation.
No description provided.