Rebuild Forgejo PATs under the coilyco-ops bot (after the token wipe) #384
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#384
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Context
All coilysiren personal Forgejo PATs were deleted (after an
all-scopesadmintoken leaked into a build log viaset -eux- see agentic-os#223 fixe329ba8). Nothing is insecure now, just broken: anything that read those tokens is down. Rebuilding bot-centric (coilyco-ops) instead of personal.Current state (verified)
/forgejo/coilyco-ops/api-token(bot PAT -ward ops forgejostill works) and/forgejo/coilyco-ops/password. The bot has push on org repos (permissions: {admin:false, pull:true, push:true}), so it is a viable replacement for coilysiren./forgejo/api-token(was theadmin/all token),/forgejo/ci-release-token,/forgejo/flux-deploy-token,/forgejo/registry-read-token.internal-token,metrics-token,secret-key,lfs-jwt-secret,db-password,oauth-github/*.Target token set (least privilege, all under
coilyco-ops)/forgejo/api-tokenward-container-pushwrite:repository/forgejo/ci-release-tokenci-releasewrite:repository/forgejo/flux-deploy-tokenflux-deployread:repository/forgejo/registry-read-tokenregistry-readread:packageNo more
all/admin token in the hot path. Mint a separate real admin token by hand only if/when needed.Step 1 - mint the tokens (run on a host with AWS + the bot password in SSM)
Saves to the same SSM paths so consumers keep reading them. Token values never hit stdout/argv (basic auth via curlrc,
.sha1-> 0600cli-input-json->ssm put-parameter).Step 2 - repoint the ward git cred-helper (code; coilyco-flight-deck/ward)
The git-over-HTTPS push user is hardcoded
coilysirenin two spots; the username must match the new token's owner (coilyco-ops):cmd/ward/containerassets/entrypoint.sh-printf 'https://%s:%s@%s\n' coilysiren ...->coilyco-opscmd/ward/container_bootstrap.go-fmt.Sprintf("https://%s:%s@%s\n", "coilysiren", ...)->coilyco-ops(Also worth flipping the registry login user in agentic-os
.forgejo/workflows/release.ymlfromcoilysirentocoilyco-ops- already staged on theissue-223branch.)Step 3 - CI Actions secrets (admin-only; needs a human)
The bot is
admin:false, so it cannot set Actions secrets via API. For each repo's release/registry workflow, set the Actions secret to the matching new bot token value:REGISTRY_TOKEN(registry push) - mint awrite:packagebot token for this (not in the SSM set above; CI-only).CI_RELEASE_TOKEN/FORGEJO_PUSH_TOKEN- theci-releasetoken value.CI_RELEASE_TOKEN, FORGEJO_PUSH_TOKEN, REGISTRY_TOKEN, GH_PUSH_TOKEN, DATASTORE_TOKEN, DOCKERHUB_*- confirm which are Forgejo PATs vs other.Step 4 - validate
ward agent claude headless <issue>run lands a commit ascoilyco-ops.Related
e329ba8.Triage:
P1/interactive- Bot tokens (ci-release/registry-read/flux-deploy) are dead; restoring broken capability, but CI Actions secrets need a human and token-minting is sensitive.(goose-style pass; claude as the judgment engine, applied 2026-06-23)
WARD-RESERVATION: held 🔒
reservation details
Holder: container
engineer-codex-infrastructure-384on hostkais-macbook-pro-2.local.Reserved by
ward agent --harness codex(reserved 2026-07-10T12:51:13Z). Concurrentward agentruns are blocked until it finishes or the reservation goes stale (1h TTL).--forceoverrides.Do not comment on or edit this issue to steer the run while it is reserved. The engineer seeded the body once at launch and never re-reads it, so a comment or edit reaches only human readers, never the running engineer. A correction goes to a new issue, dispatched fresh. That is the only channel that reaches a run in flight. Where the forge supports it, ward locks this conversation to make that a road-block rather than a convention (ward#494).
run seed context — what this run is carrying (ward#609)
coilyco-flight-deck/infrastructure#384· branchissue-384· harnesscodex· workflowdirect-mainengineer-codex-infrastructure-384· wardv0.580.0· dispatched2026-07-10T12:51:13ZStatic container doctrine and seed boilerplate are identical every run and omitted here (they ride ward v0.580.0).
— Codex, via
ward agentWARD-OUTCOME: done
details
workflow: direct-to-main; review summary: review gate skipped by ~/.ward/config.yaml default
felt: implementation was mostly token wiring and doc alignment. The only surprise was origin/main advancing twice while I landed the branch.
confidence: high
surprises: remote main moved during merge and push, so I merged the current remote main twice before the final push.
follow-ups: none unless the live AWS account needs a credentialed plan check for import drift.