Remove site-admin Forgejo PAT from non-interactive runner paths #513

Closed
opened 2026-07-09 22:21:44 +00:00 by coilyco-ops · 2 comments
Member

Problem

The broad /forgejo/api-token admin PAT is used in non-interactive paths:

  • deploy/forgejo-runner.yml syncs it into forgejo-runner-secrets and each runner init container uses it to call /api/v1/admin/runners/registration-token.
  • deploy/forgejo-runner-deploy.yml syncs it into forgejo-runner-deploy-secrets for the same registration-token call.
  • deploy/forgejo-runner-tap-writer.yml syncs it into forgejo-tap-writer-secrets for the same registration-token call.
  • Legacy mirror scripts read it from SSM, though infrastructure#365 already tracks replacing the unsafe mirror path.
  • Some local helpers fall back to it for git/docker auth.

This puts a broad admin PAT inside long-running automation where a narrower credential or operator-only path should be used.

Desired behavior

Reduce non-interactive dependence on /forgejo/api-token:

  • For runner registration, investigate the narrowest credential that can mint/register runners, or move registration behind a safer operator/bootstrap step if Forgejo requires admin for that endpoint.
  • Do not mount the site-admin PAT into runner pods if a narrower path exists.
  • Keep the runner token TTL work from infrastructure#510/#511 separate: TTL rotates .runner; this issue reduces the credential used to mint/register the runner.
  • Leave legacy mirror cleanup to infrastructure#365 unless this work needs to touch the same token path.
  • Document any remaining uses that truly require the admin PAT and mark them operator-only.

Verification

rg /forgejo/api-token deploy scripts systemd should show no long-running non-interactive consumer unless it is explicitly documented as unavoidable.

## Problem The broad `/forgejo/api-token` admin PAT is used in non-interactive paths: - `deploy/forgejo-runner.yml` syncs it into `forgejo-runner-secrets` and each runner init container uses it to call `/api/v1/admin/runners/registration-token`. - `deploy/forgejo-runner-deploy.yml` syncs it into `forgejo-runner-deploy-secrets` for the same registration-token call. - `deploy/forgejo-runner-tap-writer.yml` syncs it into `forgejo-tap-writer-secrets` for the same registration-token call. - Legacy mirror scripts read it from SSM, though infrastructure#365 already tracks replacing the unsafe mirror path. - Some local helpers fall back to it for git/docker auth. This puts a broad admin PAT inside long-running automation where a narrower credential or operator-only path should be used. ## Desired behavior Reduce non-interactive dependence on `/forgejo/api-token`: - For runner registration, investigate the narrowest credential that can mint/register runners, or move registration behind a safer operator/bootstrap step if Forgejo requires admin for that endpoint. - Do not mount the site-admin PAT into runner pods if a narrower path exists. - Keep the runner token TTL work from infrastructure#510/#511 separate: TTL rotates `.runner`; this issue reduces the credential used to mint/register the runner. - Leave legacy mirror cleanup to infrastructure#365 unless this work needs to touch the same token path. - Document any remaining uses that truly require the admin PAT and mark them operator-only. ## Verification `rg /forgejo/api-token deploy scripts systemd` should show no long-running non-interactive consumer unless it is explicitly documented as unavoidable.
Author
Member

WARD-RESERVATION: held 🔒

reservation details

Holder: container engineer-codex-infrastructure-513 on host kais-macbook-pro-2.local.

Reserved by ward agent --harness codex (reserved 2026-07-09T22:21:51Z). Concurrent ward agent runs are blocked until it finishes or the reservation goes stale (1h TTL). --force overrides.

Do not comment on or edit this issue to steer the run while it is reserved. The engineer seeded the body once at launch and never re-reads it, so a comment or edit reaches only human readers, never the running engineer. A correction goes to a new issue, dispatched fresh. That is the only channel that reaches a run in flight. Where the forge supports it, ward locks this conversation to make that a road-block rather than a convention (ward#494).

run seed context — what this run is carrying (ward#609)
  • Resolved: coilyco-flight-deck/infrastructure#513 · branch issue-513 · harness codex · workflow direct-to-main
  • Run: engineer-codex-infrastructure-513 · ward v0.493.0 · dispatched 2026-07-09T22:21:51Z
  • Comment thread: 0 included in the pre-flight read, 0 stripped (ward's own automated comments).

Static container doctrine and seed boilerplate are identical every run and omitted here (they ride ward v0.493.0).

— Codex, via ward agent

<!-- ward-agent-reservation --> WARD-RESERVATION: held 🔒 <details><summary>reservation details</summary> Holder: container `engineer-codex-infrastructure-513` on host `kais-macbook-pro-2.local`. Reserved by `ward agent --harness codex` (reserved 2026-07-09T22:21:51Z). Concurrent `ward agent` runs are blocked until it finishes or the reservation goes stale (1h TTL). `--force` overrides. **Do not comment on or edit this issue to steer the run while it is reserved.** The engineer seeded the body once at launch and never re-reads it, so a comment or edit reaches only human readers, never the running engineer. A correction goes to a **new issue, dispatched fresh**. That is the only channel that reaches a run in flight. Where the forge supports it, ward locks this conversation to make that a road-block rather than a convention (ward#494). <details><summary>run seed context — what this run is carrying (ward#609)</summary> - **Resolved:** `coilyco-flight-deck/infrastructure#513` · branch `issue-513` · harness `codex` · workflow `direct-to-main` - **Run:** `engineer-codex-infrastructure-513` · ward `v0.493.0` · dispatched `2026-07-09T22:21:51Z` - **Comment thread:** 0 included in the pre-flight read, 0 stripped (ward's own automated comments). Static container doctrine and seed boilerplate are identical every run and omitted here (they ride ward v0.493.0). </details> </details> <!-- ward-agent-signature --> — Codex, via `ward agent`
Author
Member

WARD-OUTCOME: done

details

review summary: skipped by ~/.ward/config.yaml default.
workflow: direct-to-main; review summary: skipped by ~/.ward/config.yaml default.
felt: straightforward token split with a small docs pass.
confidence: high.
surprises: pre-commit needed a local UV_PYTHON_INSTALL_DIR override in this container.
follow-ups: legacy mirror cleanup stays on infrastructure#365.

WARD-OUTCOME: done ✅ <details><summary>details</summary> review summary: skipped by ~/.ward/config.yaml default. workflow: direct-to-main; review summary: skipped by ~/.ward/config.yaml default. felt: straightforward token split with a small docs pass. confidence: high. surprises: pre-commit needed a local UV_PYTHON_INSTALL_DIR override in this container. follow-ups: legacy mirror cleanup stays on infrastructure#365. </details>
Sign in to join this conversation.
No description provided.