103 lines
3.9 KiB
YAML
103 lines
3.9 KiB
YAML
|
|
id: CCR-2026-0006
|
||
|
|
kind: credential-change-request
|
||
|
|
schema_version: 1
|
||
|
|
request_type: workload-kv-read
|
||
|
|
title: Forgejo operator/admin API token (PAT) lane
|
||
|
|
status: proposed
|
||
|
|
created: '2026-07-12'
|
||
|
|
updated: '2026-07-12'
|
||
|
|
requester:
|
||
|
|
agent: grok
|
||
|
|
message_id: 54125f84-e9df-4fa0-9309-7370633a20d3
|
||
|
|
reason: Establish OpenBao custody for the Forgejo site-admin PAT currently dropped
|
||
|
|
at /tmp/forgejo-tegwick-api-token or FORGEJO_ADMIN_TOKEN on workstations.
|
||
|
|
Drivers include ACTIVITY-WP-0020 weekly package prune and railiance-apps /
|
||
|
|
railiance-platform Forgejo automation tools.
|
||
|
|
review:
|
||
|
|
required: true
|
||
|
|
required_approvers:
|
||
|
|
- platform-operator
|
||
|
|
target:
|
||
|
|
domain: infotech
|
||
|
|
tenant: coulomb
|
||
|
|
workload: forgejo
|
||
|
|
environment: production
|
||
|
|
purpose: Forgejo admin API token for package prune, registry ops, org webhooks,
|
||
|
|
and operator bootstrap on workstations and activity-core worker
|
||
|
|
openbao:
|
||
|
|
mount: platform
|
||
|
|
kv_path: platform/workloads/forgejo/forgejo-admin
|
||
|
|
fields:
|
||
|
|
- API_TOKEN
|
||
|
|
- API_USER
|
||
|
|
- API_BASE_URL
|
||
|
|
- TOKEN_SCOPES
|
||
|
|
- GENERATED_AT
|
||
|
|
policy_name: workload-kv-read-forgejo-admin
|
||
|
|
policy_file: openbao/policies/workload-kv-read-forgejo-admin.hcl
|
||
|
|
auth:
|
||
|
|
method: oidc
|
||
|
|
mount: netkingdom
|
||
|
|
role: forgejo-admin-workload-kv-read
|
||
|
|
allowed_redirect_uris:
|
||
|
|
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
|
||
|
|
- http://localhost:8250/oidc/callback
|
||
|
|
- http://127.0.0.1:8250/oidc/callback
|
||
|
|
oidc_scopes:
|
||
|
|
- openid
|
||
|
|
- profile
|
||
|
|
- email
|
||
|
|
- groups
|
||
|
|
user_claim: sub
|
||
|
|
groups_claim: groups
|
||
|
|
bound_claims:
|
||
|
|
groups:
|
||
|
|
- net-kingdom-admins
|
||
|
|
bound_claims_confirmed: true
|
||
|
|
policies:
|
||
|
|
- workload-kv-read-forgejo-admin
|
||
|
|
ttl: 15m
|
||
|
|
access_frontdoor:
|
||
|
|
type: ops-warden
|
||
|
|
catalog_id: forgejo-admin-api-token
|
||
|
|
selector: forgejo admin PAT package prune FORGEJO_ADMIN_TOKEN
|
||
|
|
command: warden access forgejo-admin-api-token --fetch API_TOKEN
|
||
|
|
resolvable: false
|
||
|
|
readiness: pending-review
|
||
|
|
delivery:
|
||
|
|
surface: operator-workstation
|
||
|
|
target: railiance-platform tools/cmd/forgejo-package-prune, activity-core
|
||
|
|
weekly-forgejo-package-prune shell resolver, and railiance-apps Forgejo tools
|
||
|
|
(load_token pattern after lane verified)
|
||
|
|
risk:
|
||
|
|
classification: high
|
||
|
|
notes:
|
||
|
|
- API_TOKEN is a Forgejo site-admin PAT for user tegwick (coulomb Owners).
|
||
|
|
- Grants package, repository, and admin API operations on forgejo.coulomb.social.
|
||
|
|
- Must not be stored on production hosts or pasted into Git, State Hub, or chat.
|
||
|
|
- ops-warden must proxy reads as the caller and must not retain values.
|
||
|
|
- Distinct from forgejo-mailer (SMTP) and railiance-backup-offsite-lane (WebDAV).
|
||
|
|
verification:
|
||
|
|
positive:
|
||
|
|
- Approved net-kingdom-admins identity can read API_TOKEN through OpenBao or
|
||
|
|
warden access without printing values in logs or hub messages.
|
||
|
|
- warden route find "forgejo admin pat" resolves to catalog id forgejo-admin-api-token.
|
||
|
|
negative:
|
||
|
|
- default-policy token denied on platform/data/workloads/forgejo/forgejo-admin.
|
||
|
|
activation_conditions:
|
||
|
|
- CCR approved by platform-operator.
|
||
|
|
- Policy and OIDC role applied with platform-admin or delegated applier authority.
|
||
|
|
- PAT minted in attended Forgejo session (tegwick → Settings → Applications)
|
||
|
|
and stored at platform/workloads/forgejo/forgejo-admin; metadata fields optional.
|
||
|
|
- Positive and negative verification recorded with non-secret audit references.
|
||
|
|
- ops-warden catalog entry promoted from draft after verification.
|
||
|
|
lifecycle:
|
||
|
|
deactivate: Disable ops-warden catalog entry and detach OIDC role policy; revoke
|
||
|
|
PAT in Forgejo and retire workstation file-drop path.
|
||
|
|
rotate: Mint a new PAT in Forgejo, update API_TOKEN in OpenBao, record non-secret
|
||
|
|
rotation evidence, and restart dependent automation after downstream consumers
|
||
|
|
load from OpenBao.
|
||
|
|
compromised: Revoke PAT in Forgejo immediately, deactivate front door, rotate,
|
||
|
|
audit package/webhook changes, record blast-radius notes.
|
||
|
|
state_hub:
|
||
|
|
workplan_id: ACTIVITY-WP-0020
|