Rotate operator secrets into agenix and deepen caches

This commit is contained in:
Conrad Kramer 2026-03-19 00:28:18 -07:00
parent 7039bf5aad
commit 03415e579b
28 changed files with 526 additions and 126 deletions


@ -155,11 +155,12 @@ instances:
```
For Burrow, use `Scripts/provision-forgejo-nsc.sh` to mint the Forgejo PAT,
generate a Namespace token from the logged-in namespace account, and render
bootstrap artifacts into `intake/forgejo_nsc_{dispatcher,autoscaler}.yaml` plus
`intake/forgejo_nsc_token.txt`. The token file is emitted as JSON with a
`bearer_token` field so both the Compute API path and the `nsc` CLI fallback can
consume the same secret material.
generate a Namespace token from the logged-in Namespace account, and refresh
`secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age`.
The token file is emitted as JSON with a `bearer_token` field so both the
Compute API path and the `nsc` CLI fallback can consume the same secret
material. Use `--write-intake` only when you explicitly need local plaintext
debug copies.
Long-lived runtime state is now sourced from age-encrypted files:
@ -169,10 +170,9 @@ Long-lived runtime state is now sourced from age-encrypted files:
- `secrets/forgejo/nsc-dispatcher-config.age`
- `secrets/forgejo/nsc-autoscaler-config.age`
After refreshing the intake files, re-encrypt them into `secrets/forgejo/*.age`
and deploy the forge host so `config.age.secrets.*` updates the live paths for
`services.burrow.forge`, `services.burrow.forgeRunner`, and
`services.burrow.forgejoNsc`.
After refreshing the encrypted secrets, deploy the forge host so
`config.age.secrets.*` updates the live paths for `services.burrow.forge`,
`services.burrow.forgeRunner`, and `services.burrow.forgejoNsc`.
Run it next to the dispatcher:


@ -602,6 +602,18 @@ if ! mkdir -p "/Users/runner/.cache/act" 2>/dev/null; then
fi
export PATH="/usr/local/bin:/opt/homebrew/bin:/usr/bin:/bin:/usr/sbin:/sbin:${PATH}"
cache_root="${NSC_CACHE_PATH:-$HOME/.cache/burrow}"
mkdir -p \
"${cache_root}/bin" \
"${cache_root}/downloads" \
"${cache_root}/go/path" \
"${cache_root}/go/mod" \
"${cache_root}/go/build" \
"${cache_root}/homebrew"
export HOMEBREW_CACHE="${cache_root}/homebrew"
export GOPATH="${cache_root}/go/path"
export GOMODCACHE="${cache_root}/go/mod"
export GOCACHE="${cache_root}/go/build"
if ! command -v curl >/dev/null 2>&1; then
echo "curl is required" >&2
@ -622,14 +634,18 @@ export PATH="${PWD}/bin:${PATH}"
runner_version="v12.6.4"
runner_src_tgz="forgejo-runner-${runner_version}.tar.gz"
runner_src_tgz_path="${cache_root}/downloads/${runner_src_tgz}"
runner_src_url="https://code.forgejo.org/forgejo/runner/archive/${runner_version}.tar.gz"
runner_src_dir="forgejo-runner-src"
runner_bin_cache="${cache_root}/bin/forgejo-runner-${runner_version}"
if ! command -v forgejo-runner >/dev/null 2>&1; then
if [[ ! -x "${runner_bin_cache}" ]]; then
rm -rf "${runner_src_dir}"
mkdir -p "${runner_src_dir}"
curl -fsSL "${runner_src_url}" -o "${runner_src_tgz}"
tar -xzf "${runner_src_tgz}" -C "${runner_src_dir}" --strip-components=1
if [[ ! -f "${runner_src_tgz_path}" ]]; then
curl -fsSL "${runner_src_url}" -o "${runner_src_tgz_path}"
fi
tar -xzf "${runner_src_tgz_path}" -C "${runner_src_dir}" --strip-components=1
toolchain="$(grep -E '^toolchain ' "${runner_src_dir}/go.mod" | awk '{print $2}' | head -n 1 || true)"
if [ -z "${toolchain}" ]; then
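Review bot: The new cache check `if [[ ! -f "${runner_src_tgz_path}" ]]` trusts any file present at the cache path, but `curl -fsSL ... -o "${runner_src_tgz_path}"` writes directly to that path, so a transfer that dies mid-stream leaves a truncated tarball that every later run will skip downloading and feed to `tar`; the same pattern appears for `go_tgz_path` in the next hunk. Download to a temporary name and `mv` it into place once curl has succeeded, so only a complete artifact ever lands at the cached path. Since these archives now persist across runs in a shared cache root, it would also be worth verifying a digest before extracting (go.dev publishes a `.sha256` sidecar for each toolchain archive; the Forgejo runner tarball could be pinned to a known digest) rather than relying on the file's presence alone. I also cannot tell from this view whether the `export GOPATH="${PWD}/.gopath"` lines in the next hunk survive on the new side; if they do, they override the `${cache_root}/go/*` exports added in the first hunk before `go build` runs, which would undo the cache deepening this commit intends. The enclosing `if ! command -v forgejo-runner` block continues past this hunk.
```shell
if [[ ! -f "${runner_src_tgz_path}" ]]; then
  # Fetch to a temporary name so an interrupted transfer never leaves a
  # truncated tarball at the cache path that later runs would reuse.
  curl -fsSL "${runner_src_url}" -o "${runner_src_tgz_path}.tmp"
  mv -f "${runner_src_tgz_path}.tmp" "${runner_src_tgz_path}"
fi
# … unchanged: tar extraction and toolchain detection …
```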
@ -639,21 +655,23 @@ if ! command -v forgejo-runner >/dev/null 2>&1; then
if ! command -v go >/dev/null 2>&1; then
go_tgz="${toolchain}.darwin-arm64.tar.gz"
go_url="https://go.dev/dl/${go_tgz}"
curl -fsSL "${go_url}" -o "${go_tgz}"
tar -xzf "${go_tgz}"
go_tgz_path="${cache_root}/downloads/${go_tgz}"
if [[ ! -f "${go_tgz_path}" ]]; then
curl -fsSL "${go_url}" -o "${go_tgz_path}"
fi
tar -xzf "${go_tgz_path}"
export GOROOT="${PWD}/go"
export PATH="${GOROOT}/bin:${PATH}"
fi
export GOPATH="${PWD}/.gopath"
export GOMODCACHE="${PWD}/.gomodcache"
export GOCACHE="${PWD}/.gocache"
mkdir -p "${GOPATH}" "${GOMODCACHE}" "${GOCACHE}"
(cd "${runner_src_dir}" && go build -o "${workdir}/bin/forgejo-runner" .)
chmod +x "${workdir}/bin/forgejo-runner"
(cd "${runner_src_dir}" && go build -o "${runner_bin_cache}" .)
chmod +x "${runner_bin_cache}"
fi
ln -sf "${runner_bin_cache}" "${workdir}/bin/forgejo-runner"
cat > runner.yaml <<'EOF'
log:
level: info