diff --git a/Scripts/provision-forgejo-nsc.sh b/Scripts/provision-forgejo-nsc.sh
index 890d9a2..f6ab4d9 100755
--- a/Scripts/provision-forgejo-nsc.sh
+++ b/Scripts/provision-forgejo-nsc.sh
@@ -136,8 +136,46 @@ autoscaler_src="${REPO_ROOT}/services/forgejo-nsc/deploy/autoscaler.yaml"
 if [[ "${REFRESH_TOKEN}" -eq 1 || ! -s "${token_file}" ]]; then
 "${NSC_BIN}" auth check-login --duration 20m >/dev/null
- "${NSC_BIN}" auth generate-dev-token --output_to "${token_file}" >/dev/null
+ raw_token_file="$(mktemp)"
+ trap 'rm -f "${raw_token_file}"; cleanup' EXIT
+ "${NSC_BIN}" auth generate-dev-token --output_to "${raw_token_file}" >/dev/null
+ RAW_NSC_TOKEN_FILE="${raw_token_file}" TOKEN_FILE="${token_file}" python3 - <<'PY'
+import json
+import os
+from pathlib import Path
+
+raw = Path(os.environ["RAW_NSC_TOKEN_FILE"]).read_text(encoding="utf-8").strip()
+if not raw:
+ raise SystemExit("generated Namespace token is empty")
+
+Path(os.environ["TOKEN_FILE"]).write_text(
+ json.dumps({"bearer_token": raw}, indent=2) + "\n",
+ encoding="utf-8",
+)
+PY
+ rm -f "${raw_token_file}"
 chmod 600 "${token_file}"
+elif [[ -s "${token_file}" ]]; then
+ TOKEN_FILE="${token_file}" python3 - <<'PY'
+import json
+import os
+from pathlib import Path
+
+path = Path(os.environ["TOKEN_FILE"])
+raw = path.read_text(encoding="utf-8").strip()
+if not raw:
+ raise SystemExit(0)
+
+try:
+ parsed = json.loads(raw)
+except json.JSONDecodeError:
+ parsed = None
+
+if isinstance(parsed, dict) and isinstance(parsed.get("bearer_token"), str) and parsed["bearer_token"].strip():
+ raise SystemExit(0)
+
+path.write_text(json.dumps({"bearer_token": raw}, indent=2) + "\n", encoding="utf-8")
+PY
 fi
 webhook_secret="$(python3 - <<'PY'
diff --git a/services/forgejo-nsc/README.md b/services/forgejo-nsc/README.md
index f3959de..dbd7e78 100644
--- a/services/forgejo-nsc/README.md
+++ b/services/forgejo-nsc/README.md
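Review bot: The bearer token is written to `${token_file}` by `Path.write_text`, which creates a missing file with the process umask, so in the refresh branch of Scripts/provision-forgejo-nsc.sh the secret can sit at a broader mode until the `chmod 600` that follows the heredoc. The `elif` branch rewrites an existing file in place and never tightens its mode, so a legacy token file with loose permissions keeps them. Adding `os.umask(0o077)` as the first statement after the imports in both heredocs and moving `chmod 600 "${token_file}"` below `fi` would cover both paths. The refresh branch also wraps whatever `nsc` wrote without the JSON check the `elif` branch performs; if `generate-dev-token` ever emits JSON itself the result would be double-wrapped, so reusing the same `bearer_token` test there seems worthwhile. The rest of the script, including the `cleanup` function the new trap calls, is outside the hunk.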
@@ -154,7 +154,9 @@ instances: For Burrow, use `Scripts/provision-forgejo-nsc.sh` to mint the Forgejo PAT, generate a Namespace token from the logged-in namespace account, and render the dispatcher/autoscaler configs into `intake/forgejo_nsc_{dispatcher,autoscaler}.yaml` -plus `intake/forgejo_nsc_token.txt`. +plus `intake/forgejo_nsc_token.txt`. The token file is emitted as JSON with a +`bearer_token` field so both the Compute API path and the `nsc` CLI fallback can +consume the same secret material. For ongoing operations, use `Scripts/sync-forgejo-nsc-config.sh`: