Use client-only WIF runner grants
Some checks failed
Build Rust / Cargo Test (push) Successful in 4m0s
Build Site / Next.js Build (push) Failing after 4s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 6s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 13:34:53 -07:00
parent e7c0442a12
commit 51f34c9a64
3 changed files with 5 additions and 6 deletions

View file

@ -17,9 +17,8 @@ It may manage:
- a non-exportable software KMS signing key for Sparkle Ed25519 appcast
signatures (`sparkle-ed25519`)
- an Authentik-backed WIF pool/provider for Forgejo runners
- the runner service account and its narrow IAM bindings for the
`burrow-automation` group and the Authentik WIF client ID
`google-wif.burrow.net`
- the runner service account and its narrow IAM binding for the Authentik WIF
client ID `google-wif.burrow.net`; human/group grants are opt-in
It must not manage: