Use client-only WIF runner grants
This commit is contained in:
parent
e7c0442a12
commit
51f34c9a64
3 changed files with 5 additions and 6 deletions
|
|
@ -17,9 +17,8 @@ It may manage:
|
|||
- a non-exportable software KMS signing key for Sparkle Ed25519 appcast
|
||||
signatures (`sparkle-ed25519`)
|
||||
- an Authentik-backed WIF pool/provider for Forgejo runners
|
||||
- the runner service account and its narrow IAM bindings for the
|
||||
`burrow-automation` group and the Authentik WIF client ID
|
||||
`google-wif.burrow.net`
|
||||
- the runner service account and its narrow IAM binding for the Authentik WIF
|
||||
client ID `google-wif.burrow.net`; human/group grants are opt-in
|
||||
|
||||
It must not manage:
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue