Stabilize forgejo namespace auth and secrets
Some checks failed
Build Apple / Build App (iOS Simulator) (push) Has been cancelled
Build Rust / Cargo Test (push) Failing after 9s
Build Site / Next.js Build (push) Failing after 8s
Build Apple / Build App (macOS) (push) Has been cancelled

Conrad Kramer 2026-03-19 04:08:10 -07:00
parent 5c0a9b3f54
commit 5b09f3a742
8 changed files with 59 additions and 49 deletions

@ -158,10 +158,11 @@ instances:
For Burrow, use `Scripts/provision-forgejo-nsc.sh` to mint the Forgejo PAT,
generate a Namespace token from the logged-in Namespace account, and refresh
`secrets/forgejo/{nsc-token,nsc-dispatcher-config,nsc-autoscaler-config}.age`.
The token file is emitted as JSON with a `bearer_token` field so both the
Compute API path and the `nsc` CLI fallback can consume the same secret
material. The forge host consumes the encrypted secrets through agenix; avoid
keeping local plaintext `intake/` copies around.
The token file is emitted as JSON with a long-lived `session_token` plus the
current `bearer_token`. The `nsc` CLI paths use the session-backed login flow,
while the Compute API path can consume the bearer token directly. The forge
host consumes the encrypted secrets through agenix; avoid keeping local
plaintext `intake/` copies around.
Long-lived runtime state is now sourced from age-encrypted files:
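Review bot: The added paragraph puts a long-lived `session_token` in the same JSON file as the `bearer_token`, so the Compute API path, which per this text only needs the bearer token, can also read the longer-lived credential. Consider splitting the two into separate age-encrypted files, or say here why a single file is required. The text also calls the bearer token "current" without saying how it is refreshed, and gives no rotation or revocation step for the `session_token`; a sentence on both (for example, whether re-running `Scripts/provision-forgejo-nsc.sh` is the expected refresh path) would help operators.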