Fix Authentik WIF client credentials
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Successful in 2m46s
Build Rust / Cargo Test (push) Successful in 4m1s
Build Site / Next.js Build (push) Failing after 4s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 13:07:34 -07:00
parent 8180c3c35a
commit e7c0442a12
6 changed files with 107 additions and 35 deletions

View file

@ -85,6 +85,14 @@ The same change also makes the forge itself the release authority: release tags
token endpoint, not a provider-slug child path. The helper should prefer an
explicit `BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT`, then OIDC discovery, then the
Authentik `/application/o/token/` fallback derived from the configured issuer.
- The Google WIF Authentik application is a machine-to-machine
client-credentials provider. It must not default to a human group policy
binding, because the token exchange has no interactive user and Authentik will
reject the grant before Google WIF can validate the issued JWT.
- Forgejo should store the Authentik WIF credential as the client-credentials
`client_secret` form value. For service-account authentication, that value is
`base64("<service-account-username>:<app-password-token>")`; the helper must
send it as form data, not HTTP Basic auth.
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.