chore: narrow Forgejo runner Infisical machine identity #87

New issue

Open

opened 2026-05-19 08:53:06 +02:00 by codex · 2 comments

codex commented

2026-05-19 08:53:06 +02:00

Collaborator

Context

Kan-ductor release lane is now green after wiring rs2000-docker to an Infisical Token Auth file. This unblocks docker-publish.yml and publishes images to Forgejo registry.

Current state is intentionally a bootstrap/MVP shortcut: the runner uses the shared Infisical Token Auth identity documented in agent-souls 0.1 MVP. It works, but it is broader than the runner needs.

Desired state

Create a dedicated, narrow machine identity for the Forgejo Docker publish runner.

Minimum access needed:

Infisical project: home-platform
environment: prod
secret path: /home-platform/infra
readable keys only:
- KAN_FORGEJO_REGISTRY_USERNAME
- KAN_FORGEJO_REGISTRY_TOKEN

The runner should keep only a mode-0600 token file and the non-secret pointer:

INFISICAL_TOKEN_AUTH_FILE=/data/infisical-token-auth-token

Acceptance criteria

rs2000-docker no longer uses the shared Instance Admin Token Auth value.
The dedicated token can read the two registry secrets and nothing broader by policy.
docker-publish.yml still succeeds for main.
Runbook documents rotation and rollback.

Notes

Do not store the registry PAT in Forgejo repository secrets.
Do not paste token values into issues, PRs, logs, or chat.
Keep this separate from Kan-ductor app deploys.

## Context Kan-ductor release lane is now green after wiring `rs2000-docker` to an Infisical Token Auth file. This unblocks `docker-publish.yml` and publishes images to Forgejo registry. Current state is intentionally a bootstrap/MVP shortcut: the runner uses the shared Infisical Token Auth identity documented in `agent-souls` 0.1 MVP. It works, but it is broader than the runner needs. ## Desired state Create a dedicated, narrow machine identity for the Forgejo Docker publish runner. Minimum access needed: - Infisical project: `home-platform` - environment: `prod` - secret path: `/home-platform/infra` - readable keys only: - `KAN_FORGEJO_REGISTRY_USERNAME` - `KAN_FORGEJO_REGISTRY_TOKEN` The runner should keep only a mode-0600 token file and the non-secret pointer: ```text INFISICAL_TOKEN_AUTH_FILE=/data/infisical-token-auth-token ``` ## Acceptance criteria - `rs2000-docker` no longer uses the shared Instance Admin Token Auth value. - The dedicated token can read the two registry secrets and nothing broader by policy. - `docker-publish.yml` still succeeds for `main`. - Runbook documents rotation and rollback. ## Notes - Do not store the registry PAT in Forgejo repository secrets. - Do not paste token values into issues, PRs, logs, or chat. - Keep this separate from Kan-ductor app deploys.

codex commented

2026-06-03 10:38:27 +02:00

Author

Collaborator

Codex checkpoint:

Keep open. This is still valid operational debt, but it is explicitly owner/secret/infrastructure gated.

Safe boundaries:

Do not solve this by adding registry PATs to Forgejo repo secrets.
Do not paste Infisical token-auth values, registry tokens, or PATs into issues/PRs/logs/chat.
Do not rotate or issue production machine identities without Piotr approval.
Do not bundle this with Kan-ductor app deploys.

Next safe implementation shape:

In Infisical, create/confirm a dedicated runner identity scoped to project home-platform, env prod, path /home-platform/infra, read-only keys KAN_FORGEJO_REGISTRY_USERNAME and KAN_FORGEJO_REGISTRY_TOKEN.
Update RS2000 runner token-auth file out of band, mode 0600.
Run docker-publish.yml on a harmless commit or manual dispatch.
Add a short runbook note documenting rotation and rollback without secrets.

This should be handled as infra/secret work with an owner checkpoint, not as a normal Kan-ductor code PR.

Codex checkpoint: Keep open. This is still valid operational debt, but it is explicitly owner/secret/infrastructure gated. Safe boundaries: - Do not solve this by adding registry PATs to Forgejo repo secrets. - Do not paste Infisical token-auth values, registry tokens, or PATs into issues/PRs/logs/chat. - Do not rotate or issue production machine identities without Piotr approval. - Do not bundle this with Kan-ductor app deploys. Next safe implementation shape: 1. In Infisical, create/confirm a dedicated runner identity scoped to project `home-platform`, env `prod`, path `/home-platform/infra`, read-only keys `KAN_FORGEJO_REGISTRY_USERNAME` and `KAN_FORGEJO_REGISTRY_TOKEN`. 2. Update RS2000 runner token-auth file out of band, mode `0600`. 3. Run `docker-publish.yml` on a harmless commit or manual dispatch. 4. Add a short runbook note documenting rotation and rollback without secrets. This should be handled as infra/secret work with an owner checkpoint, not as a normal Kan-ductor code PR.

Iskra commented

2026-06-11 03:11:49 +02:00

Collaborator

Iskra judgment

Field	Value
Target	`pdurlej/kan-ductor#issue#87`
Priority	p1
Action	operator_needed
Scores	reach 4 / impact 5 / confidence 5
Piotr fit	high
Effort	small
Labels	`judge/p1`, `judge/operator-needed`
Judge	`iskra` via `openclaw`

Rationale: This is P1 operator-needed security hygiene because release publishing currently works through a broader-than-needed credential and should move to least privilege.

Caveat: Do not expose or rotate token material in logs; verify publish still works and keep rollback to the prior credential path explicit.

Structured openclaw.judge.v0 payload

<!-- openclaw.judge.v0 -->
{
  "confidence": 5,
  "effort_hint": "small",
  "escalation": {
    "kind": "operator",
    "reason": "Creating and rotating a narrower machine identity touches production release credentials and needs owner-approved credential handling."
  },
  "evidence_refs": [
    {
      "note": "Issue proposes narrowing the Forgejo Docker publish runner from a shared Infisical Token Auth identity to a dedicated machine identity.",
      "type": "forgejo",
      "value": "issue-title-body-labels-and-target-snapshot"
    },
    {
      "note": "Body defines minimum needed access as a specific project, environment, path, and two registry-related readable keys.",
      "type": "forgejo",
      "value": "issue-body-desired-state"
    },
    {
      "note": "Acceptance requires the runner stop using the shared Instance Admin Token Auth value and verify only the dedicated token can read required keys.",
      "type": "forgejo",
      "value": "issue-body-acceptance-criteria"
    }
  ],
  "impact": 5,
  "judge_actor": {
    "name": "iskra",
    "runtime": "openclaw"
  },
  "judged_at": "2026-06-11T01:10:00Z",
  "labels_to_apply": [
    "judge/p1",
    "judge/operator-needed"
  ],
  "piotr_fit": "high",
  "priority": "p1",
  "rationale_summary": "This is P1 operator-needed security hygiene because release publishing currently works through a broader-than-needed credential and should move to least privilege.",
  "reach": 4,
  "recommended_next_action": "operator_needed",
  "rerun_reason": "no_prior_judgment",
  "schema": "openclaw.judge.v0",
  "target": {
    "kind": "issue",
    "number": 87,
    "repo": "pdurlej/kan-ductor"
  },
  "target_snapshot": {
    "body_hash": "sha256:09804c163e578d87c8ef469e9e19247df1f8a69ef40c35e3c9ae839e88cb87d2",
    "commit_count": null,
    "evidence_hash": "sha256:532a96c64b0c0c2ae608f86dd0b2fae6d408227da45022388e3729530fded83d",
    "head_sha": null,
    "labels": [],
    "labels_hash": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "state": "open",
    "title_hash": "sha256:fa18d02ca6df7b4ea459331e0efee9f850faf0b8fd7befb391a12564890a0ceb",
    "updated_at": "2026-06-03T10:38:27+02:00"
  },
  "top_caveat": "Do not expose or rotate token material in logs; verify publish still works and keep rollback to the prior credential path explicit."
}
<!-- /openclaw.judge.v0 -->

### Iskra judgment | Field | Value | | --- | --- | | Target | `pdurlej/kan-ductor#issue#87` | | Priority | p1 | | Action | operator_needed | | Scores | reach 4 / impact 5 / confidence 5 | | Piotr fit | high | | Effort | small | | Labels | `judge/p1`, `judge/operator-needed` | | Judge | `iskra` via `openclaw` | **Rationale:** This is P1 operator-needed security hygiene because release publishing currently works through a broader-than-needed credential and should move to least privilege. **Caveat:** Do not expose or rotate token material in logs; verify publish still works and keep rollback to the prior credential path explicit. <details> <summary>Structured openclaw.judge.v0 payload</summary> ```json  { "confidence": 5, "effort_hint": "small", "escalation": { "kind": "operator", "reason": "Creating and rotating a narrower machine identity touches production release credentials and needs owner-approved credential handling." }, "evidence_refs": [ { "note": "Issue proposes narrowing the Forgejo Docker publish runner from a shared Infisical Token Auth identity to a dedicated machine identity.", "type": "forgejo", "value": "issue-title-body-labels-and-target-snapshot" }, { "note": "Body defines minimum needed access as a specific project, environment, path, and two registry-related readable keys.", "type": "forgejo", "value": "issue-body-desired-state" }, { "note": "Acceptance requires the runner stop using the shared Instance Admin Token Auth value and verify only the dedicated token can read required keys.", "type": "forgejo", "value": "issue-body-acceptance-criteria" } ], "impact": 5, "judge_actor": { "name": "iskra", "runtime": "openclaw" }, "judged_at": "2026-06-11T01:10:00Z", "labels_to_apply": [ "judge/p1", "judge/operator-needed" ], "piotr_fit": "high", "priority": "p1", "rationale_summary": "This is P1 operator-needed security hygiene because release publishing currently works through a broader-than-needed credential and should move to least privilege.", "reach": 4, "recommended_next_action": "operator_needed", "rerun_reason": "no_prior_judgment", "schema": "openclaw.judge.v0", "target": { "kind": "issue", "number": 87, "repo": "pdurlej/kan-ductor" }, "target_snapshot": { "body_hash": "sha256:09804c163e578d87c8ef469e9e19247df1f8a69ef40c35e3c9ae839e88cb87d2", "commit_count": null, "evidence_hash": "sha256:532a96c64b0c0c2ae608f86dd0b2fae6d408227da45022388e3729530fded83d", "head_sha": null, "labels": [], "labels_hash": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "state": "open", "title_hash": "sha256:fa18d02ca6df7b4ea459331e0efee9f850faf0b8fd7befb391a12564890a0ceb", "updated_at": "2026-06-03T10:38:27+02:00" }, "top_caveat": "Do not expose or rotate token material in logs; verify publish still works and keep rollback to the prior credential path explicit." }  ``` </details>

Iskra added the

judge/operator-needed

judge/p1

labels

2026-06-11 03:11:49 +02:00