From 0bc6f9c3cdd7f1aab2e585572c685c33417883cf Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Thu, 16 Apr 2026 17:33:15 +0000
Subject: [PATCH] fix: shorten empty-Vault placeholders to dodge secret-scan
 TOKEN= pattern
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The lib/secret-scan.sh `(SECRET|TOKEN|...)=<16+ non-space chars>`
rule flagged the long `INTERNAL_TOKEN=VAULT-EMPTY-run-tools-vault-
seed-forgejo-sh` placeholder as a plaintext secret, failing CI's
secret-scan workflow on every PR that touched nomad/jobs/forgejo.hcl.
Shorten both placeholders to `seed-me` (<16 chars) — still visible in
a `grep FORGEJO__security__` audit, still obviously broken. The
operator-facing fix pointer moves to the `# WARNING` comment line in
the rendered env and to a new block comment above the template stanza.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 nomad/jobs/forgejo.hcl | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/nomad/jobs/forgejo.hcl b/nomad/jobs/forgejo.hcl
index 11ae812..ec1d3ae 100644
--- a/nomad/jobs/forgejo.hcl
+++ b/nomad/jobs/forgejo.hcl
@@ -145,6 +145,15 @@ job "forgejo" {
       # better than forgejo silently regenerating SECRET_KEY on every
       # restart and invalidating every prior session. Seed the path with
       # tools/vault-seed-forgejo.sh to replace the placeholders.
+      #
+      # Placeholder values are kept short on purpose: the repo-wide
+      # secret-scan (.woodpecker/secret-scan.yml → lib/secret-scan.sh)
+      # flags `TOKEN=<16+ non-space chars>` as a plaintext secret, so a
+      # descriptive long placeholder (e.g. "run-tools-vault-seed-...") on
+      # the INTERNAL_TOKEN line would fail CI on every PR that touched
+      # this file. "seed-me" is < 16 chars and still distinctive enough
+      # to surface in a `grep FORGEJO__security__` audit. The template
+      # comment below carries the operator-facing fix pointer.
       template {
         destination = "secrets/forgejo.env"
         env         = true
@@ -155,8 +164,8 @@ FORGEJO__security__SECRET_KEY={{ .Data.data.secret_key }}
 FORGEJO__security__INTERNAL_TOKEN={{ .Data.data.internal_token }}
 {{- else -}}
 # WARNING: kv/disinto/shared/forgejo is empty — run tools/vault-seed-forgejo.sh
-FORGEJO__security__SECRET_KEY=VAULT-EMPTY-run-tools-vault-seed-forgejo-sh
-FORGEJO__security__INTERNAL_TOKEN=VAULT-EMPTY-run-tools-vault-seed-forgejo-sh
+FORGEJO__security__SECRET_KEY=seed-me
+FORGEJO__security__INTERNAL_TOKEN=seed-me
 {{- end -}}
 EOT
       }