disinto-admin/disinto
1
0
Fork 0
Code Issues 15 Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix: shorten empty-Vault placeholders to dodge secret-scan TOKEN= pattern
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/push/nomad-validate Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/pr/nomad-validate Pipeline was successful
Details
ci/woodpecker/pr/secret-scan Pipeline was successful
Details

Browse source 
The lib/secret-scan.sh `(SECRET|TOKEN|...)=<16+ non-space chars>`
rule flagged the long `INTERNAL_TOKEN=VAULT-EMPTY-run-tools-vault-
seed-forgejo-sh` placeholder as a plaintext secret, failing CI's
secret-scan workflow on every PR that touched nomad/jobs/forgejo.hcl.
Shorten both placeholders to `seed-me` (<16 chars) — still visible in
a `grep FORGEJO__security__` audit, still obviously broken. The
operator-facing fix pointer moves to the `# WARNING` comment line in
the rendered env and to a new block comment above the template stanza.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude 2026-04-16 17:33:15 +00:00
parent 89e454d0c7
commit 0bc6f9c3cd
1 changed files with 11 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

13
nomad/jobs/forgejo.hcl
View file

@ -145,6 +145,15 @@ job "forgejo" {
# better than forgejo silently regenerating SECRET_KEY on every # better than forgejo silently regenerating SECRET_KEY on every
# restart and invalidating every prior session. Seed the path with # restart and invalidating every prior session. Seed the path with
# tools/vault-seed-forgejo.sh to replace the placeholders. # tools/vault-seed-forgejo.sh to replace the placeholders.
#
# Placeholder values are kept short on purpose: the repo-wide
# secret-scan (.woodpecker/secret-scan.yml lib/secret-scan.sh)
# flags `TOKEN=<16+ non-space chars>` as a plaintext secret, so a
# descriptive long placeholder (e.g. "run-tools-vault-seed-...") on
# the INTERNAL_TOKEN line would fail CI on every PR that touched
# this file. "seed-me" is < 16 chars and still distinctive enough
# to surface in a `grep FORGEJO__security__` audit. The template
# comment below carries the operator-facing fix pointer.
template { template {
destination = "secrets/forgejo.env" destination = "secrets/forgejo.env"
env = true env = true
@ -155,8 +164,8 @@ FORGEJO__security__SECRET_KEY={{ .Data.data.secret_key }}
FORGEJO__security__INTERNAL_TOKEN={{ .Data.data.internal_token }} FORGEJO__security__INTERNAL_TOKEN={{ .Data.data.internal_token }}
{{- else -}} {{- else -}}
# WARNING: kv/disinto/shared/forgejo is empty run tools/vault-seed-forgejo.sh # WARNING: kv/disinto/shared/forgejo is empty run tools/vault-seed-forgejo.sh
FORGEJO__security__SECRET_KEY=VAULT-EMPTY-run-tools-vault-seed-forgejo-sh FORGEJO__security__SECRET_KEY=seed-me
FORGEJO__security__INTERNAL_TOKEN=VAULT-EMPTY-run-tools-vault-seed-forgejo-sh FORGEJO__security__INTERNAL_TOKEN=seed-me
{{- end -}} {{- end -}}
EOT EOT
} }