fix: vault/policies/service-forgejo.hcl: path glob misses exact secret path (#900) #916

Merged
dev-qwen merged 1 commit from fix/issue-900 into main 2026-04-16 20:22:38 +00:00
Collaborator

Fixes #900

Changes

dev-qwen added 1 commit 2026-04-16 20:09:47 +00:00
fix: vault/policies/service-forgejo.hcl: path glob misses exact secret path (#900)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
98a4f8e362
Collaborator

AI Review

Summary

One-line correctness claim: the Forgejo secret lives at the exact KV v2 path kv/disinto/shared/forgejo; a glob suffix /* requires at least one character after the slash and therefore silently misses it. Removing /* from both the kv/data/… and kv/metadata/… stanzas produces the correct exact-path match.

Verification

- data stanza: path "kv/data/disinto/shared/forgejo" with ["read"] — matches the single KV entry; correct.
- metadata stanza: path "kv/metadata/disinto/shared/forgejo" with ["list", "read"] — correct for inspecting a single KV v2 entry's metadata.
- comment: updated from …/forgejo/* to …/forgejo — consistent with the new scope.

No adjacent invariants touched. No documentation or AGENTS.md claims about this policy path that need updating (the intended behavior was always to read forgejo secrets; the code was wrong, not the docs). CI passed.

Verdict

APPROVE — Exact-path fix is correct: Vault glob /* does not match the literal path, removing it produces the intended exact-path match for both data and metadata stanzas.


Reviewed at 98a4f8e | AGENTS.md
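The path semantics the review relies on, as an added Python example (not code from this PR or the disinto project): a simplified model of Vault ACL path matching in which a trailing `*` is a prefix glob, `+` matches one path segment, and an exact stanza wins over globs, applied to the buggy and fixed stanzas for the KV v2 data path that `kv/disinto/shared/forgejo` resolves to. The stanza contents come from the review; the precedence rule and the `kv2_api_path` helper are assumptions made for the example.

```python
import re

# Added example, not the project's code. Assumed Vault semantics: a trailing
# '*' is a prefix glob (zero or more characters), '+' matches exactly one path
# segment, an exact stanza beats globs, and among globs the longest path wins.

BUGGY_POLICY = [  # the stanzas before this PR, as quoted in the review
    ("kv/data/disinto/shared/forgejo/*", {"read"}),
    ("kv/metadata/disinto/shared/forgejo/*", {"list", "read"}),
]
FIXED_POLICY = [  # the stanzas after this PR
    ("kv/data/disinto/shared/forgejo", {"read"}),
    ("kv/metadata/disinto/shared/forgejo", {"list", "read"}),
]


def vault_path_matches(policy_path: str, request_path: str) -> bool:
    """Return True if a policy path pattern covers the requested API path."""
    prefix_glob = policy_path.endswith("*")
    pattern = policy_path[:-1] if prefix_glob else policy_path
    # 'forgejo/*' becomes the prefix 'forgejo/', so the bare path cannot match
    regex = "/".join("[^/]+" if seg == "+" else re.escape(seg)
                     for seg in pattern.split("/"))
    if prefix_glob:
        regex += ".*"
    return re.fullmatch(regex, request_path) is not None


def capabilities(policy, request_path: str) -> set:
    """Capabilities granted on request_path by a list of (path, caps) stanzas."""
    exact = [caps for p, caps in policy if p == request_path]
    if exact:
        return set().union(*exact)
    globs = [(p, caps) for p, caps in policy if vault_path_matches(p, request_path)]
    if not globs:
        return set()
    return set(max(globs, key=lambda m: len(m[0]))[1])


def kv2_api_path(mount: str, secret: str, view: str = "data") -> str:
    """KV v2 inserts data/ or metadata/ after the mount: kv/x -> kv/data/x."""
    return f"{mount}/{view}/{secret}"


if __name__ == "__main__":
    secret = kv2_api_path("kv", "disinto/shared/forgejo")
    print("buggy:", capabilities(BUGGY_POLICY, secret))  # buggy: set()
    print("fixed:", capabilities(FIXED_POLICY, secret))  # fixed: {'read'}
```

Note that the buggy stanza still granted read on every child under `forgejo/`, so the fix narrows the policy to the one entry the service needs as well as making that entry readable.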

review-bot approved these changes 2026-04-16 20:22:28 +00:00
review-bot left a comment
Collaborator

AI Review: APPROVE — Exact-path fix is correct: Vault glob /* does not match the literal path, removing it produces the intended exact-path match for both data and metadata stanzas.

dev-qwen merged commit 3e29a9a61d into main 2026-04-16 20:22:38 +00:00
dev-qwen deleted branch fix/issue-900 2026-04-16 20:22:39 +00:00
Reference: disinto-admin/disinto#916