Record the Vaultwarden item name for the Forgejo token in ADR-010

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
sjat 2026-05-30 21:35:24 +02:00
parent 37cece9dbd
commit 778b581729

View file

@ -24,9 +24,10 @@ held to the same standard as the rest of the repo's secrets.
### 1. API tokens are managed secrets, least-privilege
A Forgejo API token (PAT) is a secret and follows ADR-002: stored in **Vaultwarden**,
fetched via `rbw`/env, **never** written to a file or pasted into chat. Tokens are
**least-privilege** — scoped to their purpose, never admin.
A Forgejo API token (PAT) is a secret and follows ADR-002: stored in **Vaultwarden**
(item `boma-forgejo-api`), fetched via `rbw get boma-forgejo-api` (run `rbw sync`
first if it was just added), **never** written to a file or pasted into chat. Tokens
are **least-privilege** — scoped to their purpose, never admin.
Note what does *not* need a token: git push/pull (SSH key), and Terraform state
(local — ADR-006). A token for CI / registry use needs only: