diff --git a/docs/decisions/010-forgejo-ci.md b/docs/decisions/010-forgejo-ci.md index edeef00..8a8e15c 100644 --- a/docs/decisions/010-forgejo-ci.md +++ b/docs/decisions/010-forgejo-ci.md @@ -24,9 +24,10 @@ held to the same standard as the rest of the repo's secrets. ### 1. API tokens are managed secrets, least-privilege -A Forgejo API token (PAT) is a secret and follows ADR-002: stored in **Vaultwarden**, -fetched via `rbw`/env, **never** written to a file or pasted into chat. Tokens are -**least-privilege** — scoped to their purpose, never admin. +A Forgejo API token (PAT) is a secret and follows ADR-002: stored in **Vaultwarden** +(item `boma-forgejo-api`), fetched via `rbw get boma-forgejo-api` (run `rbw sync` +first if it was just added), **never** written to a file or pasted into chat. Tokens +are **least-privilege** — scoped to their purpose, never admin. Note what does *not* need a token: git push/pull (SSH key), and Terraform state (local — ADR-006). A token for CI / registry use needs only:
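Review bot: The rewritten paragraph drops the "env" half of the old "fetched via `rbw`/env" wording, so the ADR now names the fetch command (`rbw get boma-forgejo-api`) but no longer says how the token travels from `rbw` into the consumer, which leaves the "**never** written to a file or pasted into chat" rule without a documented safe path. Suggest keeping that half, e.g. "fetched into the environment via `rbw get boma-forgejo-api` (command substitution, never echoed to the terminal or written to disk)", so the least-privilege rule and the handling rule stay paired. The `rbw sync` hint is welcome; consider phrasing it as "if the item was just added or changed", since a stale local cache also hides rotations, not only newly created items.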