Record the Vaultwarden item name for the Forgejo token in ADR-010
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent
37cece9dbd
commit
778b581729
1 changed files with 4 additions and 3 deletions
|
|
@ -24,9 +24,10 @@ held to the same standard as the rest of the repo's secrets.
|
||||||
|
|
||||||
### 1. API tokens are managed secrets, least-privilege
|
### 1. API tokens are managed secrets, least-privilege
|
||||||
|
|
||||||
A Forgejo API token (PAT) is a secret and follows ADR-002: stored in **Vaultwarden**,
|
A Forgejo API token (PAT) is a secret and follows ADR-002: stored in **Vaultwarden**
|
||||||
fetched via `rbw`/env, **never** written to a file or pasted into chat. Tokens are
|
(item `boma-forgejo-api`), fetched via `rbw get boma-forgejo-api` (run `rbw sync`
|
||||||
**least-privilege** — scoped to their purpose, never admin.
|
first if it was just added), **never** written to a file or pasted into chat. Tokens
|
||||||
|
are **least-privilege** — scoped to their purpose, never admin.
|
||||||
|
|
||||||
Note what does *not* need a token: git push/pull (SSH key), and Terraform state
|
Note what does *not* need a token: git push/pull (SSH key), and Terraform state
|
||||||
(local — ADR-006). A token for CI / registry use needs only:
|
(local — ADR-006). A token for CI / registry use needs only:
|
||||||
|
|
|
||||||
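Review bot: The rewritten token paragraph replaces "fetched via `rbw`/env" with "fetched via `rbw get boma-forgejo-api`", which drops the env half, so the ADR no longer says where the fetched value is meant to go. Since the same sentence forbids writing it to a file or pasting it into chat, I would restore that, for example "fetched via `rbw get boma-forgejo-api` into an environment variable". Separately, the paragraph now names a single item, `boma-forgejo-api`, while still saying tokens (plural) are scoped to their purpose; please state which purpose and scopes this item's token carries, or give the naming pattern for per-purpose items, so a reader does not take one item as the token for every use.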