Issue CI/CD .forgejo security #7
Labels
No labels
Compat/Breaking
Compat/Deprecation
Kind
Bug
Kind
Chore
Kind
Documentation
Kind
Enhancement
Kind
Feature
Kind
Investigation
Kind
Question
Kind
Security
Kind
Testing
Meta/Good First Issue
Meta/Help Wanted
Meta/Stale
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Resolution
Confirmed
Resolution
Duplicate
Resolution
Invalid
Resolution
Won't Fix
Status
Abandoned
Status
Blocked
Status
Needs More Info
Status
Needs Triage
No milestone
No project
No assignees
1 participant
Notifications
Total time spent: 1 hour 5 minutes
Due date
Xeplosion
1 hour 5 minutes
No due date set.
Dependencies
No dependencies set.
Reference
XeplosionGames/.forgejo#7
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Type of chore
Security hardening
What needs doing and why?
The current CI/CD setup uses a single shared
cicduser with org-level SSH credentials(
SSH_PRIVATE_KEY,SSH_USER) inherited by all repos. This means any repo's workflowhas the same server access as every other repo — a compromised workflow or stolen secret
can reach all services.
The planned security model (documented in
INFRASTRUCTURE-VPS.mdandINFRASTRUCTURE-HUB.mdon the
docsbranch) calls for full per-repo isolation on the Forgejo side. The followingwork is outstanding:
Deploy keys
SSH_PRIVATE_KEYin each repo's secrets (not org-level)SSH_PRIVATE_KEYandSSH_USERfrom org-level secrets once all repos are migratedPer-repo secrets
SSH_USERper repo to the correct service user (e.g.svc-nginx,svc-mc-survival)RELEASE_TOKENper repo using a Forgejo application token scoped to that repo onlyDEPLOY_TARGETis set per repo (vpsorhub)SSH_PORT,VPS_HOST,HUB_HOSTto org-level variables (non-secret)CODEOWNERS
.forgejo/CODEOWNERSis present onmainwith.* @xeplosion.forgejo/CODEOWNERSwith.* @xeplosionto each template branchSync token
SYNC_TOKENis scoped to.forgejorepo only, not org-levelRisk or impact
Until this is done, all service repos share the same server credentials. A malicious
or accidental change in any workflow can affect any service on either server. The org-level
SSH_PRIVATE_KEYis the primary risk — it should not exist at org level once per-repokeys are in place.
No production behaviour changes. This is credential and permission restructuring only.
Additional context
Security model reference:
docsbranch →INFRASTRUCTURE-VPS.md,INFRASTRUCTURE-HUB.mdDeploy key generation per service:
Checklist