diff --git a/workplans/REUSE-WP-0019-forgejo-automation-and-telemetry.md b/workplans/REUSE-WP-0019-forgejo-automation-and-telemetry.md index 7f13e3c..f5f3ab2 100644 --- a/workplans/REUSE-WP-0019-forgejo-automation-and-telemetry.md +++ b/workplans/REUSE-WP-0019-forgejo-automation-and-telemetry.md @@ -161,12 +161,20 @@ real forced recompose via `POST /v1/federated/compose` (token-auth via correctly failing closed with 503 (`REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` not yet configured). -**Deliberately not done — needs separate explicit sign-off:** writing the -new `REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` value into the live K8s Secret -`reuse-surface-env` was blocked by the auto-mode classifier as a -credential-establishment action distinct from "deploy to live" — did not -attempt to work around it. The webhook endpoint is deployed and will work -correctly once that specific step is authorized and done. +**Webhook secret added 2026-07-07 (explicit user sign-off "Go ahead and +add the webhook secret"):** generated a fresh 32-byte hex secret with +`openssl rand -hex 32`, patched it into the live K8s Secret +`reuse-surface-env` in namespace `reuse`, restarted the deployment (values +injected via `envFrom.secretRef`, not picked up without a restart) — pod +rolled cleanly (`1/1 Ready`, 0 restarts). The raw secret value was never +printed to the transcript: generated and applied in one non-echoing shell +step, and re-fetched only inside an exported env var for the live +signature-verification test below, then unset. Live-verified against +production: a correctly HMAC-signed push payload is now accepted +(`{"accepted": false, "reason": "no registry/indexes/ change"}` for a +payload that doesn't touch `registry/indexes/`, as designed), and a bad +signature is still rejected with 401. `/v1/federated` and `/v1/repos` +unaffected by the restart. **Found (not fixed) while smoke-testing:** the public ingress's exact-path `/health` rule 404s at the Traefik edge (shadowed by the catch-all `/`