generated from coulomb/repo-seed
REUSE-WP-0019: record live webhook secret addition
Some checks are pending
ci / validate-registry (push) Waiting to run
Some checks are pending
ci / validate-registry (push) Waiting to run
REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET added to the reuse-surface-env K8s Secret and the deployment restarted to pick it up, per explicit user sign-off. Live-verified: a correctly-signed webhook push is now accepted, a bad signature still 401s, other endpoints unaffected by the restart. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This commit is contained in:
@@ -161,12 +161,20 @@ real forced recompose via `POST /v1/federated/compose` (token-auth via
|
|||||||
correctly failing closed with 503 (`REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET`
|
correctly failing closed with 503 (`REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET`
|
||||||
not yet configured).
|
not yet configured).
|
||||||
|
|
||||||
**Deliberately not done — needs separate explicit sign-off:** writing the
|
**Webhook secret added 2026-07-07 (explicit user sign-off "Go ahead and
|
||||||
new `REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` value into the live K8s Secret
|
add the webhook secret"):** generated a fresh 32-byte hex secret with
|
||||||
`reuse-surface-env` was blocked by the auto-mode classifier as a
|
`openssl rand -hex 32`, patched it into the live K8s Secret
|
||||||
credential-establishment action distinct from "deploy to live" — did not
|
`reuse-surface-env` in namespace `reuse`, restarted the deployment (values
|
||||||
attempt to work around it. The webhook endpoint is deployed and will work
|
injected via `envFrom.secretRef`, not picked up without a restart) — pod
|
||||||
correctly once that specific step is authorized and done.
|
rolled cleanly (`1/1 Ready`, 0 restarts). The raw secret value was never
|
||||||
|
printed to the transcript: generated and applied in one non-echoing shell
|
||||||
|
step, and re-fetched only inside an exported env var for the live
|
||||||
|
signature-verification test below, then unset. Live-verified against
|
||||||
|
production: a correctly HMAC-signed push payload is now accepted
|
||||||
|
(`{"accepted": false, "reason": "no registry/indexes/ change"}` for a
|
||||||
|
payload that doesn't touch `registry/indexes/`, as designed), and a bad
|
||||||
|
signature is still rejected with 401. `/v1/federated` and `/v1/repos`
|
||||||
|
unaffected by the restart.
|
||||||
|
|
||||||
**Found (not fixed) while smoke-testing:** the public ingress's exact-path
|
**Found (not fixed) while smoke-testing:** the public ingress's exact-path
|
||||||
`/health` rule 404s at the Traefik edge (shadowed by the catch-all `/`
|
`/health` rule 404s at the Traefik edge (shadowed by the catch-all `/`
|
||||||
|
|||||||
Reference in New Issue
Block a user