docs: require user-provisioned release credentials
+7
-3
@@ -12,8 +12,11 @@ The canonical repository is `githop.xyz/GnosysLabs/Hop`.
|
|||||||
- Configure `origin` as `https://githop.xyz/GnosysLabs/Hop.git`.
|
- Configure `origin` as `https://githop.xyz/GnosysLabs/Hop.git`.
|
||||||
- Keep Gitea Actions disabled when the instance does not have dedicated runner
|
- Keep Gitea Actions disabled when the instance does not have dedicated runner
|
||||||
capacity; Hop's release process does not depend on it.
|
capacity; Hop's release process does not depend on it.
|
||||||
- Create a narrowly scoped maintainer access token that can write releases.
|
- Provision a narrowly scoped maintainer access token outside the agent session
|
||||||
Export it as `GITEA_TOKEN` only for the local publish command, then unset it.
|
and store it in the operating system's secret store. Agents and release
|
||||||
|
scripts may use that existing credential, but must never create, rotate, list,
|
||||||
|
or revoke account tokens through Gitea's website or API. Export it as
|
||||||
|
`GITEA_TOKEN` only for the local publish command, then unset it.
|
||||||
- When upgrading GoReleaser, update its pinned version and four archive
|
- When upgrading GoReleaser, update its pinned version and four archive
|
||||||
checksums in `scripts/release-local.sh` from the official checksum file.
|
checksums in `scripts/release-local.sh` from the official checksum file.
|
||||||
- Permit release attachment MIME types for `.tar.gz`, `.zip`, and `.txt` in
|
- Permit release attachment MIME types for `.tar.gz`, `.zip`, and `.txt` in
|
||||||
@@ -49,7 +52,8 @@ default skill destinations while preserving unrelated user files.
|
|||||||
injected into the binaries automatically.
|
injected into the binaries automatically.
|
||||||
2. Run `scripts/release-local.sh --snapshot` and inspect the artifacts.
|
2. Run `scripts/release-local.sh --snapshot` and inspect the artifacts.
|
||||||
3. Create a signed semantic-version tag such as `v0.1.0-alpha.1` and push it.
|
3. Create a signed semantic-version tag such as `v0.1.0-alpha.1` and push it.
|
||||||
4. Export a locally stored, scoped token: `export GITEA_TOKEN=...`.
|
4. Read a pre-provisioned, locally stored scoped token into `GITEA_TOKEN`.
|
||||||
|
Do not generate a task-specific token from an agent session.
|
||||||
5. Run `scripts/release-local.sh --publish`. It reruns race tests, vet, installer
|
5. Run `scripts/release-local.sh --publish`. It reruns race tests, vet, installer
|
||||||
checks, builds six platform archives, generates `checksums.txt`, and uploads
|
checks, builds six platform archives, generates `checksums.txt`, and uploads
|
||||||
a draft without executing build work on the Gitea server.
|
a draft without executing build work on the Gitea server.
|
||||||
|
|||||||
+3
-1
@@ -38,7 +38,9 @@ public key independently. Checksum signing is listed as a launch gate in the
|
|||||||
Release builds execute on a maintainer machine, not on the Gitea server. Use a
|
Release builds execute on a maintainer machine, not on the Gitea server. Use a
|
||||||
trusted, patched machine; keep the release token out of shell history and source
|
trusted, patched machine; keep the release token out of shell history and source
|
||||||
files; scope it to the Hop repository; export it only for the publish command;
|
files; scope it to the Hop repository; export it only for the publish command;
|
||||||
and unset it immediately afterward. Releases upload as drafts for review.
|
and unset it immediately afterward. Releases upload as drafts for review. The
|
||||||
|
token must be provisioned by the user outside the agent session: Hop and its
|
||||||
|
agents never create, rotate, list, or revoke provider account tokens.
|
||||||
|
|
||||||
## Filesystem safety
|
## Filesystem safety
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user