docs: require user-provisioned release credentials

cyph3rasi
2026-07-11 15:32:25 -07:00
parent 071891475b
commit 9c09a0b2b1
2 changed files with 10 additions and 4 deletions
+7 -3
@@ -12,8 +12,11 @@ The canonical repository is `githop.xyz/GnosysLabs/Hop`.
- Configure `origin` as `https://githop.xyz/GnosysLabs/Hop.git`.
- Keep Gitea Actions disabled when the instance does not have dedicated runner
capacity; Hop's release process does not depend on it.
- Create a narrowly scoped maintainer access token that can write releases.
Export it as `GITEA_TOKEN` only for the local publish command, then unset it.
- Provision a narrowly scoped maintainer access token outside the agent session
and store it in the operating system's secret store. Agents and release
scripts may use that existing credential, but must never create, rotate, list,
or revoke account tokens through Gitea's website or API. Export it as
`GITEA_TOKEN` only for the local publish command, then unset it.
- When upgrading GoReleaser, update its pinned version and four archive
checksums in `scripts/release-local.sh` from the official checksum file.
- Permit release attachment MIME types for `.tar.gz`, `.zip`, and `.txt` in
@@ -49,7 +52,8 @@ default skill destinations while preserving unrelated user files.
injected into the binaries automatically.
2. Run `scripts/release-local.sh --snapshot` and inspect the artifacts.
3. Create a signed semantic-version tag such as `v0.1.0-alpha.1` and push it.
4. Export a locally stored, scoped token: `export GITEA_TOKEN=...`.
4. Read a pre-provisioned, locally stored scoped token into `GITEA_TOKEN`.
Do not generate a task-specific token from an agent session.
5. Run `scripts/release-local.sh --publish`. It reruns race tests, vet, installer
checks, builds six platform archives, generates `checksums.txt`, and uploads
a draft without executing build work on the Gitea server.
+3 -1
@@ -38,7 +38,9 @@ public key independently. Checksum signing is listed as a launch gate in the
Release builds execute on a maintainer machine, not on the Gitea server. Use a
trusted, patched machine; keep the release token out of shell history and source
files; scope it to the Hop repository; export it only for the publish command;
and unset it immediately afterward. Releases upload as drafts for review.
and unset it immediately afterward. Releases upload as drafts for review. The
token must be provisioned by the user outside the agent session: Hop and its
agents never create, rotate, list, or revoke provider account tokens.
## Filesystem safety