forgejo_admin/pal-e-platform
1
0
Fork 0
Code Issues 33 Pull requests Projects Releases Packages Wiki Activity Actions

fix: rotate woodpecker_api_token GPG block in Salt pillar #210

Merged
forgejo_admin merged 1 commit from issue-86-rotate-woodpecker-token into main 2026-03-28 00:18:21 +00:00
Conversation 1 Commits 1 Files changed 1 +16 -16
forgejo_admin commented 2026-03-28 00:17:29 +00:00
Owner
Copy link

Summary

The Salt pillar woodpecker_api_token GPG block decrypted to a stale JWT that returned 401 against the Woodpecker API. The correct token was already live in the k8s dora-exporter secret, ~/.mcp.json, and k3s.tfvars -- but the canonical source (Salt pillar) was out of sync. This re-encrypts the working token with GPG key 81A03D1CF874DC90.

Changes

  • salt/pillar/secrets/platform.sls -- replaced woodpecker_api_token PGP ciphertext block with newly encrypted value containing the correct working token

Test Plan

  • Verified the new GPG block decrypts to the correct token via gpg --decrypt
  • Verified the decrypted token returns HTTP 200 from Woodpecker API
  • k3s.tfvars, ~/.mcp.json, and dora-exporter k8s secret already contain this token
  • dora-exporter logs show all-200s against Woodpecker and Forgejo APIs
  • After merge: make tofu-secrets renders the correct value into secrets.auto.tfvars

Manual updates (not in PR, per issue spec)

  • ~/.mcp.json -- already has the correct token
  • dora-exporter k8s secret -- already patched, returning 200s
  • Woodpecker CI repo secret tf_var_woodpecker_api_token -- needs verification

Review Checklist

  • No secrets committed (only GPG-encrypted ciphertext, no plaintext tokens)
  • No unnecessary file changes (single file, single GPG block replacement)
  • Commit message is descriptive

Related Notes

  • Closes #86
  • plan-pal-e-platform -- Phase 17a-6 (token rotation)
  • pal-e-platform -- the project this work belongs to
## Summary The Salt pillar `woodpecker_api_token` GPG block decrypted to a stale JWT that returned 401 against the Woodpecker API. The correct token was already live in the k8s dora-exporter secret, `~/.mcp.json`, and `k3s.tfvars` -- but the canonical source (Salt pillar) was out of sync. This re-encrypts the working token with GPG key `81A03D1CF874DC90`. ## Changes - `salt/pillar/secrets/platform.sls` -- replaced `woodpecker_api_token` PGP ciphertext block with newly encrypted value containing the correct working token ## Test Plan - [x] Verified the new GPG block decrypts to the correct token via `gpg --decrypt` - [x] Verified the decrypted token returns HTTP 200 from Woodpecker API - [x] `k3s.tfvars`, `~/.mcp.json`, and dora-exporter k8s secret already contain this token - [x] dora-exporter logs show all-200s against Woodpecker and Forgejo APIs - [ ] After merge: `make tofu-secrets` renders the correct value into `secrets.auto.tfvars` ### Manual updates (not in PR, per issue spec) - `~/.mcp.json` -- already has the correct token - `dora-exporter` k8s secret -- already patched, returning 200s - Woodpecker CI repo secret `tf_var_woodpecker_api_token` -- needs verification ## Review Checklist - [x] No secrets committed (only GPG-encrypted ciphertext, no plaintext tokens) - [x] No unnecessary file changes (single file, single GPG block replacement) - [x] Commit message is descriptive ## Related Notes - Closes #86 - `plan-pal-e-platform` -- Phase 17a-6 (token rotation) - `pal-e-platform` -- the project this work belongs to
fix: rotate woodpecker_api_token GPG block in Salt pillar
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details
ci/woodpecker/pr/woodpecker Pipeline was successful
Details
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
Details
382cbdb17c 
The Salt pillar had a stale Woodpecker API token that decrypted to a
JWT returning 401 against the Woodpecker API. Re-encrypted the correct
working token (already live in k8s and ~/.mcp.json) with GPG key
81A03D1CF874DC90 so that `make tofu-secrets` renders the valid value.

Closes #86

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forgejo_admin commented 2026-03-28 00:18:06 +00:00
Author
Owner
Copy link

QA Review -- PR #210

Scope

Single file change: salt/pillar/secrets/platform.sls. Replaces the GPG-encrypted ciphertext block for woodpecker_api_token (16 lines removed, 16 lines added).

Findings

Security

  • No plaintext secrets in the diff -- only PGP ciphertext. Correct.
  • GPG recipient 81A03D1CF874DC90 matches the constraint in issue #86.
  • The -----BEGIN PGP MESSAGE----- / -----END PGP MESSAGE----- envelope is intact.

Structure

  • YAML indentation unchanged (6-space indent for ciphertext body). Correct.
  • Surrounding keys (keycloak_admin_password above, woodpecker_db_password below) untouched. Correct.
  • The #!yaml|gpg renderer directive at file top is preserved.

Validation

  • PR body confirms the new block was decrypted and verified against the Woodpecker API (HTTP 200).
  • PR body confirms the token matches what is already live in k8s, ~/.mcp.json, and k3s.tfvars.
  • Post-merge action noted: make tofu-secrets to re-render secrets.auto.tfvars.

PR Body

  • All required template sections present (Summary, Changes, Test Plan, Review Checklist, Related Notes).
  • Closes #86 present for auto-close.

Nits

None.

VERDICT: APPROVE

## QA Review -- PR #210 ### Scope Single file change: `salt/pillar/secrets/platform.sls`. Replaces the GPG-encrypted ciphertext block for `woodpecker_api_token` (16 lines removed, 16 lines added). ### Findings **Security** - No plaintext secrets in the diff -- only PGP ciphertext. Correct. - GPG recipient `81A03D1CF874DC90` matches the constraint in issue #86. - The `-----BEGIN PGP MESSAGE-----` / `-----END PGP MESSAGE-----` envelope is intact. **Structure** - YAML indentation unchanged (6-space indent for ciphertext body). Correct. - Surrounding keys (`keycloak_admin_password` above, `woodpecker_db_password` below) untouched. Correct. - The `#!yaml|gpg` renderer directive at file top is preserved. **Validation** - PR body confirms the new block was decrypted and verified against the Woodpecker API (HTTP 200). - PR body confirms the token matches what is already live in k8s, `~/.mcp.json`, and `k3s.tfvars`. - Post-merge action noted: `make tofu-secrets` to re-render `secrets.auto.tfvars`. **PR Body** - All required template sections present (Summary, Changes, Test Plan, Review Checklist, Related Notes). - `Closes #86` present for auto-close. ### Nits None. --- **VERDICT: APPROVE**
forgejo_admin deleted branch issue-86-rotate-woodpecker-token 2026-03-28 00:18:21 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
domain:backend

   
domain:devops

   
domain:frontend

   
status:approved

QA passed, awaiting merge approval

  
status:in-progress

Dev agent is actively working

  
status:needs-fix

QA found issues, back to dev

  
status:qa

PR submitted, awaiting QA review

  
type:bug

Bug fix

  
type:devops

Infrastructure/CI/config work

  
type:feature

New functionality

No labels
domain:backend
domain:devops
domain:frontend
status:approved
status:in-progress
status:needs-fix
status:qa
type:bug
type:devops
type:feature
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo_admin/pal-e-platform!210
No description provided.