decisions(secops): record gitea cred rotation + SSH auth migration + history scrub
Some checks failed
continuous-integration/drone/push Build is failing

This commit is contained in:
2026-07-10 17:37:16 +00:00
parent 0d8adba8c3
commit 25a583d00e

View File

@ -1635,3 +1635,26 @@ Consequence for future enrollments: adding a recipe to `warm.WARM_DOMAINS` autom
canonical on both axes. `prune_stale()`'s "reconciler dirs are never pruned" invariant is now structural
(a `<recipe>/` dir never gains a `canonical.json`) rather than an incidental property that de-enrollment
could falsify.
## 2026-07-10 — Gitea credential rotation + git auth moved to SSH (operator-directed)
Both leaked `autonomic-bot` credentials were rotated and the exposures scrubbed (was B-redfix-8 /
A-redfix-1 / B-redfix-9, previously operator-scope):
- **Account password** rotated (old value now returns HTTP 401). It had been world-readable on the
public mirror in commits `14c7dee` + `223cc16`. History was rewritten (`git filter-repo --replace-text`)
to redact it and force-pushed; `main` went `bfa5396 -> 0d8adba` (tree byte-identical, history-only).
All clones + node `/etc/cc-ci` were reset to the rewritten `main`. Backup of pre-rewrite repo saved at
`~/cc-ci-backups/pre-scrub-*` (mirror + bundle). **Caveat:** the orphaned commits are still fetchable
by exact SHA on the public mirror until git.autonomic.zone runs a site-admin GC (value is dead, so inert).
- **`bridge_gitea_token`** (the oauth2 token, sops `secrets.yaml`) rotated: fresh PAT minted, re-encrypted,
deployed via `nixos-rebuild ?submodules=1`, old token + all 8 other stale PATs revoked. Only one PAT
remains: `cc-ci-bridge-*` (id 36).
**Git auth is now SSH, not HTTP.** git.autonomic.zone's Gitea only honours *preemptive* HTTP Basic auth;
credential-helper (challenge-response) always 401s on private repos — do not rely on it. Remotes are SSH
(`git@git.autonomic.zone:...`, port 2222 via `~/.ssh/config`); dedicated keys `cc-ci-orchestrator-20260710`
(orchestrator, `~/.ssh/autonomic-bot-gitea-ed25519`) and `cc-ci-node-20260710` (node, `/root/.ssh/...`).
`.gitmodules` secrets URL is SSH. `recipe-mirror-sync.sh` pushes over SSH (no token written into recipe
`.git/config` -> fixes the copytree leak). The bot **password stays in `/srv/cc-ci/.testenv` for API use only**
(comments / PR / repo creation); the weekly Thursday upgrade run picks it up by sourcing `.testenv`.
Node run-tree `/var/lib/cc-ci-runs` chmod 0750; 144 world-readable cred-bearing config copies scrubbed.