From 21f99767bfcb237594925393baace2ec3a08d2fc Mon Sep 17 00:00:00 2001
From: Deeman
Date: Mon, 13 Oct 2025 20:37:28 +0200
Subject: [PATCH] Use GitLab project access token instead of SSH deploy key

More secure approach:
- Uses HTTPS with token instead of SSH keys
- Token can be rotated without touching infrastructure
- Scoped to read_repository only
- Token stored in Pulumi ESC (beanflows/prod)

Setup:
1. Create project access token in GitLab with read_repository scope
2. Add GITLAB_READ_TOKEN to Pulumi ESC
3. Bootstrap script will use it for git clone/pull
---
 infra/bootstrap_supervisor.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/infra/bootstrap_supervisor.sh b/infra/bootstrap_supervisor.sh
index 87df7b8..d867483 100755
--- a/infra/bootstrap_supervisor.sh
+++ b/infra/bootstrap_supervisor.sh
@@ -26,9 +26,18 @@ if [ "$EUID" -ne 0 ]; then
 fi
 
 # Configuration
-REPO_URL="${REPO_URL:-git@gitlab.com:deemanone/materia.git}"
 MATERIA_DIR="/opt/materia"
 REPO_DIR="$MATERIA_DIR/repo"
+GITLAB_PROJECT="deemanone/materia"
+
+# GITLAB_READ_TOKEN should be set in Pulumi ESC (beanflows/prod)
+if [ -z "${GITLAB_READ_TOKEN:-}" ]; then
+ echo "ERROR: GITLAB_READ_TOKEN environment variable not set"
+ echo "Please add it to Pulumi ESC (beanflows/prod) first"
+ exit 1
+fi
+
+REPO_URL="https://gitlab-ci-token:${GITLAB_READ_TOKEN}@gitlab.com/${GITLAB_PROJECT}.git"
 
 echo "--- Installing system dependencies ---"
 apt-get update
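Review bot: Embedding the token in REPO_URL on the last added line means every git clone/pull that uses it (those calls are outside this hunk) persists the secret in plaintext in the remote URL of `$REPO_DIR/.git/config`, and exposes it in process listings, any `set -x` trace, and git error output that echoes the URL, which undermines the rotation benefit the commit describes. Keep the URL credential-free, `REPO_URL="https://gitlab.com/${GITLAB_PROJECT}.git"`, and supply the token at use time through a credential helper that reads it from the environment, e.g. `git config --global credential.helper '!f() { printf "username=gitlab-ci-token\npassword=%s\n" "$GITLAB_READ_TOKEN"; }; f'`, so nothing secret lands on disk or in argv. The two error messages in the new `if` block go to stdout; send them to stderr with `>&2` so they are not mixed into captured output. The removed line also allowed overriding REPO_URL from the environment, which the new assignment silently drops; if that override was relied on (e.g. for a mirror), it is presumably worth keeping.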