Use GitLab project access token instead of SSH deploy key

More secure approach:
- Uses HTTPS with token instead of SSH keys
- Token can be rotated without touching infrastructure
- Scoped to read_repository only
- Token stored in Pulumi ESC (beanflows/prod)

Setup:
1. Create project access token in GitLab with read_repository scope
2. Add GITLAB_READ_TOKEN to Pulumi ESC
3. Bootstrap script will use it for git clone/pull
This commit is contained in:
Deeman
2025-10-13 20:37:28 +02:00
parent f46fd53d38
commit 21f99767bf


@@ -26,9 +26,18 @@ if [ "$EUID" -ne 0 ]; then
fi fi
# Configuration # Configuration
REPO_URL="${REPO_URL:-git@gitlab.com:deemanone/materia.git}"
MATERIA_DIR="/opt/materia" MATERIA_DIR="/opt/materia"
REPO_DIR="$MATERIA_DIR/repo" REPO_DIR="$MATERIA_DIR/repo"
GITLAB_PROJECT="deemanone/materia"
# GITLAB_READ_TOKEN should be set in Pulumi ESC (beanflows/prod)
if [ -z "${GITLAB_READ_TOKEN:-}" ]; then
echo "ERROR: GITLAB_READ_TOKEN environment variable not set"
echo "Please add it to Pulumi ESC (beanflows/prod) first"
exit 1
fi
REPO_URL="https://gitlab-ci-token:${GITLAB_READ_TOKEN}@gitlab.com/${GITLAB_PROJECT}.git"
echo "--- Installing system dependencies ---" echo "--- Installing system dependencies ---"
apt-get update apt-get update
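Review bot: The new `REPO_URL="https://gitlab-ci-token:${GITLAB_READ_TOKEN}@gitlab.com/..."` line puts the token into the clone URL itself, so git will persist it in plaintext in `/opt/materia/repo/.git/config`, expose it through `git remote -v`, `ps` (it is in argv of the clone) and any `set -x` trace, and every later `git pull` on the host reuses that stored copy — which also undercuts the commit's "rotated without touching infrastructure" claim, since each host's remote URL would still hold the old token. Keep the URL credential-free and hand the token to git via an in-process credential helper that reads it from the environment, so nothing secret lands on disk or in process listings; the `git clone`/`git pull` calls that consume `REPO_URL` are outside this hunk and would need to go through the wrapper. The `gitlab-ci-token` username is the one GitLab documents for CI job tokens; a project access token presumably authenticates with any username, but a name such as `oauth2` or the token's own name would be less misleading. The two `echo` diagnostics should also go to stderr (`>&2`) so the token-missing error is not mixed into stdout.
```shell
# Credential-free URL: the token must not end up in .git/config, `git remote -v`, argv or `set -x` output.
REPO_URL="https://gitlab.com/${GITLAB_PROJECT}.git"
export GITLAB_READ_TOKEN

# git_auth: run git with a credential helper that reads the token from the environment.
# The helper text in argv only names the variable; the value is never on the command line.
git_auth() {
  git -c credential.helper='!f() { printf "username=oauth2\npassword=%s\n" "$GITLAB_READ_TOKEN"; }; f' "$@"
}
# … clone/pull (outside this hunk) become: git_auth clone "$REPO_URL" "$REPO_DIR" / git_auth -C "$REPO_DIR" pull …
```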