brooktrails/directory-pacifier
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(ci): Fetch Harbor push creds from OpenBao, not Forgejo secrets #10

Merged
rcsheets merged 1 commit from fix/harbor-login-openbao into main 2026-04-18 04:40:37 +00:00
Conversation 1 Commits 1 Files changed 1 +18 -5
rcsheets commented 2026-04-18 04:33:41 +00:00
Owner
Copy link

The workflow referenced secrets.HARBOR_USERNAME/HARBOR_PASSWORD which
aren't configured on this repo. Switch to the same Kubernetes-auth +
OpenBao pattern used by pr-reviewer and front-door: the runner pod's
ServiceAccount token logs into OpenBao via the shared
harbor-push-brooktrails role and reads creds from
secret/data/forgejo-runners/brooktrails/harbor-push.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

The workflow referenced secrets.HARBOR_USERNAME/HARBOR_PASSWORD which aren't configured on this repo. Switch to the same Kubernetes-auth + OpenBao pattern used by pr-reviewer and front-door: the runner pod's ServiceAccount token logs into OpenBao via the shared harbor-push-brooktrails role and reads creds from secret/data/forgejo-runners/brooktrails/harbor-push. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fetch Harbor push creds from OpenBao, not Forgejo secrets
Some checks failed
test / schema-test (pull_request) Waiting to run
Details
test / go-test (pull_request) Waiting to run
Details
build / images (controlloop) (pull_request) Has been cancelled
Details
build / images (rpcserver) (pull_request) Has been cancelled
Details
4e88fd18d5 
The workflow referenced secrets.HARBOR_USERNAME/HARBOR_PASSWORD which
aren't configured on this repo. Switch to the same Kubernetes-auth +
OpenBao pattern used by pr-reviewer and front-door: the runner pod's
ServiceAccount token logs into OpenBao via the shared
harbor-push-brooktrails role and reads creds from
secret/data/forgejo-runners/brooktrails/harbor-push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
pr-reviewer-bot commented 2026-04-18 04:33:43 +00:00
Collaborator
Copy link

Automated review by pr-reviewer v0.17.0 | Safety Check | Claude Sonnet 4 | tracking id r-e309a7-89c676
This is an AI-generated review and may contain mistakes.

Status: Completed

Verdict: LGTM — The change replaces undefined Forgejo secrets with a proper OpenBao credential fetch pattern that follows established patterns in the organization.
Complexity: moderate

Safety Check Review

This PR updates the Harbor login workflow to fetch credentials from OpenBao instead of undefined Forgejo secrets. The change appears to be a straightforward fix that:

  • Replaces references to secrets.HARBOR_USERNAME/HARBOR_PASSWORD (which weren't configured) with a proper credential fetch from OpenBao
  • Uses Kubernetes ServiceAccount authentication to OpenBao via a shared role
  • Follows the same pattern used by other services (pr-reviewer and front-door) in the organization
  • Only runs on main branch pushes, maintaining the same security boundary

The implementation looks correct - it authenticates to OpenBao, fetches the Harbor credentials, and uses them for docker login. No obvious security issues or logic errors detected.

*Automated review by [pr-reviewer](https://git.brooktrails.org/brooktrails/pr-reviewer) v0.17.0 | Safety Check | Claude Sonnet 4 | tracking id `r-e309a7-89c676`* *This is an AI-generated review and may contain mistakes.* **Status:** ✅ Completed --- **✅ Verdict: LGTM** — The change replaces undefined Forgejo secrets with a proper OpenBao credential fetch pattern that follows established patterns in the organization. **Complexity:** moderate ## Safety Check Review This PR updates the Harbor login workflow to fetch credentials from OpenBao instead of undefined Forgejo secrets. The change appears to be a straightforward fix that: - Replaces references to `secrets.HARBOR_USERNAME/HARBOR_PASSWORD` (which weren't configured) with a proper credential fetch from OpenBao - Uses Kubernetes ServiceAccount authentication to OpenBao via a shared role - Follows the same pattern used by other services (pr-reviewer and front-door) in the organization - Only runs on main branch pushes, maintaining the same security boundary The implementation looks correct - it authenticates to OpenBao, fetches the Harbor credentials, and uses them for docker login. No obvious security issues or logic errors detected.
rcsheets changed title from Fetch Harbor push creds from OpenBao, not Forgejo secrets to fix(ci): Fetch Harbor push creds from OpenBao, not Forgejo secrets 2026-04-18 04:33:49 +00:00
rcsheets force-pushed fix/harbor-login-openbao from 4e88fd18d5
Some checks failed
test / schema-test (pull_request) Waiting to run
Details
test / go-test (pull_request) Waiting to run
Details
build / images (controlloop) (pull_request) Has been cancelled
Details
build / images (rpcserver) (pull_request) Has been cancelled
Details
to a95424c64b
All checks were successful
build / images (controlloop) (pull_request) Successful in 1m45s
Details
build / images (rpcserver) (pull_request) Successful in 1m38s
Details
test / go-test (pull_request) Successful in 22s
Details
test / schema-test (pull_request) Successful in 52s
Details
2026-04-18 04:34:15 +00:00 Compare
rcsheets deleted branch fix/harbor-login-openbao 2026-04-18 04:40:38 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
brooktrails/directory-pacifier!10
No description provided.