From a3a842138c81dc2e649e0fcde2d0661d0f8ce47d Mon Sep 17 00:00:00 2001 From: Kayos Date: Wed, 6 May 2026 07:45:37 -0700 Subject: [PATCH] build: strip Gitea token from pallas patch URLs + add cargo config Hard rule from Cobb 2026-05-06: zero secrets hardcoded in committed source. The [patch.crates-io] block had the kayos Gitea PAT embedded in the URL, which cargo then duplicated into Cargo.lock's source URLs. Fix: - Cargo.toml [patch.crates-io] URLs are now tokenless (http://192.168.0.5:3001/...) - Cargo.lock source URLs scrubbed to match - .cargo/config.toml adds [net] git-fetch-with-cli = true so cargo defers to system git for fetches; system git authenticates via the user's git credential helper (~/.git-credentials chmod 600). Operators (devs + crafting-table runner) need a working git credential helper for the LAN Gitea, configured out-of-band (NOT in this repo). Pattern: `git config --global credential.helper store` + `echo http://USER:TOKEN@192.168.0.5:3001 > ~/.git-credentials && chmod 600 ~/.git-credentials`. After Cobb rotates the kayos PAT, update that file on every host that builds aldabra. --- .cargo/config.toml | 8 ++++++++ Cargo.lock | 14 +++++++------- Cargo.toml | 14 +++++++------- 3 files changed, 22 insertions(+), 14 deletions(-) create mode 100644 .cargo/config.toml
diff --git a/.cargo/config.toml b/.cargo/config.toml
new file mode 100644
index 0000000..29463db
--- /dev/null
+++ b/.cargo/config.toml
@@ -0,0 +1,8 @@
+# Use system git for fetch (respects ~/.git-credentials and SSH keys),
+# so credentials never get baked into Cargo.lock URLs.
+#
+# Required because the [patch.crates-io] block in Cargo.toml points at
+# the LAN-only Sulkta-Coop/pallas fork. Without this, cargo's internal
+# libgit2 client would prompt for creds and bake them into Cargo.lock.
+[net]
+git-fetch-with-cli = true
diff --git a/Cargo.lock b/Cargo.lock
index 8246cae..4f3c7a0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
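Review bot: The last sentence of the new comment in .cargo/config.toml gives a cause that the rest of the patch does not support: the Cargo.toml and Cargo.lock hunks show the token reaching `source` because it was written into the `git = ` URLs, not because cargo's built-in client prompted for it. I would replace that sentence with `# Authentication comes from each build host's own git setup (credential helper or SSH key); no credential belongs in Cargo.toml or Cargo.lock.` so a later maintainer does not conclude that this setting alone prevents a token from being pasted into a URL again. It would also help to state in the comment that the host-side credential setup is a build prerequisite, since that is currently recorded only in the commit message.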
@@ -1253,7 +1253,7 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 [[package]]
 name = "pallas-addresses"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
 "base58",
 "bech32",
@@ -1268,7 +1268,7 @@ dependencies = [
 [[package]]
 name = "pallas-codec"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
 "hex",
 "minicbor",
@@ -1279,7 +1279,7 @@ dependencies = [
 [[package]]
 name = "pallas-crypto"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
 "cryptoxide",
 "hex",
@@ -1293,7 +1293,7 @@ dependencies = [
 [[package]]
 name = "pallas-primitives"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
 "base58",
 "bech32",
@@ -1308,7 +1308,7 @@ dependencies = [
 [[package]]
 name = "pallas-traverse"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
 "hex",
 "itertools",
@@ -1324,7 +1324,7 @@ dependencies = [
 [[package]]
 name = "pallas-txbuilder"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
 "hex",
 "pallas-addresses",
@@ -1341,7 +1341,7 @@ dependencies = [
 [[package]]
 name = "pallas-wallet"
 version = "0.32.1"
-source = "git+http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
+source = "git+http://192.168.0.5:3001/Sulkta-Coop/pallas.git?branch=feat-aux-data#507fd9da15f1239ff2df866e0d7601d4518e83a3"
 dependencies = [
 "bech32",
 "bip39",
diff --git a/Cargo.toml b/Cargo.toml
index 37a6908..f0330e8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -101,10 +101,10 @@ rpassword = "7"
 # against the same commit. PR upstream pending; switch back to
 # crates.io once merged.
 [patch.crates-io]
-pallas-codec = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-crypto = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-primitives = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-traverse = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-addresses = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-wallet = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
-pallas-txbuilder = { git = "http://kayos:***REDACTED***@192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-codec = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-crypto = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-primitives = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-traverse = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-addresses = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-wallet = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
+pallas-txbuilder = { git = "http://192.168.0.5:3001/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }
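Review bot: All seven rewritten `git = "http://192.168.0.5:3001/..."` entries in Cargo.toml still use plain HTTP, so the token that system git now supplies from the credential helper presumably travels unencrypted on every fetch, and the pallas sources (pallas-crypto and pallas-wallet among them) arrive with no transport protection. If the Gitea instance can serve TLS, switching the scheme, e.g. `pallas-codec = { git = "https://<gitea-host>/Sulkta-Coop/pallas.git", branch = "feat-aux-data" }` (host is a placeholder), would close that gap. Separately, the entries track `branch = "feat-aux-data"` while Cargo.lock pins one commit; replacing `branch` with `rev = "507fd9da15f1239ff2df866e0d7601d4518e83a3"` would keep a `cargo update` from silently moving to whatever the branch head is at the time. The comment that explains this `[patch.crates-io]` table begins above the hunk.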