Kayos
a3a842138c
Hard rule from Cobb 2026-05-06: zero secrets hardcoded in committed source. The [patch.crates-io] block had the kayos Gitea PAT embedded in the URL, which cargo then duplicated into Cargo.lock's source URLs. Fix: - Cargo.toml [patch.crates-io] URLs are now tokenless (http://192.168.0.5:3001/...) - Cargo.lock source URLs scrubbed to match - .cargo/config.toml adds [net] git-fetch-with-cli = true so cargo defers to system git for fetches; system git authenticates via the user's git credential helper (~/.git-credentials chmod 600). Operators (devs + crafting-table runner) need a working git credential helper for the LAN Gitea, configured out-of-band (NOT in this repo). Pattern: `git config --global credential.helper store` + `echo http://USER:TOKEN@192.168.0.5:3001 > ~/.git-credentials && chmod 600 ~/.git-credentials`. After Cobb rotates the kayos PAT, update that file on every host that builds aldabra.
8 lines
373 B
TOML
8 lines
373 B
TOML
# Use system git for fetch (respects ~/.git-credentials and SSH keys),
|
|
# so credentials never get baked into Cargo.lock URLs.
|
|
#
|
|
# Required because the [patch.crates-io] block in Cargo.toml points at
|
|
# the LAN-only Sulkta-Coop/pallas fork. Without this, cargo's internal
|
|
# libgit2 client would prompt for creds and bake them into Cargo.lock.
|
|
[net]
|
|
git-fetch-with-cli = true
|