build: strip Gitea token from pallas patch URLs + add cargo config

Hard rule from Sulkta 2026-05-06: zero secrets hardcoded in committed
source. The [patch.crates-io] block had the sulkta Gitea PAT embedded
in the URL, which cargo then duplicated into Cargo.lock's source URLs.

Fix:
- Cargo.toml [patch.crates-io] URLs are now tokenless
  (https://git.sulkta.com/...)
- Cargo.lock source URLs scrubbed to match
- .cargo/config.toml adds [net] git-fetch-with-cli = true so cargo
  defers to system git for fetches; system git authenticates via
  the user's git credential helper (the git credentials file chmod 600).

Operators (devs + ci-runner runner) need a working git credential
helper for the LAN Gitea, configured out-of-band (NOT in this repo).
Pattern: `git config --global credential.helper store` +
`echo http://USER:TOKEN@git.sulkta.com > the git credentials file &&
chmod 600 the git credentials file`. After Sulkta rotates the sulkta PAT,
update that file on every host that builds aldabra.
This commit is contained in:
Sulkta 2026-05-06 07:45:37 -07:00
parent eb48a5cf3e
commit 86a2787b7c

8
.cargo/config.toml Normal file
View file

@ -0,0 +1,8 @@
# Use system git for fetch (respects ~/.git-credentials and SSH keys),
# so credentials never get baked into Cargo.lock URLs.
#
# Required because the [patch.crates-io] block in Cargo.toml points at
# the LAN-only Sulkta-Coop/pallas fork. Without this, cargo's internal
# libgit2 client would prompt for creds and bake them into Cargo.lock.
[net]
git-fetch-with-cli = true