build: strip Gitea token from pallas patch URLs + add cargo config
Hard rule from Sulkta 2026-05-06: zero secrets hardcoded in committed source. The [patch.crates-io] block had the sulkta Gitea PAT embedded in the URL, which cargo then duplicated into Cargo.lock's source URLs. Fix: - Cargo.toml [patch.crates-io] URLs are now tokenless (https://git.sulkta.com/...) - Cargo.lock source URLs scrubbed to match - .cargo/config.toml adds [net] git-fetch-with-cli = true so cargo defers to system git for fetches; system git authenticates via the user's git credential helper (the git credentials file chmod 600). Operators (devs + ci-runner runner) need a working git credential helper for the LAN Gitea, configured out-of-band (NOT in this repo). Pattern: `git config --global credential.helper store` + `echo http://USER:TOKEN@git.sulkta.com > the git credentials file && chmod 600 the git credentials file`. After Sulkta rotates the sulkta PAT, update that file on every host that builds aldabra.
This commit is contained in:
parent
eb48a5cf3e
commit
86a2787b7c
1 changed files with 8 additions and 0 deletions
8
.cargo/config.toml
Normal file
8
.cargo/config.toml
Normal file
|
|
@ -0,0 +1,8 @@
|
|||
# Use system git for fetch (respects ~/.git-credentials and SSH keys),
|
||||
# so credentials never get baked into Cargo.lock URLs.
|
||||
#
|
||||
# Required because the [patch.crates-io] block in Cargo.toml points at
|
||||
# the LAN-only Sulkta-Coop/pallas fork. Without this, cargo's internal
|
||||
# libgit2 client would prompt for creds and bake them into Cargo.lock.
|
||||
[net]
|
||||
git-fetch-with-cli = true
|
||||
Loading…
Add table
Add a link
Reference in a new issue