Hard rule from Sulkta 2026-05-06: zero secrets hardcoded in committed source. The [patch.crates-io] block had the sulkta Gitea PAT embedded in the URL, which cargo then duplicated into Cargo.lock's source URLs. Fix: - Cargo.toml [patch.crates-io] URLs are now tokenless (https://git.sulkta.com/...) - Cargo.lock source URLs scrubbed to match - .cargo/config.toml adds [net] git-fetch-with-cli = true so cargo defers to system git for fetches; system git authenticates via the user's git credential helper (the git credentials file chmod 600). Operators (devs + ci-runner runner) need a working git credential helper for the LAN Gitea, configured out-of-band (NOT in this repo). Pattern: `git config --global credential.helper store` + `echo http://USER:TOKEN@git.sulkta.com > the git credentials file && chmod 600 the git credentials file`. After Sulkta rotates the sulkta PAT, update that file on every host that builds aldabra. |
||
|---|---|---|
| .. | ||
| config.toml | ||