diff options
author | Franck Cuny <franck@fcuny.net> | 2022-06-09 13:54:35 -0700 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2022-06-09 14:10:19 -0700 |
commit | 13ab97b5529fc78f08692e210851413459d96d4f (patch) | |
tree | dd7811a1e866d4905c37d6f5fe27c981a7da78e1 /hosts/tahoe/secrets | |
parent | feat(gerrit-hook): propagate gerrit information in the environment (diff) | |
download | world-13ab97b5529fc78f08692e210851413459d96d4f.tar.gz |
fix(secrets): buildKite agents can read gerrit secrets
We need to ensure the agents can read the secrets / tokens to vote after a build. Change-Id: I066c2482a795b21badaa9cc3c525373d7945b084 Reviewed-on: https://cl.fcuny.net/c/world/+/341 Reviewed-by: Franck Cuny <franck@fcuny.net>
Diffstat (limited to 'hosts/tahoe/secrets')
-rw-r--r-- | hosts/tahoe/secrets/secrets.nix | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix index 8776e6a..79273b8 100644 --- a/hosts/tahoe/secrets/secrets.nix +++ b/hosts/tahoe/secrets/secrets.nix @@ -21,9 +21,13 @@ in { mode = "0440"; }; + # the owner is gerrit, but we also want the builders to access this + # configuration. "gerrit/hooks.age" = { publicKeys = all; owner = "git"; + group = "buildkite-agents"; + mode = "0440"; }; "syncthing/key.age" = { |