mirror of
https://github.com/terraphim/gitea-infrastructure.git
synced 2026-07-16 00:00:32 +02:00
docs: Update handover with session 4 and 1Password SA lessons
- Document service account read-only limitation - Add session 4 log (1Password token update, task tracking) - Track expired token fix in cto-executive-system#8 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -160,3 +160,21 @@
|
||||
1. **Simplest mirroring wins** -- Gitea pull mirror is one API call to set up, zero maintenance, and replaces two GitHub Actions workflows plus a monitoring check.
|
||||
|
||||
2. **Use `gh auth token` as GitHub token source** -- more reliable than maintaining a separate PAT in 1Password. The `gh` CLI handles token refresh automatically.
|
||||
|
||||
## Session: 2026-02-18 -- 1Password Service Account Limitations
|
||||
|
||||
### Technical Discoveries
|
||||
|
||||
1. **1Password service accounts are read-only by default**
|
||||
- `op_zesticai_non_prod.sh` sources a SERVICE_ACCOUNT (type visible via `op whoami`)
|
||||
- Service accounts can `op read` but `op item edit` fails with "Couldn't update the item"
|
||||
- No specific error about permissions -- just a generic failure message
|
||||
- Write access must be granted explicitly in 1Password admin settings per vault
|
||||
|
||||
### Pitfalls to Avoid
|
||||
|
||||
1. **Do not assume `op item edit` works with service accounts** -- test write access before building automation that depends on it. The error message gives no indication that it's a permissions issue.
|
||||
|
||||
### Best Practices Discovered
|
||||
|
||||
1. **Track infrastructure tasks in a central repo** -- Created issue in `AlexMikhalev/cto-executive-system` to track the token update. This prevents losing track of manual steps that couldn't be automated.
|
||||
|
||||
Reference in New Issue
Block a user