mirror of
https://github.com/terraphim/gitea-infrastructure.git
synced 2026-07-16 00:00:32 +02:00
docs: Update handover with session 4 and 1Password SA lessons
- Document service account read-only limitation - Add session 4 log (1Password token update, task tracking) - Track expired token fix in cto-executive-system#8 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
+20
-5
@@ -380,13 +380,28 @@ GitHub Actions workflows (`sync-to-gitea.yml`, `mirror-check.yml`) were removed
|
||||
- Discovered Gitea creates empty mirror repos on failed async clones (silent failure)
|
||||
- Discovered `service: "git"` fails for private repos; `service: "github"` with valid token works
|
||||
- Mirror interval set to 1 hour, manual sync available via API
|
||||
- Updated HANDOVER.md, lessons-learned.md, and articles with new mirroring approach
|
||||
- Rewrote MIRRORING-GUIDE.md with pull mirror approach and all gotchas
|
||||
- Updated HANDOVER.md and lessons-learned.md
|
||||
|
||||
### Session 4: 1Password Token Update and Task Tracking
|
||||
- Attempted to update `github.personal.token` via `op item edit` -- blocked by service account read-only permissions
|
||||
- Confirmed `op_zesticai_non_prod.sh` sources a SERVICE_ACCOUNT with no write access to TerraphimPlatform vault
|
||||
- Created GitHub issue to track the fix: https://github.com/AlexMikhalev/cto-executive-system/issues/8
|
||||
|
||||
### All Commits (pushed to GitHub, auto-synced to Gitea)
|
||||
- `57eabbb` refactor: Replace GitHub Actions mirroring with Gitea native pull mirror
|
||||
- `0e69456` docs: Update handover with articles, publishing, and new lessons learned
|
||||
- `62e2275` docs: Add articles comparing beads/br/agent-mail with Gitea replacement
|
||||
- `4ff1821` docs: Update handover and add lessons learned
|
||||
- `b67284e` chore: Fix trailing whitespace across project files
|
||||
- `66b305d` feat(gitea-skill): Add integration tests and fix workflow label swap
|
||||
- `1fd202d` feat(gitea-skill): Rewrite Gitea agent skill with verified API patterns
|
||||
|
||||
### Next Steps
|
||||
1. Update `github.personal.token` in 1Password (currently expired)
|
||||
2. Consider adding gitea-mcp or forgejo-mcp as MCP server for Claude Code (see SKILL.md MCP Integration section)
|
||||
3. Create first real milestone and tasks in `terraphim/agent-tasks` for a project
|
||||
4. Consider Phase 4 (disciplined-verification) if more rigorous validation is needed
|
||||
1. Update `github.personal.token` in 1Password manually (service account is read-only) -- tracked in https://github.com/AlexMikhalev/cto-executive-system/issues/8
|
||||
2. Grant write access to `op_zesticai_non_prod` service account on TerraphimPlatform vault
|
||||
3. Consider adding gitea-mcp or forgejo-mcp as MCP server for Claude Code (see SKILL.md MCP Integration section)
|
||||
4. Create first real milestone and tasks in `terraphim/agent-tasks` for a project
|
||||
|
||||
## Contacts
|
||||
|
||||
|
||||
@@ -160,3 +160,21 @@
|
||||
1. **Simplest mirroring wins** -- Gitea pull mirror is one API call to set up, zero maintenance, and replaces two GitHub Actions workflows plus a monitoring check.
|
||||
|
||||
2. **Use `gh auth token` as GitHub token source** -- more reliable than maintaining a separate PAT in 1Password. The `gh` CLI handles token refresh automatically.
|
||||
|
||||
## Session: 2026-02-18 -- 1Password Service Account Limitations
|
||||
|
||||
### Technical Discoveries
|
||||
|
||||
1. **1Password service accounts are read-only by default**
|
||||
- `op_zesticai_non_prod.sh` sources a SERVICE_ACCOUNT (type visible via `op whoami`)
|
||||
- Service accounts can `op read` but `op item edit` fails with "Couldn't update the item"
|
||||
- No specific error about permissions -- just a generic failure message
|
||||
- Write access must be granted explicitly in 1Password admin settings per vault
|
||||
|
||||
### Pitfalls to Avoid
|
||||
|
||||
1. **Do not assume `op item edit` works with service accounts** -- test write access before building automation that depends on it. The error message gives no indication that it's a permissions issue.
|
||||
|
||||
### Best Practices Discovered
|
||||
|
||||
1. **Track infrastructure tasks in a central repo** -- Created issue in `AlexMikhalev/cto-executive-system` to track the token update. This prevents losing track of manual steps that couldn't be automated.
|
||||
|
||||
Reference in New Issue
Block a user