Add secure password delivery for Forgejo provisioning

Write credentials to ~/.forgejo-credentials (JSON, mode 600) when creating new Forgejo users. Onboarding message points to file instead of showing password in terminal output. Addresses ops-jrz1-ofw. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 10:02:57 -08:00 · 2026-01-09 10:02:57 -08:00 · aca792a51d
parent 1575e44ca2
commit aca792a51d
1 changed files with 26 additions and 4 deletions
--- a/scripts/dev-add.sh
+++ b/scripts/dev-add.sh
@ -216,14 +216,34 @@ provision_forgejo() {
            \"send_notify\": false
        }" 2>/dev/null) || true

+    local user_created=false
    if [[ "$http_code" == "201" ]]; then
        log_info "Forgejo user created"
+        user_created=true
    elif [[ "$http_code" == "422" ]]; then
        log_info "Forgejo user already exists"
    else
        log_warn "Forgejo user creation returned HTTP $http_code (may already exist)"
    fi

+    # Write credentials file (only if we created the user and know the password)
+    if [[ "$user_created" == true ]]; then
+        local creds_file="/home/$username/.forgejo-credentials"
+        cat > "$creds_file" << EOF
+{
+  "service": "forgejo",
+  "url": "https://git.clarun.xyz",
+  "username": "$username",
+  "initial_password": "$random_pass",
+  "must_change_password": true,
+  "note": "Delete this file after first login: rm ~/.forgejo-credentials"
+}
+EOF
+        chmod 600 "$creds_file"
+        chown "$username:users" "$creds_file"
+        log_info "Credentials written to ~/.forgejo-credentials"
+    fi
+
    # Upload SSH key to Forgejo (ignore if already exists)
    http_code=$(curl -s -o /dev/null -w "%{http_code}" \
        -X POST "$forgejo_url/api/v1/admin/users/$username/keys" \
@ -277,11 +297,13 @@ print_onboarding() {
    echo ""
    echo "## Git Access"
    echo ""
-    echo "   Clone repos from git.clarun.xyz:"
-    echo "   git clone git@git.clarun.xyz:dan/repo-name.git"
+    echo "   Clone repos: git clone git@git.clarun.xyz:org/repo.git"
    echo ""
-    echo "   Your Forgejo account: $username"
-    echo "   Web UI: https://git.clarun.xyz (reset password on first login)"
+    echo "   Forgejo account: $username"
+    echo "   Credentials file: ~/.forgejo-credentials"
+    echo "   Web UI: https://git.clarun.xyz"
+    echo ""
+    echo "   Note: Change password on first login, then delete credentials file"
    echo ""
    echo "## Tools Available"
    echo "   System: python3, uv, git, bun, node, opencode, bd"