- Fix op read path to use Forgejo Secrets item field zot-ci-api
(was zot-ci-apikey/credential)
- Rewrite zot reference card security model for OIDC + API key auth
- Add API key rotation procedure with impersonation steps and op
one-liner
- Document 90-day key expiry in wire-ci-registry-auth how-to
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The apikey extension was deprecated in zot v2.1.13 — API key
management is now configured under http.auth.apikey, which was
already set.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Zot defaults to using the email claim as username, but service accounts
in Authentik have no email set. Map to preferred_username instead, which
contains the actual username (e.g. "zot-ci").
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The auth.apikey flag enables *using* API keys but the extensions.apikey
section is needed for the UI to show login and key generation options.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Enable authentication on the zot registry with OIDC (via Authentik) and
API key support. Add three-tier accessControl: anonymous read, CI create
(artifact-workloads group), admin full access.
Wire both CI push paths with registry credentials:
- Dagger publish() gains optional registry_password/username params
- Nix/skopeo path adds --dest-creds to skopeo copy
The ZOT_CI_API_KEY secret flows from 1Password through the existing
forgejo_actions_secrets ansible role to both runners.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
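As an added illustration of the setup the last commit describes (this is not the repository's own config.json, which the commits do not show), a zot config fragment with OIDC via Authentik plus API key auth under `http.auth`, and a three-tier `accessControl`: anonymous read, `artifact-workloads` group read+create, admin full access. The issuer URL, client id/secret reference, rootDirectory, port and the `admin` username are placeholders, not values from the page.

```json
{
  "distSpecVersion": "1.1.0",
  "storage": {
    "rootDirectory": "/var/lib/zot"
  },
  "http": {
    "address": "0.0.0.0",
    "port": "5000",
    "auth": {
      "openid": {
        "providers": {
          "oidc": {
            "issuer": "https://authentik.example.internal/application/o/zot/",
            "clientid": "zot",
            "clientsecret": "REPLACE-WITH-OIDC-CLIENT-SECRET",
            "scopes": ["openid", "profile", "email", "groups"]
          }
        }
      },
      "apikey": true
    },
    "accessControl": {
      "repositories": {
        "**": {
          "policies": [
            {
              "groups": ["artifact-workloads"],
              "actions": ["read", "create"]
            }
          ],
          "anonymousPolicy": ["read"],
          "defaultPolicy": ["read"]
        }
      },
      "adminPolicy": {
        "users": ["admin"],
        "actions": ["read", "create", "update", "delete"]
      }
    }
  },
  "extensions": {
    "ui": {
      "enable": true
    }
  }
}
```

Points worth checking against this layout: the CI identity gets `create` but not `update` or `delete`, so a leaked runner key can push new tags but cannot overwrite or remove existing ones; `anonymousPolicy` and `defaultPolicy` are both read-only, so any authenticated user outside the group gains nothing beyond anonymous pulls; and the group name must match what Authentik emits in its `groups` claim, otherwise pushes fail with 403 rather than 401. On the runner side the API key is presented as an ordinary basic credential, e.g. `skopeo copy --dest-creds "zot-ci:${ZOT_CI_API_KEY}" ...`, where `zot-ci` is the username the `preferred_username` claim resolves to in the earlier commit.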