[Security] Develop an Automatic Token Rotation Script for Gitea Agent Credentials #1421

New Issue

Timmy · 2026-03-24T13:04:37Z

Timmy commented

2026-03-24 13:04:37 +00:00

Context: Gitea API tokens possess no automated expiry loop.

Acceptance Criteria:

Integrate a 30-day token rotation protocol using Gitea integration commands.
Revoke previous token post-rotation.

**Context:** Gitea API tokens possess no automated expiry loop. **Acceptance Criteria:** - Integrate a 30-day token rotation protocol using Gitea integration commands. - Revoke previous token post-rotation.

Timmy commented

2026-03-24 14:45:21 +00:00

Implementation Plan for Token Rotation Script

Priority: HIGH - Security vulnerability (plaintext tokens with no rotation)

Files to Create/Modify:

scripts/rotate-gitea-tokens.sh - Main rotation script
scripts/ops-helpers.sh - Add token rotation helper function
.github/workflows/token-rotation.yml or cron job setup

Implementation Steps:

Create Token Rotation Script (scripts/rotate-gitea-tokens.sh):
- Generate new Gitea API token via API call
- Update ~/.hermes/gitea_token atomically (write to temp file, then rename)
- Revoke old token via API
- Log rotation events with timestamps
- Include error handling and rollback on failure
Add Ops Helper Function (scripts/ops-helpers.sh):
- Add rotate_gitea_token() function
- Include validation for token format and permissions
- Add verify_token_permissions() helper
Automation Setup:
- Create cron job or GitHub Action for weekly rotation
- Include notification on rotation failure
- Test in staging environment first

Key Security Requirements:

Atomic file operations (no partial writes)
Proper file permissions (600 for token files)
Secure cleanup of old tokens
Comprehensive error logging
Rollback capability on failure

Testing:

Verify new token works before revoking old one
Test with invalid credentials
Test file permission scenarios
Verify cron job integration

Acceptance Criteria Met When:

Script successfully rotates tokens without service interruption
Old tokens are properly revoked
Process is fully automated (weekly cron job)
Comprehensive error handling and logging
Documentation updated

This addresses a critical security gap - plaintext tokens with no expiry/rotation cycle.

## Implementation Plan for Token Rotation Script **Priority**: HIGH - Security vulnerability (plaintext tokens with no rotation) **Files to Create/Modify**: 1. `scripts/rotate-gitea-tokens.sh` - Main rotation script 2. `scripts/ops-helpers.sh` - Add token rotation helper function 3. `.github/workflows/token-rotation.yml` or cron job setup **Implementation Steps**: 1. **Create Token Rotation Script** (`scripts/rotate-gitea-tokens.sh`): - Generate new Gitea API token via API call - Update `~/.hermes/gitea_token` atomically (write to temp file, then rename) - Revoke old token via API - Log rotation events with timestamps - Include error handling and rollback on failure 2. **Add Ops Helper Function** (`scripts/ops-helpers.sh`): - Add `rotate_gitea_token()` function - Include validation for token format and permissions - Add `verify_token_permissions()` helper 3. **Automation Setup**: - Create cron job or GitHub Action for weekly rotation - Include notification on rotation failure - Test in staging environment first **Key Security Requirements**: - Atomic file operations (no partial writes) - Proper file permissions (600 for token files) - Secure cleanup of old tokens - Comprehensive error logging - Rollback capability on failure **Testing**: - Verify new token works before revoking old one - Test with invalid credentials - Test file permission scenarios - Verify cron job integration **Acceptance Criteria Met When**: - Script successfully rotates tokens without service interruption - Old tokens are properly revoked - Process is fully automated (weekly cron job) - Comprehensive error handling and logging - Documentation updated This addresses a critical security gap - plaintext tokens with no expiry/rotation cycle.

kimi was assigned by Timmy

2026-03-24 14:45:21 +00:00

kimi was unassigned by Timmy

2026-03-24 19:32:17 +00:00

Timmy closed this issue

2026-03-24 21:54:07 +00:00

Sign in to join this conversation.

Branches Tags

main

gemini/issue-892

claude/issue-1342

claude/issue-1346

claude/issue-1351

claude/issue-1340

fix/test-llm-triage-syntax

gemini/issue-1014

gemini/issue-932

claude/issue-1277

claude/issue-1139

claude/issue-870

claude/issue-1285

claude/issue-1292

claude/issue-1281

claude/issue-917

claude/issue-1275

claude/issue-925

claude/issue-1019

claude/issue-1094

claude/issue-1019-v3

fix/flaky-vassal-xdist-tests

fix/test-config-env-isolation

claude/issue-1019-v2

claude/issue-957-v2

claude/issue-1218

claude/issue-1217

test/chat-store-unit-tests

claude/issue-1191

claude/issue-1186

claude/issue-957

gemini/issue-936

claude/issue-1065

gemini/issue-976

gemini/issue-1149

claude/issue-1135

claude/issue-1064

gemini/issue-1012

claude/issue-1095

claude/issue-1102

claude/issue-1114

gemini/issue-978

gemini/issue-971

claude/issue-1074

claude/issue-987

claude/issue-1011

feature/internal-monologue

feature/issue-1006

feature/issue-1007

feature/issue-1008

feature/issue-1009

feature/issue-1010

feature/issue-1011

feature/issue-1012

feature/issue-1013

feature/issue-1014

feature/issue-981

feature/issue-982

feature/issue-983

feature/issue-984

feature/issue-985

feature/issue-986

feature/issue-987

feature/issue-993

claude/issue-943

claude/issue-975

claude/issue-989

claude/issue-988

fix/loop-guard-gitea-api-and-queue-validation

feature/lhf-tech-debt-fixes

kimi/issue-753

kimi/issue-714

kimi/issue-716

fix/csrf-check-before-execute

chore/migrate-gitea-to-vps

kimi/issue-640

fix/utcnow-calm-py

kimi/issue-635

kimi/issue-625

fix/router-api-truncated-param

kimi/issue-604

kimi/issue-594

review-fixes

kimi/issue-570

kimi/issue-554

kimi/issue-539

kimi/issue-540

feature/ipad-v1-api

kimi/issue-506

kimi/issue-512

refactor/airllm-doc-cleanup

kimi/issue-513

kimi/issue-514

kimi/issue-500

kimi/issue-492

kimi/issue-490

kimi/issue-459

kimi/issue-472

kimi/issue-473

kimi/issue-462

kimi/issue-463

kimi/issue-454

kimi/issue-445

kimi/issue-446

kimi/issue-431

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Rockachopa/Timmy-time-dashboard#1421