security: harden CI pipeline (pin host keys, suppress ntfy topic, restrict secrets)

2026-03-31 11:03:07 -04:00
parent c556b82f9a
commit 40fa8147e6
4 changed files with 16 additions and 8 deletions
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -140,8 +140,8 @@
    git-crypt-key-dotfiles = {
      file = ../secrets/git-crypt-key-dotfiles.age;
      mode = "0400";
-      owner = "gitea-runner";
-      group = "gitea-runner";
+      owner = "root";
+      group = "root";
    };

    # Git-crypt symmetric key for server-config repo