defmodule GitGud.Packages.RegistryToken do
@moduledoc """
A long-lived, repo-scoped token for authenticating to the bundled OCI
registry (zot) outside of CI — e.g. an Argo/keel pull secret, or an
external pipeline pushing images.
Only the SHA-256 `token_hash` is stored; the plaintext (`ggrt_…`) is
shown once at creation. `scopes` is a subset of `pull` / `push`; the
registry token endpoint grants the intersection of these and the
requested actions on the token's own repository.
"""
use Ecto.Schema
import Ecto.Changeset
alias GitGud.Repositories.Repository
@scopes ~w(pull push)
schema "registry_tokens" do
field :name, :string
field :token_hash, :binary, redact: true
field :scopes, {:array, :string}, default: ["pull"]
field :last_used_at, :utc_datetime
belongs_to :repository, Repository
timestamps(type: :utc_datetime)
end
@doc false
def changeset(token, attrs) do
token
|> cast(attrs, [:name, :token_hash, :scopes, :repository_id])
|> validate_required([:name, :token_hash, :repository_id])
|> validate_length(:name, min: 1, max: 100)
|> validate_subset(:scopes, @scopes)
|> validate_length(:scopes, min: 1)
|> unique_constraint(:name, name: :registry_tokens_repository_id_name_index)
|> unique_constraint(:token_hash)
end
@doc "Allowed scope values."
def scopes, do: @scopes
end
1.4 KiB · text
5af55d9