## Summary
- Adds a new **Credential Security** section to `DAGGER.md` (issue #141)
- Documents the current problem: production secrets (`ANDROID_KEYSTORE_BASE64`, `PLAY_STORE_CONFIG_JSON`, `SSH_PRIVATE_KEY`, `FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY`) live in Codeberg alongside Dagger TLS credentials — a Codeberg breach leaks all of them
- Lists four solutions with pros/cons:
1. **Runner-level env vars** — store secrets in the Forgejo runner's systemd service; no new infra; Codeberg holds only Dagger TLS certs
2. **Secret files on CI host** — `chmod 600` files owned by the runner user; OS-enforced access control
3. **Dagger host as orchestrator** — CI job triggers pipeline over SSH; secrets never leave the Dagger host
4. **External secret manager (Vault)** — full audit trail and rotation; disproportionate for a small project
- Includes a recommendation: start with Option 1 or 2, consider Option 3 once the trigger SSH key is the only remaining Codeberg secret
## Test plan
- [x] Pre-commit hooks pass (dart format, check-fast, dagger-progress-plain, hygiene, layers)
- [x] Documentation-only change; no Dart/Flutter code modified
- [x] All `dagger call` mentions in docs include `--progress=plain` (hook enforced)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
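As an added example that is not part of this PR or the project's code: a POSIX sh guard for Option 2 ("secret files on CI host"). The PR relies on `chmod 600` files owned by the runner user for OS-enforced access control; the functions below make a pipeline step verify that property before it reads a secret, so a file that was accidentally created world-readable, chowned to the wrong user, or replaced by a symlink is refused instead of silently used. The helper names `check_secret_file` and `load_secret_file`, the temp-dir path, and the sample contents are assumptions made for the illustration (`stat -c` is GNU coreutils syntax, as on a typical Linux runner host).

```shell
#!/bin/sh
# Added example (not from the PR or the project): guard for "secret files on
# the CI host". A secret file is accepted only if it is a regular file (not a
# symlink), owned by the invoking user, and has no group/other permission bits.

# check_secret_file PATH
#   returns 0 if PATH is safe to read, 1 otherwise (reason on stderr)
check_secret_file() {
    f=$1
    # -L first: -f follows symlinks, and a symlink in a writable dir could be
    # repointed at an arbitrary file by another local user.
    [ -L "$f" ] && { echo "refusing $f: is a symlink" >&2; return 1; }
    [ -f "$f" ] || { echo "refusing $f: not a regular file" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1    # octal mode without leading zero, e.g. 600
    owner=$(stat -c '%u' "$f") || return 1   # owner uid
    me=$(id -u)
    [ "$owner" = "$me" ] || { echo "refusing $f: owned by uid $owner, not uid $me" >&2; return 1; }
    # The last two octal digits are the group/other bits; anything other than
    # "00" means some other account on the host can read (or write) the secret.
    case "$mode" in
        *00) return 0 ;;
        *)   echo "refusing $f: mode $mode is wider than 0600" >&2; return 1 ;;
    esac
}

# load_secret_file VAR PATH
#   exports VAR with the contents of PATH (trailing newlines stripped by $(...))
#   only after check_secret_file accepts it.
load_secret_file() {
    var=$1
    f=$2
    check_secret_file "$f" || return 1
    export "$var=$(cat "$f")"
}

# Stand-alone demo with a constructed secret file (not a real credential).
demo_dir=$(mktemp -d)
printf 'c2FtcGxlLWtleXN0b3Jl' > "$demo_dir/android-keystore.b64"
chmod 600 "$demo_dir/android-keystore.b64"
if load_secret_file ANDROID_KEYSTORE_BASE64 "$demo_dir/android-keystore.b64"; then
    echo "loaded ANDROID_KEYSTORE_BASE64 (${#ANDROID_KEYSTORE_BASE64} chars)"
fi
chmod 644 "$demo_dir/android-keystore.b64"
load_secret_file ANDROID_KEYSTORE_BASE64 "$demo_dir/android-keystore.b64" || echo "rejected, as expected"
rm -rf "$demo_dir"
```

Wiring this into the pipeline means calling `load_secret_file` at the top of the CI step instead of reading the file directly; a misconfigured file then fails the job with a clear message rather than leaking. For Option 1 (systemd env vars) the same concern applies to the unit's `EnvironmentFile=` target, which should be checked the same way when it is provisioned.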