From 45b166352c99a926a5e505862e4d8daf6a3841ca Mon Sep 17 00:00:00 2001 From: Hoid Date: Tue, 17 Feb 2026 12:09:13 +0000 Subject: [PATCH] Session 48f: CI/CD secrets pipeline --- projects/business/memory/sessions.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md index 2941560..8750e38 100644 --- a/projects/business/memory/sessions.md +++ b/projects/business/memory/sessions.md @@ -1146,3 +1146,15 @@ - Container restarted, verification passed: health OK, Stripe checkout returns valid URL - Commit 73fba68 deployed - **This was the systemic root cause of recurring checkout failures.** Every `docker compose up -d --build` in a new shell lost the Stripe credentials. Now permanently fixed with `.env` file + CI/CD verification. + +## Session 48f — 2026-02-17 11:52-12:10 UTC (CI/CD Secrets Pipeline) +- **Investor requested:** Move secrets from local .env to Forgejo CI/CD secrets +- Updated `.forgejo/workflows/deploy.yml` to inject secrets during deploy: + - Uses `envs` param + `env` block to pass `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, `DATABASE_PASSWORD` from Forgejo secrets + - Writes `.env` with `printf` before docker compose build + - Fails loudly if any secret value is empty +- Commit 60efc5e pushed to main +- **Investor action needed:** Add 3 secrets in Forgejo (Settings → Actions → Secrets): + - `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, `DATABASE_PASSWORD` +- Local `.env` on server remains as fallback until CI secrets are configured +- Note: `openclawd` Forgejo token is read-only (not admin), couldn't add secrets via API
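Review bot: the bullets "Fails loudly if any secret value is empty" and "Local `.env` on server remains as fallback until CI secrets are configured" in the Session 48f entry contradict each other: if the deploy step aborts on an empty secret, no deploy can succeed until the three Forgejo secrets exist, so the server-side `.env` never acts as a fallback. Either record that deploys are expected to fail until the investor adds `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET` and `DATABASE_PASSWORD`, or note that the `printf` write of `.env` is skipped (not failed) when the secrets are absent so the existing server file is left intact. While you are there, the entry describes the `envs` param, `env` block and `printf` write but not how the written `.env` is protected (file mode, kept out of the repo) or that the workflow step does not echo the secret values into the Actions log; worth a line in the session notes for the next reader.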