HackerTrans
TopNewTrendsCommentsPastAskShowJobs

constGard

no profile record

comments

constGard
·25 dni temu·discuss
I've added a few more bells and whistles to my agentic rube goldberg, but the gist is forgejo tag listeners triggering argo workflows to orchestrate

1. issue tag

2. write pr

3. testing

4. review+revise loop

5. merge mutex to ensure you don't get a merge storm

6. rebase and merge

I've been trying really hard to have it properly implement agentic identity where the pod gets a spiffe-attested token and then trades that for access to the vault secret for a project-scoped forgejo service account. I wish forgejo could configure a trusted external jwt signing authority so I could skip vault and the accounts.

Here's the inspiration for the auth model I've been trying to implement: https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/

The last piece has been using gvisor + kubernetes agent sandboxes. My fable adventure last week was having it debug the process of attesting and distributing workload identities for agents running in gvisor, as it creates a layer of indirection that confuses spire to the point it won't issue an ID.
constGard
·11 miesięcy temu·discuss
They do hire plenty of American citizens, but the lengths they go to hire people on H-1Bs make me think they get something extra out of it. At FB you'd often see big boards of "public job postings" in internal lobbies that I can only assume were to comply with some arbitrary requirement.