ci(i18n): configure authentication for private Go modules

Sets up git credential configuration and Go environment variables (GOPRIVATE, GONOSUMDB) to enable fetching private modules from git.marketally.com and code.gitcaddy.com during builds. Uses RELEASE_TOKEN secret for authentication and disables public proxy for private repositories.

.gitea/workflows/build.yml

@@ -12,7 +12,9 @@ on:
   workflow_dispatch:
 
 env:
-  GOPROXY: https://proxy.golang.org,direct
+  GOPROXY: direct
+  GOPRIVATE: git.marketally.com,code.gitcaddy.com
+  GONOSUMDB: git.marketally.com,code.gitcaddy.com
   GO_VERSION: "1.25"
 
 jobs:
@@ -29,6 +31,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Configure git for private modules
+        run: |
+          git config --global url."https://token:${{ secrets.RELEASE_TOKEN }}@git.marketally.com/".insteadOf "https://git.marketally.com/"
+
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
@@ -58,6 +64,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Configure git for private modules
+        run: |
+          git config --global url."https://token:${{ secrets.RELEASE_TOKEN }}@git.marketally.com/".insteadOf "https://git.marketally.com/"
+
       - name: Setup Go
         uses: actions/setup-go@v5
         with:

crypto/crypto.go

@@ -27,7 +27,9 @@ var (
 
 // Manager handles encryption operations using the master KEK
 type Manager struct {
-	masterKey []byte
+	masterKey      []byte
+	usingFallback  bool // true when using Gitea SECRET_KEY as fallback
+	keySource      string
 }
 
 // NewManager creates a new crypto manager
@@ -39,14 +41,27 @@ func NewManager() *Manager {
 func (m *Manager) LoadMasterKey() error {
 	// Priority: app.ini [vault] > env var > file > gitea secret key
 	key := m.loadFromSettings()
+	if key != nil {
+		m.keySource = "app.ini [vault] MASTER_KEY"
+	}
 	if key == nil {
 		key = m.loadFromEnv()
+		if key != nil {
+			m.keySource = "GITCADDY_VAULT_KEY environment variable"
+		}
 	}
 	if key == nil {
 		key = m.loadFromFile()
+		if key != nil {
+			m.keySource = "key file"
+		}
 	}
 	if key == nil {
 		key = m.loadFromGiteaSecret()
+		if key != nil {
+			m.keySource = "Gitea SECRET_KEY (fallback)"
+			m.usingFallback = true
+		}
 	}
 
 	if len(key) == 0 {
@@ -64,7 +79,7 @@ func (m *Manager) LoadMasterKey() error {
 	}
 
 	m.masterKey = key
-	log.Info("Vault master key loaded successfully")
+	log.Info("Vault master key loaded successfully (source: %s)", m.keySource)
 	return nil
 }
 
@@ -133,6 +148,17 @@ func (m *Manager) HasMasterKey() bool {
 	return len(m.masterKey) > 0
 }
 
+// IsUsingFallbackKey returns true if the master key was loaded from Gitea's SECRET_KEY
+// rather than an explicit vault-specific key configuration.
+func (m *Manager) IsUsingFallbackKey() bool {
+	return m.usingFallback
+}
+
+// KeySource returns a human-readable description of where the master key was loaded from.
+func (m *Manager) KeySource() string {
+	return m.keySource
+}
+
 // Encrypt encrypts plaintext using AES-256-GCM
 // Returns: nonce || ciphertext || tag
 func (m *Manager) Encrypt(plaintext []byte, key []byte) ([]byte, error) {
@@ -239,6 +265,16 @@ func HasMasterKey() bool {
 	return defaultManager.HasMasterKey()
 }
 
+// IsUsingFallbackKey checks if the default manager is using Gitea's SECRET_KEY as fallback
+func IsUsingFallbackKey() bool {
+	return defaultManager.IsUsingFallbackKey()
+}
+
+// KeySource returns the key source of the default manager
+func KeySource() string {
+	return defaultManager.KeySource()
+}
+
 // EncryptWithMasterKey encrypts using the default manager
 func EncryptWithMasterKey(plaintext []byte) ([]byte, error) {
 	return defaultManager.EncryptWithMasterKey(plaintext)

locale/locale_en-US.json

@@ -11,6 +11,13 @@
   "vault.config_error_title": "Vault Not Configured",
   "vault.config_error_message": "The vault encryption key has not been configured. Secrets cannot be encrypted or decrypted.",
   "vault.config_error_fix": "Add MASTER_KEY to the [vault] section in app.ini or set the GITCADDY_VAULT_KEY environment variable.",
+  "vault.fallback_key_warning_title": "Vault Using Fallback Encryption Key",
+  "vault.fallback_key_warning_message": "The vault is currently using Gitea's SECRET_KEY for encryption because no dedicated vault key has been configured. If the SECRET_KEY is ever changed or lost, all vault secrets will become permanently unreadable.",
+  "vault.fallback_key_warning_fix": "To fix this, copy the current SECRET_KEY value and set it as MASTER_KEY in the [vault] section of app.ini, or set the GITCADDY_VAULT_KEY environment variable. This ensures vault encryption remains stable even if the SECRET_KEY changes.",
+  "vault.decryption_error_title": "Vault Decryption Failed",
+  "vault.decryption_error_message": "Unable to decrypt vault secrets. The encryption key may have been changed or is incorrect.",
+  "vault.decryption_error_fix": "Verify that the MASTER_KEY in the [vault] section of app.ini (or the GITCADDY_VAULT_KEY environment variable) matches the key that was used when the secrets were originally created.",
+  "vault.encryption_error_message": "Unable to encrypt the secret value. The vault encryption key may not be configured correctly.",
   "vault.secret_name": "Name",
   "vault.secret_type": "Type",
   "vault.secret_value": "Secret Value",

plugin.go

@@ -144,6 +144,17 @@ func (p *VaultPlugin) ConfigurationError() string {
 	return ""
 }
 
+// IsUsingFallbackKey returns true if the vault is using Gitea's SECRET_KEY
+// as the encryption key instead of an explicit vault-specific key.
+func (p *VaultPlugin) IsUsingFallbackKey() bool {
+	return crypto.IsUsingFallbackKey()
+}
+
+// KeySource returns a human-readable description of where the master key was loaded from.
+func (p *VaultPlugin) KeySource() string {
+	return crypto.KeySource()
+}
+
 // Ensure VaultPlugin implements all required interfaces
 var (
 	_ plugins.Plugin           = (*VaultPlugin)(nil)