by constGard 5 days ago
I've added a few more bells and whistles to my agentic Rube Goldberg, but the gist is Forgejo tag listeners triggering Argo workflows to orchestrate:

1. issue tag

2. write pr

3. testing

4. review+revise loop

5. merge mutex to ensure you don't get a merge storm

6. rebase and merge

I've been trying really hard to have it properly implement agentic identity where the pod gets a SPIFFE-attested token and then trades that for access to the Vault secret for a project-scoped Forgejo service account. I wish Forgejo could configure a trusted external JWT signing authority so I could skip Vault and the accounts.

Here's the inspiration for the auth model I've been trying to implement: https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/

The last piece has been using gVisor + Kubernetes agent sandboxes. My fable adventure last week was having it debug the process of attesting and distributing workload identities for agents running in gVisor, as it creates a layer of indirection that confuses SPIRE to the point it won't issue an ID.
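Added example, not constGard's code and not part of the comment above: the token exchange the comment describes (SPIFFE-attested JWT for the pod, traded at Vault for one project's Forgejo service-account token) reduced to a single offline Go program. The `Issue` function stands in for SPIRE's JWT-SVID issuance and `Broker.Exchange` for Vault's JWT auth method with a role bound to one subject and one audience. Everything concrete here is an assumption: the trust domain `example.org`, the SPIFFE IDs under `/ns/agents/sa/`, the audience `vault.example.org`, and the string `forgejo-token-foo` standing in for the secret. The JWT handling is hand-rolled on the standard library so the program runs with no network and no SPIRE; a real pod would fetch its JWT-SVID from the SPIRE Workload API and let Vault (or go-spiffe) do the validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims of a JWT-SVID as SPIRE issues them: sub is the workload's SPIFFE ID,
// aud names the intended verifier, exp bounds the token's lifetime.
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// NewKey makes a P-256 signing key; in a real cluster it lives inside SPIRE.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue signs an ES256 JWT-SVID for spiffeID, valid for ttl from now (stand-in for SPIRE).
func Issue(key *ecdsa.PrivateKey, spiffeID, aud string, now time.Time, ttl time.Duration) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Sub: spiffeID, Aud: aud, Exp: now.Add(ttl).Unix()})
	signing := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64) // JWS ES256 carries the signature as r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signing + "." + b64(sig)
}

// Broker plays Vault's JWT auth method plus the secret it guards: each role is
// bound to one SPIFFE ID and yields only that project's Forgejo token.
type Broker struct {
	Pub   *ecdsa.PublicKey     // SPIRE's public key, the only trusted signer
	Aud   string               // audience this broker accepts
	Roles map[string][2]string // role -> {bound SPIFFE ID, Forgejo token}
}

// Exchange checks alg, signature and expiry, then enforces audience and the
// role's bound subject before releasing the project-scoped secret.
func (b *Broker) Exchange(token, role string, now time.Time) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	rawHdr, e1 := base64.RawURLEncoding.DecodeString(p[0])
	rawBody, e2 := base64.RawURLEncoding.DecodeString(p[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(p[2])
	var hdr struct{ Alg string `json:"alg"` }
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "ES256" {
		return "", fmt.Errorf("malformed token or unexpected alg") // also refuses alg=none
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(b.Pub, h[:], r, s) {
		return "", fmt.Errorf("signature is not from the trusted SPIRE key")
	}
	var c Claims
	if json.Unmarshal(rawBody, &c) != nil || now.Unix() >= c.Exp {
		return "", fmt.Errorf("token expired or unreadable")
	}
	bound, ok := b.Roles[role]
	if c.Aud != b.Aud || !ok || bound[0] != c.Sub {
		return "", fmt.Errorf("token for %s (aud %q) is not bound to role %s here", c.Sub, c.Aud, role)
	}
	return bound[1], nil
}

func main() {
	spireKey, now := NewKey(), time.Now()
	vault := &Broker{Pub: &spireKey.PublicKey, Aud: "vault.example.org", Roles: map[string][2]string{
		"project-foo": {"spiffe://example.org/ns/agents/sa/project-foo", "forgejo-token-foo"}}}
	foo := Issue(spireKey, "spiffe://example.org/ns/agents/sa/project-foo", "vault.example.org", now, time.Minute)
	fmt.Println(vault.Exchange(foo, "project-foo", now)) // the project's own pod gets its token
	bar := Issue(spireKey, "spiffe://example.org/ns/agents/sa/project-bar", "vault.example.org", now, time.Minute)
	fmt.Println(vault.Exchange(bar, "project-foo", now)) // another project's pod: refused
	rogue := Issue(NewKey(), "spiffe://example.org/ns/agents/sa/project-foo", "vault.example.org", now, time.Minute)
	fmt.Println(vault.Exchange(rogue, "project-foo", now)) // right SPIFFE ID, wrong signer: refused
}
```

The `Roles` map is the part that does the project scoping: in Vault's JWT auth method the same thing is a role with `bound_subject` set to the pod's SPIFFE ID, `bound_audiences` set to what SPIRE puts in `aud`, and a policy that reads only that project's KV path. The audience check matters as much as the signature check, because a JWT-SVID minted for some other service (say, for Forgejo itself) should not double as a Vault login, and the `alg` check is what stops a client from presenting an unsigned or HMAC-signed token against an asymmetric trust root.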