We are not on top of expiring bot tokens and we usually only notice when
someone else points it out.

It is also a bit cumbersome to add new bot tokens, so avoid the issue
altogether, by just extending the lifetime of the bot tokens
continuously.

Fix #617

The behavior is mentioned in the documentation[1], but gitlab has not
always done it this way (e.g. some of the older project bots still
exist, even though the project tokens expired several months ago).

[1] https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#bot-users-for-projects

This will be used for deleting old packages (i.e. the fortnightly
packages which are older than 90 days). I thought using a job token
would work (as described in [1]), but that turned out not to be the case
as explained in [2].

[1] 242213b2 ("gluebuddy: Remove deleted project bot for arch-boxes")
[2] arch-boxes@48ccb457

This will be used for issue-bot[1][2] similar as it is done in the
signstar project[3].

[1] https://gitlab.com/gitlab-org/distribution/issue-bot
[2] arch-boxes@f0c7c7e7
[3] signstar@4e1cfa1e

This will be used for issue-bot[1] similar as it is done in the
signstar project[2].

[1] signstar#20 (comment 201743)
[2] https://gitlab.com/gitlab-org/distribution/issue-bot

This will be used to create issues for the monthly reports[1][2].

[1]: project-management!1
[2]: project-management#31



Signed-off-by: Christian Heusel <christian@heusel.eu>

The project access token expired ~3 months ago and the CI script has
just been switched to using a job token instead[1]. The project bot user
has zero activity so I decided to delete it.

[1] arch-boxes@afa85791

This will be used for issue-bot[1][2].

[1] signstar#20 (comment 201743)
[2] https://gitlab.com/gitlab-org/distribution/issue-bot

[1] https://gitlab.archlinux.org/archlinux/nvchecker-poc

This will used to increase the level of automation.

Signed-off-by: Christian Heusel <christian@heusel.eu>

There is no reason for this and we very rarely use the console anyway.

Ref #541

The gitlab bot added in [1] expired after one month, so this allowlist
the new bot, which expires after 11 months (gitlab's maximum).

[1] 5fb8df85 ("gluebuddy: Add gitlab bot for aurweb-tfstate project")

Aurweb wants to use terraform to create VMs in the Hetzner cloud sandbox
project and it must store the terraform state somewhere. The state can
be stored in GitLab[1], but unfortunately the access is not very
granular. So to avoid handing the CI pipeline too much access to the
aurweb project, a new project has been created, to store only the
terraform state, and an associated project access token.

[1] https://docs.gitlab.com/ee/user/infrastructure/iac/terraform_state.html

Requested by @torxed to be able to commit from a pipeline.

[1] https://gitlab.archlinux.org/archlinux/teams/mirror-administrator/arch-mirrors

This avoids the issue of ending up with a HTML page that contains a
redirect link if we are not hitting the final endpoint with the
retrieved link.

Sequoia now manages the trust level, so we need to add the fingerprints
and mark those keys trusted before verifying the file.

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

This might be a bug in ansible-lint 6.5.0, but it appears to ignore all
our 'skip_ansible_lint' tags. Fix this by replacing them with noqa tags.

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

These are used to signal the start of the document in a stream of many
documents. As Ansible only supports one YAML document per file this is
unnecessary. About a third of our YAML documents already lacked these.