document the secret and how it is different from the token

.forgejo/workflows/example-docker-compose.yml

@@ -28,6 +28,8 @@ jobs:
         run: |
           set -x
           cd examples/docker-compose
+          secret=$(openssl rand -hex 20)
+          sed -i -e "s/{SHARED_SECRET}/$secret/" compose-forgejo-and-runner.yml
           cli="docker compose -f compose-forgejo-and-runner.yml -f compose-demo-workflow.yml"
           #
           # Launch

examples/docker-compose/README.md

@@ -8,6 +8,20 @@ used by the `Forgejo runner` to execute the workflows.
 
 ### Running
 
+Create a shared secret with:
+
+```sh
+openssl rand -hex 20
+```
+
+Replace all occurences of {SHARED_SECRET} in
+[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
+
+> **NOTE:** a token obtained from the Forgejo web interface cannot be used as a shared secret.
+
+Replace {ROOT_PASSWORD} with a secure password in
+[compose-forgejo-and-runner.yml](compose-forgejo-and-runner.yml).
+
 ```sh
 docker-compose -f compose-forgejo-and-runner.yml up
 Creating docker-compose_docker-in-docker_1 ... done
@@ -27,17 +41,10 @@ To login the Forgejo instance:
 
 * URL: http://0.0.0.0:8080
 * user: root
-* password: admin1234
+* password: {ROOT_PASSWORD}
 
 `Forgejo Actions` is enabled by default when creating a repository.
 
-### Security
-
-This is a demo and **must not be used in production** because:
-
-* the runner secret is hardcoded
-* the admin password is hardcoded to admin1234
-
 ## Tests workflow
 
 The `compose-demo-workflow.yml` compose file runs a demo workflow to

examples/docker-compose/compose-demo-workflow.yml

@@ -25,7 +25,7 @@ services:
       git config user.name username ;
       git commit -m 'demo' ;
       while : ; do
-        git push --set-upstream --force http://root:admin1234@forgejo:3000/root/test main && break ;
+        git push --set-upstream --force http://root:{ROOT_PASSWORD}@forgejo:3000/root/test main && break ;
         sleep 5 ;
       done ;
       sha=`git rev-parse HEAD` ;

examples/docker-compose/compose-forgejo-and-runner.yml

@@ -1,6 +1,19 @@
 # Copyright 2023 The Forgejo Authors.
 # SPDX-License-Identifier: MIT
 
+#
+# Create a secret with:
+#
+#   openssl rand -hex 20
+#
+# Replace all occurences of {SHARED_SECRET} below with the output.
+#
+# NOTE: a token obtained from the Forgejo web interface cannot be used
+#       as a shared secret.
+#
+# Replace {ROOT_PASSWORD} with a secure password
+#
+
 version: "3"
 
 services:
@@ -16,8 +29,8 @@ services:
       bash -c '
       /bin/s6-svscan /etc/s6 &
       sleep 10 ;
-      su -c "forgejo forgejo-cli actions register --secret e3359786173a7aeb3818c19637479c5dbd7c5abb --labels docker --version 3.0.0" git ;
-      su -c "forgejo admin user create --admin --username root --password admin1234 --email root@example.com" git ;
+      su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET} --labels docker --version 3.0.0" git ;
+      su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ;
       sleep infinity
       '
     environment:
@@ -45,7 +58,7 @@ services:
     command: >-
       bash -c '
       while : ; do
-        forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret e3359786173a7aeb3818c19637479c5dbd7c5abb && break ;
+        forgejo-runner create-runner-file --instance http://forgejo:3000 --name runner --secret {SHARED_SECRET} && break ;
         sleep 1 ;
       done ;
       forgejo-runner generate-config > config.yml ;