RyanParsleyDotCom

Codeberg Secrets

A thing that has confused me on a couple of occasions is the 2 similar but distinct kinds of secrets needed for Codeberg pipelines. The key thing to be sensitive to is that there are 2 basic scenarios to account for.

  1. The forge needs to trigger the pipeline
  2. The pipeline needs to trigger the forge

To that end, in ci.codeberg.org (Woodpecker) there are 2 secrets.

  1. SSH key (private)
  2. API token (generated by Codeberg)

While in Codeberg, you need to do the following.

  1. Store a Deploy Key (public SSH key)
  2. Generate an API token

How to make an SSH key pair on your local computer for Codeberg

ssh-keygen -t ed25519 -f /tmp/deploy_key -N ""

Here’s an ergonomic way to copy those on a Mac:

cat /tmp/deploy_key.pub | pbcopy   # public key for codeberg.org
cat /tmp/deploy_key | pbcopy      # private key (ci.codeberg.org)

Where do I put that public key?

Codeberg needs to have the public key as its “Deploy Key”.

Project → Settings → Deploy Keys
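
The following script is an added example, not from the original post: it creates the same key pair in a private temporary directory rather than a fixed path in /tmp, checks that the two files belong together, and labels which half goes to Codeberg and which to ci.codeberg.org. The function names and the `--generate` argument are assumptions made for this example.

```shell
# Added example (not from the original post). Function names are hypothetical.

# Print "private", "public" or "unknown" based on the first line of a key file.
key_kind() (
  IFS= read -r first < "$1" || true
  case "$first" in
    "-----BEGIN OPENSSH PRIVATE KEY-----") echo private ;;
    "ssh-ed25519 "*)                       echo public ;;
    *)                                     echo unknown ;;
  esac
)

# Succeed only if public key file $2 belongs to private key file $1.
pair_matches() (
  derived=$(ssh-keygen -y -f "$1" 2>/dev/null | awk '{print $1, $2}')
  stored=$(awk '{print $1, $2}' "$2")
  [ -n "$derived" ] && [ "$derived" = "$stored" ]
)

# Same ssh-keygen options as the post, but inside a fresh directory that only
# the current user can read instead of a fixed path in /tmp. Prints the directory.
make_deploy_key() (
  umask 077
  dir=$(mktemp -d) || exit 1
  ssh-keygen -q -t ed25519 -f "$dir/deploy_key" -N "" >/dev/null || exit 1
  echo "$dir"
)

main() {
  dir=$(make_deploy_key) || return 1
  pair_matches "$dir/deploy_key" "$dir/deploy_key.pub" || return 1
  echo "$(key_kind "$dir/deploy_key.pub"): $dir/deploy_key.pub -> Codeberg: Project, Settings, Deploy Keys"
  echo "$(key_kind "$dir/deploy_key"): $dir/deploy_key -> secret in ci.codeberg.org"
  echo "fingerprint: $(ssh-keygen -lf "$dir/deploy_key.pub")"
  echo "once both are stored, delete the local copies: rm -rf $dir"
}

# With no argument the file only defines the functions above.
if [ "${1:-}" = "--generate" ]; then main; fi
```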

What if I’m not on a Mac?

It looks like a common approach on Linux is to alias pbcopy (and pbpaste) to less ergonomic commands that are more commonly available there, like this.

# ~/.bashrc (or whatever is appropriate for you)
alias pbcopy='xclip -selection clipboard'
alias pbpaste='xclip -selection clipboard -o'

The API token

The inverse, where you want the pipeline to drive the forge, is afforded by an API token that you generate in Codeberg. For instance, this allows release-plz to push version bump changes from the pipeline back into the repo.

Settings (menu under your avatar) → Applications → Generate Token

Note: you’ll need write:repository granted for this token.


Note created on March 22, 2026
