From 8480308d1dca6d90ce04bf2baab894e140a27552 Mon Sep 17 00:00:00 2001
From: Agent <agent@example.com>
Date: Tue, 7 Apr 2026 17:11:59 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20fix:=20edge=20entrypoint=20clones=20disi?=
 =?UTF-8?q?nto=20repo=20without=20auth=20=E2=80=94=20fails=20when=20Forgej?=
 =?UTF-8?q?o=20requires=20authentication=20(#353)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .woodpecker/ci.yml             | 13 +++++++++++++
 docker/edge/entrypoint-edge.sh |  9 +++++----
 lib/generators.sh              |  1 +
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/.woodpecker/ci.yml b/.woodpecker/ci.yml
index 08ae24d..fc2f12a 100644
--- a/.woodpecker/ci.yml
+++ b/.woodpecker/ci.yml
@@ -8,6 +8,19 @@
 when:
   event: [push, pull_request]
 
+# Override default clone to authenticate against Forgejo using FORGE_TOKEN.
+# Required because Forgejo is configured with REQUIRE_SIGN_IN, so anonymous
+# git clones fail with exit code 128. FORGE_TOKEN is injected globally via
+# WOODPECKER_ENVIRONMENT in docker-compose.yml (generated by lib/generators.sh).
+clone:
+  git:
+    image: alpine/git
+    commands:
+      - AUTH_URL=$(printf '%s' "$CI_REPO_CLONE_URL" | sed "s|://|://token:$FORGE_TOKEN@|")
+      - git clone --depth 1 "$AUTH_URL" .
+      - git fetch --depth 1 origin "$CI_COMMIT_REF"
+      - git checkout FETCH_HEAD
+
 steps:
   - name: shellcheck
     image: koalaman/shellcheck-alpine:stable
diff --git a/docker/edge/entrypoint-edge.sh b/docker/edge/entrypoint-edge.sh
index 26ae442..d74ae35 100755
--- a/docker/edge/entrypoint-edge.sh
+++ b/docker/edge/entrypoint-edge.sh
@@ -4,12 +4,13 @@ set -euo pipefail
 # Set USER before sourcing env.sh (Alpine doesn't set USER)
 export USER="${USER:-root}"
 
-DISINTO_VERSION="${DISINTO_VERSION:-main}"
-DISINTO_REPO="${FORGE_URL:-http://forgejo:3000}/${FORGE_REPO:-disinto-admin/disinto}.git"
+FORGE_URL="${FORGE_URL:-http://forgejo:3000}"
+FORGE_REPO="${FORGE_REPO:-disinto-admin/disinto}"
 
-# Shallow clone at the pinned version
+# Shallow clone at the pinned version (inject token to support auth-required Forgejo)
 if [ ! -d /opt/disinto/.git ]; then
-  git clone --depth 1 --branch "$DISINTO_VERSION" "$DISINTO_REPO" /opt/disinto
+  _auth_url=$(printf '%s' "$FORGE_URL" | sed "s|://|://token:${FORGE_TOKEN}@|")
+  git clone --depth 1 --branch "${DISINTO_VERSION:-main}" "${_auth_url}/${FORGE_REPO}.git" /opt/disinto
 fi
 
 # Start dispatcher in background
diff --git a/lib/generators.sh b/lib/generators.sh
index 753de2e..20369a0 100644
--- a/lib/generators.sh
+++ b/lib/generators.sh
@@ -79,6 +79,7 @@ services:
       WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-}
       WOODPECKER_DATABASE_DRIVER: sqlite3
       WOODPECKER_DATABASE_DATASOURCE: /var/lib/woodpecker/woodpecker.sqlite
+      WOODPECKER_ENVIRONMENT: "FORGE_TOKEN:${FORGE_TOKEN}"
     depends_on:
       - forgejo
     networks: