From 93e4648124380ad5bc986a90c7ced02464ddfb40 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 7 Apr 2026 14:05:45 +0000 Subject: [PATCH] fix: authenticate Woodpecker CI clone step when Forgejo requires sign-in (#353) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Forgejo with REQUIRE_SIGN_IN blocks anonymous git clones (exit code 128). Add WOODPECKER_ENVIRONMENT to inject FORGE_TOKEN into all pipeline steps, and override the default clone step in ci.yml to use an authenticated URL built from FORGE_TOKEN — bypassing the expired stored OAuth token. Co-Authored-By: Claude Sonnet 4.6 --- .woodpecker/ci.yml | 13 +++++++++++++ lib/generators.sh | 1 + 2 files changed, 14 insertions(+) diff --git a/.woodpecker/ci.yml b/.woodpecker/ci.yml index 08ae24d..fc2f12a 100644 --- a/.woodpecker/ci.yml +++ b/.woodpecker/ci.yml @@ -8,6 +8,19 @@ when: event: [push, pull_request] +# Override default clone to authenticate against Forgejo using FORGE_TOKEN. +# Required because Forgejo is configured with REQUIRE_SIGN_IN, so anonymous +# git clones fail with exit code 128. FORGE_TOKEN is injected globally via +# WOODPECKER_ENVIRONMENT in docker-compose.yml (generated by lib/generators.sh). +clone: + git: + image: alpine/git + commands: + - AUTH_URL=$(printf '%s' "$CI_REPO_CLONE_URL" | sed "s|://|://token:$FORGE_TOKEN@|") + - git clone --depth 1 "$AUTH_URL" . + - git fetch --depth 1 origin "$CI_COMMIT_REF" + - git checkout FETCH_HEAD + steps: - name: shellcheck image: koalaman/shellcheck-alpine:stable diff --git a/lib/generators.sh b/lib/generators.sh index 753de2e..20369a0 100644 --- a/lib/generators.sh +++ b/lib/generators.sh @@ -79,6 +79,7 @@ services: WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-} WOODPECKER_DATABASE_DRIVER: sqlite3 WOODPECKER_DATABASE_DATASOURCE: /var/lib/woodpecker/woodpecker.sqlite + WOODPECKER_ENVIRONMENT: "FORGE_TOKEN:${FORGE_TOKEN}" depends_on: - forgejo networks: