fix: resolve all CI review blockers for forgejo admin bootstrap (#1069)

bin/disinto

@@ -1057,7 +1057,7 @@ _disinto_init_nomad() {
           echo "Error: deploy.sh must run as root and sudo is not installed" >&2
           exit 1
         fi
-        sudo -n -- "${deploy_cmd[@]}" || exit $?
+        sudo -n --preserve-env=FORGE_ADMIN_PASS,FORGE_TOKEN,FORGE_URL -- "${deploy_cmd[@]}" || exit $?
       fi
 
       # Post-deploy: bootstrap Forgejo admin user after forgejo deployment
@@ -1073,7 +1073,7 @@ _disinto_init_nomad() {
               echo "Error: forgejo-bootstrap.sh must run as root and sudo is not installed" >&2
               exit 1
             fi
-            sudo -n -- "$bootstrap_script" || exit $?
+            sudo -n --preserve-env=FORGE_ADMIN_PASS,FORGE_TOKEN,FORGE_URL -- "$bootstrap_script" || exit $?
           fi
         else
           echo "warning: forgejo-bootstrap.sh not found or not executable" >&2

lib/init/nomad/deploy.sh

@@ -263,12 +263,12 @@ for job_name in "${JOBS[@]}"; do
   if ! _wait_job_running "$job_name" "$job_timeout"; then
     log "WARNING: deployment for job '${job_name}' did not reach successful state — continuing with remaining jobs"
     FAILED_JOBS+=("$job_name")
-  fi
-
-  # 5. Run post-deploy scripts
+  else
+    # 5. Run post-deploy scripts (only if job reached healthy state)
     if ! _run_post_deploy "$job_name"; then
       die "post-deploy script failed for job '${job_name}'"
     fi
+  fi
 done
 
 if [ "$DRY_RUN" -eq 1 ]; then

lib/init/nomad/forgejo-bootstrap.sh

@@ -95,7 +95,7 @@ fi
 if [ -z "$FORGE_TOKEN" ]; then
   log "reading FORGE_TOKEN from Vault at kv/disinto/shared/forge/token"
   _hvault_default_env
-  token_raw="$(hvault_get_or_empty "kv/data/disinto/shared/forge/token" 2>/dev/null) || true"
+  token_raw="$(hvault_get_or_empty "kv/data/disinto/shared/forge/token" 2>/dev/null)" || true
   if [ -n "$token_raw" ]; then
     FORGE_TOKEN="$(printf '%s' "$token_raw" | jq -r '.data.data.token // empty' 2>/dev/null)" || true
   fi
@@ -105,29 +105,34 @@ if [ -z "$FORGE_TOKEN" ]; then
   log "forge token loaded from Vault"
 fi
 
-# ── Step 1/2: Check if admin user already exists ─────────────────────────────
-log "── Step 1/2: check if admin user '${FORGE_ADMIN_USER}' exists ──"
-
-# Search for the user via the public API (no auth needed for search)
-user_search_raw=$(curl -sf --max-time 10 \
-  "${FORGE_URL}/api/v1/users/search?q=${FORGE_ADMIN_USER}&limit=1" 2>/dev/null) || {
-  # If search fails (e.g., Forgejo not ready yet), we'll handle it
-  log "warning: failed to search users (Forgejo may not be ready yet)"
-  user_search_raw=""
-}
+# ── Step 1/3: Check if admin user already exists ─────────────────────────────
+log "── Step 1/3: check if admin user '${FORGE_ADMIN_USER}' exists ──"
 
+# Use exact match via GET /api/v1/users/{username} (returns 404 if absent)
+user_lookup_raw=$(curl -sf --max-time 10 \
+  "${FORGE_URL}/api/v1/users/${FORGE_ADMIN_USER}" 2>/dev/null) || {
+  # 404 means user doesn't exist
+  if [ $? -eq 7 ]; then
+    log "admin user '${FORGE_ADMIN_USER}' not found"
     admin_user_exists=false
     user_id=""
+  else
+    # Other curl errors (e.g., network, Forgejo down)
+    log "warning: failed to lookup user (Forgejo may not be ready yet)"
+    admin_user_exists=false
+    user_id=""
+  fi
+}
 
-if [ -n "$user_search_raw" ]; then
-  user_id=$(printf '%s' "$user_search_raw" | jq -r '.data[0].id // empty' 2>/dev/null) || true
-  if [ -n "$user_id" ]; then
+if [ -n "$user_lookup_raw" ]; then
   admin_user_exists=true
+  user_id=$(printf '%s' "$user_lookup_raw" | jq -r '.id // empty' 2>/dev/null) || true
+  if [ -n "$user_id" ]; then
     log "admin user '${FORGE_ADMIN_USER}' already exists (user_id: ${user_id})"
   fi
 fi
 
-# ── Step 2/2: Create admin user if needed ────────────────────────────────────
+# ── Step 2/3: Create admin user if needed ────────────────────────────────────
 if [ "$admin_user_exists" = false ]; then
   log "creating admin user '${FORGE_ADMIN_USER}'"