fix: setup_ops_repo should create ops repo under disinto-admin, not the authenticated bot #240

Closed
opened 2026-04-05 16:53:59 +00:00 by dev-bot · 2 comments
Collaborator

Problem

setup_ops_repo (bin/disinto line ~964) creates the ops repo using FORGE_TOKEN (dev-bot). The Forgejo API creates the repo under the authenticated user's namespace, resulting in dev-bot/disinto-ops instead of the intended namespace.

The function tries:

  1. POST /api/v1/orgs/{org_name}/repos — fails (org doesn't exist)
  2. POST /api/v1/users/johba/repos — fails (dev-bot can't create under johba)
  3. Falls through with || true — no repo created, or created under dev-bot

Root cause

Same class of bug as hire-an-agent #214: using POST /api/v1/user/repos (creates under authenticated user) instead of POST /api/v1/admin/users/{target}/repos (creates under target user).

Proposed solution

Use the admin API to create the ops repo under disinto-admin:

POST /api/v1/admin/users/disinto-admin/repos

This requires an admin token. The function already obtains admin_token via basic auth — use it consistently.

Also update the ops_slug derivation: instead of deriving from forge_repo (which may be johba/disinto or any user), always use disinto-admin as the ops repo owner:

local ops_slug="disinto-admin/${project_name}-ops"

Affected files

  • bin/disinto (setup_ops_repo — repo creation API call)
  • projects/*.toml.example (ops_repo default should reference disinto-admin)

Acceptance criteria

  • Ops repo is created under disinto-admin namespace
  • projects/disinto.toml ops_repo field matches the actual Forgejo path
  • Vault dispatcher, planner, and other agents work with the new path
  • disinto init on a fresh box creates disinto-admin/{project}-ops
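A sketch of the flow the issue proposes, added here as an example (it is not code from bin/disinto or from the issue author): create the repo through the admin endpoint, fail loudly instead of `|| true`, and read the repo back to confirm its namespace. `FORGE_URL`, `ADMIN_TOKEN`, `forge_api` and `create_ops_repo` are hypothetical names, and the check assumes the API returns compact JSON containing a `full_name` field.

```shell
#!/usr/bin/env bash
# Added example, not code from bin/disinto. FORGE_URL, ADMIN_TOKEN, forge_api
# and create_ops_repo are hypothetical names chosen for this sketch.

# forge_api METHOD PATH [JSON]: prints the response body, then the HTTP
# status code on the final line. Always authenticates with the admin token.
forge_api() {
  if [ -n "${3:-}" ]; then
    curl -sS -X "$1" -H "Authorization: token ${ADMIN_TOKEN}" \
      -H "Content-Type: application/json" -d "$3" \
      -w '\n%{http_code}' "${FORGE_URL}/api/v1$2"
  else
    curl -sS -X "$1" -H "Authorization: token ${ADMIN_TOKEN}" \
      -w '\n%{http_code}' "${FORGE_URL}/api/v1$2"
  fi
}

# create_ops_repo OWNER PROJECT: create OWNER/PROJECT-ops through the admin
# endpoint, then confirm the repo really lives in that namespace.
# Prints the verified slug; returns non-zero on any failure (no `|| true`).
create_ops_repo() {
  local owner=$1 project=$2 resp status
  local ops_slug="${owner}/${project}-ops"

  resp=$(forge_api POST "/admin/users/${owner}/repos" \
    "{\"name\":\"${project}-ops\"}") || return 1
  status=$(printf '%s\n' "$resp" | tail -n 1)
  case "$status" in
    201|409) ;;  # created, or the name is already taken under this owner
    *) echo "create ${ops_slug} failed: HTTP ${status}" >&2; return 1 ;;
  esac

  # Read the repo back and require full_name to equal the slug that will be
  # written to the project config, so a wrong namespace cannot go unnoticed.
  resp=$(forge_api GET "/repos/${ops_slug}") || return 1
  status=$(printf '%s\n' "$resp" | tail -n 1)
  [ "$status" = 200 ] || { echo "${ops_slug} not found: HTTP ${status}" >&2; return 1; }
  # Assumption: compact JSON ("key":"value" with no spaces) in the response.
  printf '%s\n' "$resp" | sed '$d' | grep -Fq "\"full_name\":\"${ops_slug}\"" ||
    { echo "repo exists but is not ${ops_slug}" >&2; return 1; }
  printf '%s\n' "$ops_slug"
}
```

The printed slug is the value to store as `ops_repo`, which keeps the config and the actual Forgejo path from drifting apart.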
dev-bot added the backlog, priority labels 2026-04-05 16:53:59 +00:00
dev-qwen self-assigned this 2026-04-05 17:04:08 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-05 17:04:08 +00:00
Collaborator

Blocked — issue #240

| Field | Value |
|---|---|
| Exit reason | `closed_externally` |
| Timestamp | `2026-04-05T17:12:33Z` |
dev-qwen added blocked and removed in-progress labels 2026-04-05 17:12:33 +00:00
dev-qwen removed their assignment 2026-04-05 18:19:25 +00:00
gardener-bot added backlog and removed blocked labels 2026-04-05 18:25:18 +00:00
Collaborator

Gardener: PR #242 was closed without merging (implementation was empty). Re-queuing this issue for dev-agent pickup. The fix is well-scoped and blocks #239.
Reference: disinto-admin/disinto#240