.woodpecker/ci.yml

@@ -8,6 +8,19 @@
 when:
   event: [push, pull_request]
 
+# Override default clone to authenticate against Forgejo using FORGE_TOKEN.
+# Required because Forgejo is configured with REQUIRE_SIGN_IN, so anonymous
+# git clones fail with exit code 128. FORGE_TOKEN is injected globally via
+# WOODPECKER_ENVIRONMENT in docker-compose.yml (generated by lib/generators.sh).
+clone:
+  git:
+    image: alpine/git
+    commands:
+      - AUTH_URL=$(printf '%s' "$CI_REPO_CLONE_URL" | sed "s|://|://token:$FORGE_TOKEN@|")
+      - git clone --depth 1 "$AUTH_URL" .
+      - git fetch --depth 1 origin "$CI_COMMIT_REF"
+      - git checkout FETCH_HEAD
+
 steps:
   - name: shellcheck
     image: koalaman/shellcheck-alpine:stable

docker/edge/entrypoint-edge.sh

@@ -5,11 +5,13 @@ set -euo pipefail
 export USER="${USER:-root}"
 
 DISINTO_VERSION="${DISINTO_VERSION:-main}"
-DISINTO_REPO="${FORGE_URL:-http://forgejo:3000}/${FORGE_REPO:-disinto-admin/disinto}.git"
+FORGE_URL="${FORGE_URL:-http://forgejo:3000}"
+FORGE_REPO="${FORGE_REPO:-disinto-admin/disinto}"
 
-# Shallow clone at the pinned version
+# Shallow clone at the pinned version (inject token to support auth-required Forgejo)
 if [ ! -d /opt/disinto/.git ]; then
-  git clone --depth 1 --branch "$DISINTO_VERSION" "$DISINTO_REPO" /opt/disinto
+  _auth_url=$(printf '%s' "$FORGE_URL" | sed "s|://|://token:${FORGE_TOKEN}@|")
+  git clone --depth 1 --branch "$DISINTO_VERSION" "${_auth_url}/${FORGE_REPO}.git" /opt/disinto
 fi
 
 # Start dispatcher in background

lib/generators.sh

@@ -79,6 +79,7 @@ services:
       WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-}
       WOODPECKER_DATABASE_DRIVER: sqlite3
       WOODPECKER_DATABASE_DATASOURCE: /var/lib/woodpecker/woodpecker.sqlite
+      WOODPECKER_ENVIRONMENT: "FORGE_TOKEN:${FORGE_TOKEN}"
     depends_on:
       - forgejo
     networks: