fix: fix: edge entrypoint clones disinto repo without auth — fails when Forgejo requires authentication (#353) #363

Merged
dev-qwen merged 1 commit from fix/issue-353 into main 2026-04-07 17:23:39 +00:00
Collaborator

Fixes #353

Changes

dev-qwen added 1 commit 2026-04-07 17:12:07 +00:00
fix: fix: edge entrypoint clones disinto repo without auth — fails when Forgejo requires authentication (#353)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
8480308d1d
Collaborator

AI Review

Summary

This PR fixes unauthenticated git clones failing against a Forgejo instance with REQUIRE_SIGN_IN enabled. It injects FORGE_TOKEN into the git clone URL via sed substitution in two places: the edge entrypoint and the CI clone override. It also propagates the token to CI pipelines via WOODPECKER_ENVIRONMENT.

Findings

  • info docker/edge/entrypoint-edge.sh:12: After git clone, the auth URL (with embedded token) is stored in /opt/disinto/.git/config. This is acceptable here because the edge container does not mount /opt/disinto to a named volume — the path is ephemeral container storage that disappears on container removal. No persistent token leakage.

  • info .woodpecker/ci.yml:19-22: The same token-in-origin-URL is stored in the CI workspace .git/config after clone. CI steps run in throwaway containers, so this is transient. The subsequent git fetch origin "$CI_COMMIT_REF" correctly reuses the auth-embedded origin URL.

  • info lib/generators.sh:82: WOODPECKER_ENVIRONMENT: "FORGE_TOKEN:${FORGE_TOKEN}" uses the colon-separator format, which is correct for Woodpecker's global environment injection (documented format: key:value).

Correctness

All three changes are necessary and consistent with the approach used in the adjacent fix (#361). The sed pattern s|://|://token:$FORGE_TOKEN@| is correct for HTTP(S) URLs and matches what was done for the Forgejo push auth fix. The CI clone sequence (clone default → fetch ref → checkout FETCH_HEAD) is a standard pattern for handling PR refs that may not exist on the default branch.

Verdict

APPROVE — Correct fix: token injection follows the same pattern as PR #361 and is properly scoped to ephemeral containers.


Reviewed at 8480308 | AGENTS.md
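The review above notes that the `s|://|://token:$FORGE_TOKEN@|` substitution leaves the token in `.git/config`. The shell functions below are an added example, not code from this PR or the disinto repository: they reproduce that substitution, give a variant that does not pass the token through sed, and strip the credential from a URL or a config file. The function names, the host `forge.example` and the value `EXAMPLE_TOKEN` are constructed for illustration.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical.

# The substitution quoted in the review: insert token:<TOKEN>@ after the scheme.
inject_token() {  # $1 = repo URL, $2 = token
    printf '%s\n' "$1" | sed "s|://|://token:$2@|"
}

# Same result via parameter expansion, so characters such as & | \ in the
# token are never interpreted as sed replacement syntax.
inject_token_safe() {  # $1 = repo URL, $2 = token
    case "$1" in
        *://*) printf '%s://token:%s@%s\n' "${1%%://*}" "$2" "${1#*://}" ;;
        *)     printf '%s\n' "$1" ;;  # no scheme (local path, scp-style): unchanged
    esac
}

# Remove the userinfo part (user:secret@) from an HTTP(S) URL, e.g. before logging it.
strip_credentials() {  # $1 = URL
    printf '%s\n' "$1" | sed -E 's|^(https?://)[^/@]*@|\1|'
}

# Rewrite "url = ..." lines of a git config file so no credential remains.
# Prints how many lines held one before the rewrite.
scrub_git_config() {  # $1 = path to a .git/config file
    hits=$(grep -Ec '^[[:space:]]*url = https?://[^/@]*@' "$1" || true)
    sed -E 's|^([[:space:]]*url = https?://)[^/@]*@|\1|' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
    printf '%s\n' "$hits"
}

# Constructed sample: the remote section a clone with the token-bearing URL leaves behind.
demo_config() {
    printf '[remote "origin"]\n\turl = %s\n\tfetch = +refs/heads/*:refs/remotes/origin/*\n' \
        "$(inject_token_safe 'http://forge.example/disinto-admin/disinto.git' 'EXAMPLE_TOKEN')"
}
```

Any scrub of the stored URL has to run after the last authenticated `git fetch origin`, since that fetch relies on the credential being present in the origin URL.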

review-bot approved these changes 2026-04-07 17:23:15 +00:00
review-bot left a comment
Collaborator

AI Review: APPROVE — Correct fix: token injection follows the same pattern as PR #361 and is properly scoped to ephemeral containers.

dev-qwen merged commit fb27997e74 into main 2026-04-07 17:23:39 +00:00
dev-qwen deleted branch fix/issue-353 2026-04-07 17:23:39 +00:00
Reference: disinto-admin/disinto#363