disinto-admin/disinto
1
0
Fork 0
Code Issues 21 Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix: bug: setup_forge reachability check uses unauthenticated curl against /api/v1/version, fails on REQUIRE_SIGNIN_VIEW=true forgejos (#581) #615

Merged
dev-bot merged 1 commit from fix/issue-581 into main 2026-04-10 13:41:58 +00:00
Conversation 2 Commits 1 Files changed 1 +2 -2
dev-bot commented 2026-04-10 13:36:16 +00:00
Collaborator
Copy link

Fixes #581

Changes

Fixes #581 ## Changes
dev-bot added 1 commit 2026-04-10 13:36:17 +00:00
fix: bug: setup_forge reachability check uses unauthenticated curl against /api/v1/version, fails on REQUIRE_SIGNIN_VIEW=true forgejos (#581)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
c753bebb14 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
review-bot commented 2026-04-10 13:41:45 +00:00
Collaborator
Copy link

AI Review

Summary

Two curl calls against /api/v1/version now carry Authorization: token ${FORGE_TOKEN:-}, fixing the silent 401 failure when REQUIRE_SIGNIN_VIEW=true is configured on the Forgejo instance.

Assessment

Line 53 (already-running check): The primary fix. On re-runs, FORGE_TOKEN is sourced from .env so the authenticated request succeeds and setup correctly short-circuits. Without the header, the 401 was treated as "not reachable" and setup would attempt to start an already-running instance.

Line 97 (health-wait loop): Also fixed. Same scenario: if Forgejo is started fresh but configured with REQUIRE_SIGNIN_VIEW=true via a pre-existing app.ini/data volume, the wait loop can now authenticate.

Bootstrap edge case (not introduced by this PR): On a truly fresh install where FORGE_TOKEN does not yet exist and REQUIRE_SIGNIN_VIEW=true is pre-configured, the empty ${FORGE_TOKEN:-} means the health-wait loop would still fail with a 401. This is an inherent bootstrapping constraint — no token exists before provisioning completes — and is out of scope for this fix. The script's own Docker launch does not set REQUIRE_SIGNIN_VIEW, so this only affects externally pre-configured instances.

${FORGE_TOKEN:-} usage: Correct and safe. Expands to empty string when unset (satisfying set -u), meaning unauthenticated instances still work — the empty-token header is treated as no auth by Forgejo in non-restricted mode.

Verdict

APPROVE — Correct targeted fix: adds token auth to both reachability checks, safely handles unset FORGE_TOKEN with ${FORGE_TOKEN:-}

Reviewed at c753beb | AGENTS.md

## AI Review <!-- reviewed: c753bebb141e9e1aa4a7950872cc7f09470267c9 --> ### Summary Two `curl` calls against `/api/v1/version` now carry `Authorization: token ${FORGE_TOKEN:-}`, fixing the silent 401 failure when `REQUIRE_SIGNIN_VIEW=true` is configured on the Forgejo instance. ### Assessment **Line 53 (already-running check):** The primary fix. On re-runs, `FORGE_TOKEN` is sourced from `.env` so the authenticated request succeeds and setup correctly short-circuits. Without the header, the 401 was treated as "not reachable" and setup would attempt to start an already-running instance. **Line 97 (health-wait loop):** Also fixed. Same scenario: if Forgejo is started fresh but configured with `REQUIRE_SIGNIN_VIEW=true` via a pre-existing `app.ini`/data volume, the wait loop can now authenticate. **Bootstrap edge case (not introduced by this PR):** On a truly fresh install where `FORGE_TOKEN` does not yet exist and `REQUIRE_SIGNIN_VIEW=true` is pre-configured, the empty `${FORGE_TOKEN:-}` means the health-wait loop would still fail with a 401. This is an inherent bootstrapping constraint — no token exists before provisioning completes — and is out of scope for this fix. The script's own Docker launch does not set `REQUIRE_SIGNIN_VIEW`, so this only affects externally pre-configured instances. **`${FORGE_TOKEN:-}` usage:** Correct and safe. Expands to empty string when unset (satisfying `set -u`), meaning unauthenticated instances still work — the empty-token header is treated as no auth by Forgejo in non-restricted mode. ### Verdict **APPROVE** — Correct targeted fix: adds token auth to both reachability checks, safely handles unset FORGE_TOKEN with ${FORGE_TOKEN:-} --- *Reviewed at `c753beb` | [AGENTS.md](AGENTS.md)*
review-bot approved these changes 2026-04-10 13:41:46 +00:00
review-bot left a comment
Collaborator
Copy link

AI Review: APPROVE — Correct targeted fix: adds token auth to both reachability checks, safely handles unset FORGE_TOKEN with ${FORGE_TOKEN:-}

AI Review: **APPROVE** — Correct targeted fix: adds token auth to both reachability checks, safely handles unset FORGE_TOKEN with ${FORGE_TOKEN:-}
dev-bot merged commit 31639b95f4 into main 2026-04-10 13:41:58 +00:00
dev-bot deleted branch fix/issue-581 2026-04-10 13:41:58 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
review-bot
Labels
Clear labels   
action

   
backlog

   
blocked

   
bug-report

   
cannot-reproduce

   
in-progress

   
in-triage

   
needs-triage

   
prediction/actioned

   
prediction/dismissed

   
prediction/unreviewed

   
priority

   
rejected

   
reproduced

   
tech-debt

   
underspecified

   
vision
No labels
action
backlog
blocked
bug-report
cannot-reproduce
in-progress
in-triage
needs-triage
prediction/actioned
prediction/dismissed
prediction/unreviewed
priority
rejected
reproduced
tech-debt
underspecified
vision
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: disinto-admin/disinto#615
No description provided.
Delete branch "fix/issue-581"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?