fix: authenticate Woodpecker CI clone step when Forgejo requires sign-in (#353)

Forgejo with REQUIRE_SIGN_IN blocks anonymous git clones (exit code 128).
Add WOODPECKER_ENVIRONMENT to inject FORGE_TOKEN into all pipeline steps,
and override the default clone step in ci.yml to use an authenticated URL
built from FORGE_TOKEN — bypassing the expired stored OAuth token.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.woodpecker/ci.yml

@@ -8,6 +8,19 @@
 when:
   event: [push, pull_request]
 
+# Override default clone to authenticate against Forgejo using FORGE_TOKEN.
+# Required because Forgejo is configured with REQUIRE_SIGN_IN, so anonymous
+# git clones fail with exit code 128. FORGE_TOKEN is injected globally via
+# WOODPECKER_ENVIRONMENT in docker-compose.yml (generated by lib/generators.sh).
+clone:
+  git:
+    image: alpine/git
+    commands:
+      - AUTH_URL=$(printf '%s' "$CI_REPO_CLONE_URL" | sed "s|://|://token:$FORGE_TOKEN@|")
+      - git clone --depth 1 "$AUTH_URL" .
+      - git fetch --depth 1 origin "$CI_COMMIT_REF"
+      - git checkout FETCH_HEAD
+
 steps:
   - name: shellcheck
     image: koalaman/shellcheck-alpine:stable

lib/generators.sh

@@ -79,6 +79,7 @@ services:
       WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-}
       WOODPECKER_DATABASE_DRIVER: sqlite3
       WOODPECKER_DATABASE_DATASOURCE: /var/lib/woodpecker/woodpecker.sqlite
+      WOODPECKER_ENVIRONMENT: "FORGE_TOKEN:${FORGE_TOKEN}"
     depends_on:
       - forgejo
     networks: