release: bump-formula job has been failing on every release #107

Closed
opened 2026-05-27 02:20:41 +00:00 by coilysiren · 2 comments
Owner

Symptom

The `bump-formula` job in `.forgejo/workflows/release.yml` has failed on every release for many consecutive runs - confirmed across at least 5 recent task entries (head SHAs `a05c43a`, `31e98ca`, `3a088ac`, `26fd54c`, `838fe52`). The `release` job succeeds and tags get cut (v2.42.0 is live), but `Formula/coily.rb` is stuck pointing at `v2.37.2 / 298d627d8d39e4b7f53767b8604141173023cca7`.

Net effect: brew users on `coily upgrade` see no update even though forgejo releases are progressing. Manual formula bump is the workaround.

What we know

  • The job uses `coilysiren/agentic-os/actions/bump-formula@main`.
  • `permissions: contents: write` is declared on the job.
  • It runs `runs-on: docker`.
  • The forgejo action runner is healthy: sibling jobs (`release`, `windows-assets`) on the same runner succeed.

Next steps

  • Pull the actual failure log from the forgejo Actions UI (API endpoints I tried returned 404).
  • Diff the action against a known-working consumer.
  • Once root cause is fixed, manually bump `Formula/coily.rb` to `v2.42.0` if it has not already drifted further.

For now, manually bumping `Formula/coily.rb` to `v2.42.0` so the current release is installable via brew.

Author
Owner

Pulled the actual failure log via the new `coily ops forgejo actions task logs --repo coilysiren/coily --id 97` verb (#109). Forgejo task 97, bump-formula step:

```
::error::forgejo formula bump failed: HTTP 500
{"message":"","url":"https://forgejo.coilysiren.me/api/swagger"}
```

So my earlier auth-scope hypothesis was wrong. The runner reaches Forgejo, the PUT to `/api/v1/repos/coilysiren/coily/contents/Formula/coily.rb` is accepted (no 401/403), and Forgejo itself returns HTTP 500 with an empty `message`. The body's `url` field is just the generic swagger-help link Forgejo's catch-all error path emits, not a real redirect.

Rules out:

  • Network / DNS from the runner pod to forgejo (request landed)
  • Token format and scope (would have been 401 or 403)
  • Action script logic up to and including the PUT call

Candidates to chase next:

  • Forgejo bug in the Contents PUT path with this exact payload shape (`message + content + sha + branch` for an existing file)
  • A payload field this Forgejo version rejects silently with 500 (e.g. base64 line-wrap, missing `committer`, etc.)
  • Something subdir-specific to `Formula/` in the Contents API

Reproduction plan when time allows: hit the same endpoint manually with the SSM PAT and the same payload, drop fields one at a time, narrow which addition flips it from 200 to 500. Track that under this issue.

Author
Owner

Reproduced from the Mac with the SSM PAT, same payload shape and same endpoint:

```
PUT https://forgejo.coilysiren.me/api/v1/repos/coilysiren/coily/contents/Formula/coily.rb
body: {message, content, sha, branch}
-> 200 OK
```

It commits cleanly (diag commit `6d7fecab1524a1a723bb5154dd9e3a7d17ed1908` on `main`, no-op tree, `[skip ci]` so it didn't trigger a release).

That isolates the failure to the runner's auto-issued `${{ github.token }}`. The action defaults `forgejo_token: ${{ github.token }}`. With the SSM-stored PAT in the Authorization header, the same payload returns 200. With the runner's auto-issued token, the same payload returns 500 with an empty message body.

Fix options:

  1. Pass an explicit PAT to the action from a Forgejo Actions secret. The action already supports `forgejo_token` as an input; this is the documented escape hatch. Lowest-risk fix.
  2. File upstream against Forgejo for "Contents API PUT returns 500 instead of 401/403 when the auto-issued workflow token has insufficient scope." The empty-message 500 is itself a Forgejo bug regardless of auth - it should surface a real error.

Recommendation: do (1) now, file (2) as a separate upstream issue. The action's input default is fine; coily's release.yml just needs to set `forgejo_token: ${{ secrets.FORGEJO_PAT }}` (or whatever the secret is named) on the bump-formula step, after stashing the SSM-stored token as a Forgejo Actions secret on the repo.

Cleanup note: the no-op diag commit on main is harmless (`[skip ci]`, empty tree). Leaving it rather than force-pushing.
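
Fix option (1) from the comment above, written out as a workflow fragment. This is an added example, not coily's actual `release.yml`: the secret name `FORGEJO_PAT` is the comment's own placeholder, and any other inputs the action takes are omitted.

```yaml
# .forgejo/workflows/release.yml (fragment, constructed for illustration)
jobs:
  bump-formula:
    runs-on: docker
    permissions:
      contents: write
    steps:
      # Before: no forgejo_token input, so the action used its default,
      # ${{ github.token }} (the runner's auto-issued token), and the
      # Contents API PUT on Formula/coily.rb came back HTTP 500.
      #
      # - uses: coilysiren/agentic-os/actions/bump-formula@main

      # After: pass the PAT explicitly from a Forgejo Actions secret.
      # The same PAT returned 200 for this PUT in the manual reproduction.
      - uses: coilysiren/agentic-os/actions/bump-formula@main
        with:
          forgejo_token: ${{ secrets.FORGEJO_PAT }}
      # Note: @main is a mutable ref, and this step now hands a stored PAT
      # to whatever code that ref resolves to at run time. Pinning the
      # action to a commit SHA keeps the code that sees the secret fixed.
```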

Reference
coilyco-bridge/coily#107