Loosen GitHub verified-signatures branch rule to unblock the mirror #114

New issue

Open

opened 2026-05-27 03:35:44 +00:00 by coilysiren · 0 comments

coilysiren commented 2026-05-27 03:35:44 +00:00

Owner

Copy link

Problem

GitHub branch protection on coilysiren/coily refs/heads/main requires verified signatures on every commit. With the migration to Forgejo-canonical + Forgejo->GitHub mirror (coily#113), the GitHub side becomes a read-only mirror. Forgejo accepts unsigned commits (e.g. those generated by the in-pod release workflow), and those unsigned commits then block the mirror push to GitHub.

Concrete blocker: commit 6d7fecab1524a1a723bb5154dd9e3a7d17ed1908 on Forgejo main is unsigned. Local git push origin main to GitHub is rejected:

remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: - Commits must have verified signatures.
remote:   Found 1 violation:
remote:   6d7fecab1524a1a723bb5154dd9e3a7d17ed1908

Fix shape

Loosen or remove the verified-signatures branch rule at https://github.com/coilysiren/coily/rules?ref=refs%2Fheads%2Fmain. Since GitHub is now a read-only mirror of Forgejo, the signing requirement is vestigial - it was protecting a write surface that no longer exists. Forgejo enforces its own write-side discipline.

Two options:

1. Remove the verified-signatures rule entirely. Cleanest, matches the read-only-mirror posture.
2. Add an exemption for the bypass actor of the mirror PAT (the user/bot whose token pushes from Forgejo Actions).

Out of scope

Whether to keep any other GitHub branch protections. Most are vestigial now but a few might still serve as belt-and-suspenders (force-push prevention against a compromised mirror PAT, for example).

Related

• coily#113 (release pipeline to Forgejo Actions)
• Encountered during the 2026-05-26 security-review fix chain.

Note

Kai is working this in a separate session.

**Problem** GitHub branch protection on `coilysiren/coily` `refs/heads/main` requires verified signatures on every commit. With the migration to Forgejo-canonical + Forgejo->GitHub mirror (coily#113), the GitHub side becomes a read-only mirror. Forgejo accepts unsigned commits (e.g. those generated by the in-pod release workflow), and those unsigned commits then block the mirror push to GitHub. Concrete blocker: commit `6d7fecab1524a1a723bb5154dd9e3a7d17ed1908` on Forgejo main is unsigned. Local `git push origin main` to GitHub is rejected: ``` remote: error: GH013: Repository rule violations found for refs/heads/main. remote: - Commits must have verified signatures. remote: Found 1 violation: remote: 6d7fecab1524a1a723bb5154dd9e3a7d17ed1908 ``` **Fix shape** Loosen or remove the verified-signatures branch rule at https://github.com/coilysiren/coily/rules?ref=refs%2Fheads%2Fmain. Since GitHub is now a read-only mirror of Forgejo, the signing requirement is vestigial - it was protecting a write surface that no longer exists. Forgejo enforces its own write-side discipline. Two options: 1. Remove the verified-signatures rule entirely. Cleanest, matches the read-only-mirror posture. 2. Add an exemption for the bypass actor of the mirror PAT (the user/bot whose token pushes from Forgejo Actions). **Out of scope** Whether to keep any other GitHub branch protections. Most are vestigial now but a few might still serve as belt-and-suspenders (force-push prevention against a compromised mirror PAT, for example). **Related** - coily#113 (release pipeline to Forgejo Actions) - Encountered during the 2026-05-26 security-review fix chain. **Note** Kai is working this in a separate session.

coilysiren added the

P1

label 2026-05-31 01:52:38 +00:00

coilysiren added

P2

and removed

P1

labels 2026-05-31 06:59:43 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dispatch/issue-306

args-file-mcporter

claude/coily-docker-image-FF2Rw

claude/busy-almeida-0168e4

v2.50.0

v2.49.1

v2.49.0

v2.48.0

v2.47.0

v2.46.0

v2.45.0

v2.44.1

v2.44.0

v2.43.2

v2.43.1

v2.43.0

v2.42.0

v2.41.0

v2.40.2

v2.40.1

v2.40.0

v2.39.0

v2.37.2

v2.38.0

v2.23.0

v2.37.1

v2.37.0

v2.36.0

v2.35.0

v2.34.0

v2.33.0

v2.32.0

v2.31.0

v2.30.0

v2.29.2

v2.29.1

v2.29.0

v2.28.0

v2.27.0

v2.26.0

v2.25.0

v2.24.0

v2.22.0

v2.21.0

v2.20.0

v2.19.0

v2.18.1

v2.18.0

v2.17.0

v2.16.0

v2.15.2

v2.15.1

v2.15.0

v2.14.0

v2.13.1

v2.13.0

v2.12.0

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.1

v2.7.0

v2.6.0

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.0

v2.0.1

v2.0.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.0

v1.13.0

v1.12.0

v1.11.0

v1.10.0

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.8

v1.8.7

v1.8.6

v1.8.5

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.8

v1.7.7

v1.7.6

v1.7.5

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.123

v1.5.122

v1.5.121

v1.5.120

v1.5.119

v1.5.118

v1.5.117

v1.5.116

v1.5.115

v1.5.114

v1.5.113

v1.5.112

v1.5.111

v1.5.110

v1.5.109

v1.5.108

v1.5.107

v1.5.106

v1.5.105

v1.5.104

v1.5.103

v1.5.102

v1.5.101

v1.5.100

v1.5.99

v1.5.98

v1.5.97

v1.5.96

v1.5.95

v1.5.94

v1.5.93

v1.5.92

v1.5.91

v1.5.90

v1.5.89

v1.5.88

v1.5.87

v1.5.86

v1.5.85

v1.5.84

v1.5.83

v1.5.82

v1.5.81

v1.5.80

v1.5.79

v1.5.78

v1.5.77

v1.5.76

v1.5.75

v1.5.74

v1.5.73

v1.5.72

v1.5.71

v1.5.70

v1.5.69

v1.5.68

v1.5.67

v1.5.66

v1.5.65

v1.5.64

v1.5.63

v1.5.62

v1.5.61

v1.5.60

v1.5.59

v1.5.58

v1.5.57

v1.5.56

v1.5.55

v1.5.54

v1.5.53

v1.5.52

v1.5.51

v1.5.50

v1.5.49

v1.5.48

v1.5.47

v1.5.46

v1.5.45

v1.5.44

v1.5.43

v1.5.42

v1.5.41

v1.5.40

v1.5.39

v1.5.38

v1.5.37

v1.5.36

v1.5.35

v1.5.34

v1.5.33

v1.5.32

v1.5.31

v1.5.30

v1.5.29

v1.5.28

v1.5.27

v1.5.26

v1.5.25

v1.5.24

v1.5.23

v1.5.22

v1.5.21

v1.5.20

v1.5.19

v1.5.18

v1.5.17

v1.5.16

v1.5.15

v1.5.14

v1.5.13

v1.5.12

v1.5.11

v1.5.10

v1.5.9

v1.5.8

v1.5.7

v1.5.6

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.1

v1.4.0

v1.3.0

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.0

v0.0.38

v0.0.37

v0.0.36

v0.0.35

v0.0.34

v0.0.33

v0.0.32

v0.0.31

v0.0.30

v0.0.29

v0.0.28

v0.0.27

v0.0.26

v0.0.25

v0.0.24

v0.0.23

v0.0.22

v0.0.21

v0.0.20

v0.0.19

v0.0.18

v0.0.17

v0.0.16

v0.0.15

v0.0.14

v0.0.13

v0.0.12

v0.0.11

v0.0.10

v0.0.9

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

tools-latest

Labels

Clear labels

  

P0

now / blocking / urgent

  

P1

next / important

  

P2

backlog / will do

  

P3

someday / low

  

P4

icebox / frozen / reopen if it becomes real

No labels

P0

P1

P2

P3

P4

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilyco-bridge/coily#114

No description provided.