coily ops forgejo: use HTTPS for all verbs, drop SSH #139

New issue

Open

opened 2026-05-28 07:58:33 +00:00 by coilysiren · 1 comment

coilysiren commented 2026-05-28 07:58:33 +00:00

Owner

Copy link

Problem

Some coily ops forgejo verbs reach the Forgejo instance over SSH (in-pod
kubectl exec / SSH to kai-server) rather than the HTTP API. None of them should.
Every forgejo verb should use HTTPS against the Forgejo API.

Why

SSH-backed verbs fail in any session without an SSH key loaded into the agent.
Hit today: coily ops forgejo actions task logs returns

ssh: no authentication method available (ssh-agent unreachable and no key path)

because it does an in-pod log read over SSH to kai-server. This made CI logs
unreadable from a Claude session and blocked root-causing a release failure.
By contrast, issue create, release create/list, and actions task list
already work over HTTP from the same session - proving the HTTPS path is viable.

Scope

• Audit every coily ops forgejo verb for SSH / kubectl exec dependence.
• Convert each to the Forgejo HTTP API (token from SSM /forgejo/api-token,
  same auth pattern the working HTTP verbs already use).
• Known offender: actions task logs (in-pod decoded-log read). The Forgejo
  Actions API exposes task logs over HTTP - use that instead of SSH.

Acceptance

• No coily ops forgejo verb requires SSH or an in-pod exec.
• actions task logs works from a session with no SSH key loaded.
• Each converted verb authenticates via the SSM-stored API token over HTTPS.

## Problem Some `coily ops forgejo` verbs reach the Forgejo instance over SSH (in-pod `kubectl exec` / SSH to kai-server) rather than the HTTP API. None of them should. Every forgejo verb should use HTTPS against the Forgejo API. ## Why SSH-backed verbs fail in any session without an SSH key loaded into the agent. Hit today: `coily ops forgejo actions task logs` returns ``` ssh: no authentication method available (ssh-agent unreachable and no key path) ``` because it does an in-pod log read over SSH to kai-server. This made CI logs unreadable from a Claude session and blocked root-causing a release failure. By contrast, `issue create`, `release create/list`, and `actions task list` already work over HTTP from the same session - proving the HTTPS path is viable. ## Scope * Audit every `coily ops forgejo` verb for SSH / `kubectl exec` dependence. * Convert each to the Forgejo HTTP API (token from SSM `/forgejo/api-token`, same auth pattern the working HTTP verbs already use). * Known offender: `actions task logs` (in-pod decoded-log read). The Forgejo Actions API exposes task logs over HTTP - use that instead of SSH. ## Acceptance * No `coily ops forgejo` verb requires SSH or an in-pod exec. * `actions task logs` works from a session with no SSH key loaded. * Each converted verb authenticates via the SSM-stored API token over HTTPS.

coilysiren referenced this issue 2026-05-28 08:08:03 +00:00

release automation: bump-formula fails every run and push did not trigger a new run #137

coilysiren referenced this issue 2026-05-28 08:22:45 +00:00

release automation: bump-formula fails every run and push did not trigger a new run #137

coilysiren commented 2026-05-28 08:25:01 +00:00

Author

Owner

Copy link

Scope: actions task logs converted; admin/doctor verbs deferred

Audited every coily ops forgejo verb against the live Forgejo 15.0.2 API.

Converted to HTTPS (this change)

• actions task logs - was the motivating offender (in-pod cat | zstd -d
  over SSH). Forgejo's API v1 has no log endpoint, so it now drives the
  same web route the Actions UI uses:
  POST /{owner}/{repo}/actions/runs/{run}/jobs/{job}/attempt/{n} with a
  logCursors body, resolving the task id to its run+job by name and
  reassembling the per-step log lines. Works from a session with no SSH key.

Cannot convert - no HTTP API exists

• doctor check - forgejo doctor is a CLI-only maintenance command. No API.
• admin auth list - no auth-sources listing endpoint in the API.

These two have to stay on the in-pod forgejo CLI path (SSH / kubectl exec)
unless we drop the verbs entirely.

Convertible later (deferred)

• admin user list - GET /admin/users exists; clean conversion, just not
  in scope for this pass.
• admin user create - POST /admin/users exists but takes a password in the
  body. Today the verb uses in-pod --random-password so the secret never
  reaches coily's argv/audit log; converting changes that credential model and
  deserves its own discussion.

Proposal

Close this issue once actions task logs lands. Track admin user list
conversion as a small follow-up, and treat doctor check / admin auth list
as accepted SSH carve-outs (no API to convert to).

## Scope: `actions task logs` converted; admin/doctor verbs deferred Audited every `coily ops forgejo` verb against the live Forgejo 15.0.2 API. ### Converted to HTTPS (this change) * `actions task logs` - was the motivating offender (in-pod `cat | zstd -d` over SSH). Forgejo's API v1 has **no** log endpoint, so it now drives the same web route the Actions UI uses: `POST /{owner}/{repo}/actions/runs/{run}/jobs/{job}/attempt/{n}` with a `logCursors` body, resolving the task id to its run+job by name and reassembling the per-step log lines. Works from a session with no SSH key. ### Cannot convert - no HTTP API exists * `doctor check` - `forgejo doctor` is a CLI-only maintenance command. No API. * `admin auth list` - no auth-sources listing endpoint in the API. These two have to stay on the in-pod `forgejo` CLI path (SSH / kubectl exec) unless we drop the verbs entirely. ### Convertible later (deferred) * `admin user list` - `GET /admin/users` exists; clean conversion, just not in scope for this pass. * `admin user create` - `POST /admin/users` exists but takes a password in the body. Today the verb uses in-pod `--random-password` so the secret never reaches coily's argv/audit log; converting changes that credential model and deserves its own discussion. ### Proposal Close this issue once `actions task logs` lands. Track `admin user list` conversion as a small follow-up, and treat `doctor check` / `admin auth list` as accepted SSH carve-outs (no API to convert to).

coilysiren referenced this issue from a commit 2026-05-28 08:32:41 +00:00

feat(forgejo): read actions task logs over HTTPS, drop SSH

coilysiren added the

P1

label 2026-05-31 01:52:36 +00:00

coilysiren added

P2

and removed

P1

labels 2026-05-31 06:59:41 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dispatch/issue-306

args-file-mcporter

claude/coily-docker-image-FF2Rw

claude/busy-almeida-0168e4

v2.50.0

v2.49.1

v2.49.0

v2.48.0

v2.47.0

v2.46.0

v2.45.0

v2.44.1

v2.44.0

v2.43.2

v2.43.1

v2.43.0

v2.42.0

v2.41.0

v2.40.2

v2.40.1

v2.40.0

v2.39.0

v2.37.2

v2.38.0

v2.23.0

v2.37.1

v2.37.0

v2.36.0

v2.35.0

v2.34.0

v2.33.0

v2.32.0

v2.31.0

v2.30.0

v2.29.2

v2.29.1

v2.29.0

v2.28.0

v2.27.0

v2.26.0

v2.25.0

v2.24.0

v2.22.0

v2.21.0

v2.20.0

v2.19.0

v2.18.1

v2.18.0

v2.17.0

v2.16.0

v2.15.2

v2.15.1

v2.15.0

v2.14.0

v2.13.1

v2.13.0

v2.12.0

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.1

v2.7.0

v2.6.0

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.0

v2.0.1

v2.0.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.0

v1.13.0

v1.12.0

v1.11.0

v1.10.0

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.8

v1.8.7

v1.8.6

v1.8.5

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.8

v1.7.7

v1.7.6

v1.7.5

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.123

v1.5.122

v1.5.121

v1.5.120

v1.5.119

v1.5.118

v1.5.117

v1.5.116

v1.5.115

v1.5.114

v1.5.113

v1.5.112

v1.5.111

v1.5.110

v1.5.109

v1.5.108

v1.5.107

v1.5.106

v1.5.105

v1.5.104

v1.5.103

v1.5.102

v1.5.101

v1.5.100

v1.5.99

v1.5.98

v1.5.97

v1.5.96

v1.5.95

v1.5.94

v1.5.93

v1.5.92

v1.5.91

v1.5.90

v1.5.89

v1.5.88

v1.5.87

v1.5.86

v1.5.85

v1.5.84

v1.5.83

v1.5.82

v1.5.81

v1.5.80

v1.5.79

v1.5.78

v1.5.77

v1.5.76

v1.5.75

v1.5.74

v1.5.73

v1.5.72

v1.5.71

v1.5.70

v1.5.69

v1.5.68

v1.5.67

v1.5.66

v1.5.65

v1.5.64

v1.5.63

v1.5.62

v1.5.61

v1.5.60

v1.5.59

v1.5.58

v1.5.57

v1.5.56

v1.5.55

v1.5.54

v1.5.53

v1.5.52

v1.5.51

v1.5.50

v1.5.49

v1.5.48

v1.5.47

v1.5.46

v1.5.45

v1.5.44

v1.5.43

v1.5.42

v1.5.41

v1.5.40

v1.5.39

v1.5.38

v1.5.37

v1.5.36

v1.5.35

v1.5.34

v1.5.33

v1.5.32

v1.5.31

v1.5.30

v1.5.29

v1.5.28

v1.5.27

v1.5.26

v1.5.25

v1.5.24

v1.5.23

v1.5.22

v1.5.21

v1.5.20

v1.5.19

v1.5.18

v1.5.17

v1.5.16

v1.5.15

v1.5.14

v1.5.13

v1.5.12

v1.5.11

v1.5.10

v1.5.9

v1.5.8

v1.5.7

v1.5.6

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.1

v1.4.0

v1.3.0

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.0

v0.0.38

v0.0.37

v0.0.36

v0.0.35

v0.0.34

v0.0.33

v0.0.32

v0.0.31

v0.0.30

v0.0.29

v0.0.28

v0.0.27

v0.0.26

v0.0.25

v0.0.24

v0.0.23

v0.0.22

v0.0.21

v0.0.20

v0.0.19

v0.0.18

v0.0.17

v0.0.16

v0.0.15

v0.0.14

v0.0.13

v0.0.12

v0.0.11

v0.0.10

v0.0.9

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

tools-latest

Labels

Clear labels

  

P0

now / blocking / urgent

  

P1

next / important

  

P2

backlog / will do

  

P3

someday / low

  

P4

icebox / frozen / reopen if it becomes real

No labels

P0

P1

P2

P3

P4

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilyco-bridge/coily#139

No description provided.