sync-lockdown: skip ci suppresses mirror-to-github, GitHub lockdown files lag #142

New issue

Open

opened 2026-05-28 08:44:23 +00:00 by coilysiren · 0 comments

coilysiren commented

2026-05-28 08:44:23 +00:00

Owner

Context

The sync-lockdown job in .forgejo/workflows/release.yml fans the canonical .claude lockdown files out to catalog repos via the Forgejo Contents API, committing with [skip ci] (matching bump-formula).

Problem

[skip ci] keeps the bot commits from re-triggering downstream pipelines, which is what we want for release-loop safety. But it also suppresses each target repo's mirror-to-github workflow. So a lockdown bump lands on Forgejo immediately and on GitHub only at that repo's next non-[skip ci] push. GitHub lockdown files lag, sometimes indefinitely for low-traffic repos.

This is the same eventual-consistency the Formula bump already has, so it may be acceptable. Filing to make the tradeoff explicit and decide.

Options

Accept the lag. GitHub is a read-only mirror; the fail-closed boundary that matters is on Forgejo (canonical) and on local clones, both of which get the bump immediately. Document and move on.
Drop [skip ci] for lockdown commits and accept that each target repo's release/tag-bump pipeline fires on a lockdown-only commit (version churn across ~26 repos per coily release).
Keep [skip ci] but have sync-lockdown also trigger the mirror explicitly, e.g. a follow-up Forgejo API call per repo or a dedicated mirror nudge, so GitHub stays current without re-running release pipelines.

Relates to agentic-os-kai#457 (the canonical-bump design).

**Context** The `sync-lockdown` job in `.forgejo/workflows/release.yml` fans the canonical `.claude` lockdown files out to catalog repos via the Forgejo Contents API, committing with `[skip ci]` (matching `bump-formula`). **Problem** `[skip ci]` keeps the bot commits from re-triggering downstream pipelines, which is what we want for release-loop safety. But it also suppresses each target repo's `mirror-to-github` workflow. So a lockdown bump lands on Forgejo immediately and on GitHub only at that repo's next non-`[skip ci]` push. GitHub lockdown files lag, sometimes indefinitely for low-traffic repos. This is the same eventual-consistency the Formula bump already has, so it may be acceptable. Filing to make the tradeoff explicit and decide. **Options** - Accept the lag. GitHub is a read-only mirror; the fail-closed boundary that matters is on Forgejo (canonical) and on local clones, both of which get the bump immediately. Document and move on. - Drop `[skip ci]` for lockdown commits and accept that each target repo's release/tag-bump pipeline fires on a lockdown-only commit (version churn across ~26 repos per coily release). - Keep `[skip ci]` but have `sync-lockdown` also trigger the mirror explicitly, e.g. a follow-up Forgejo API call per repo or a dedicated mirror nudge, so GitHub stays current without re-running release pipelines. Relates to agentic-os-kai#457 (the canonical-bump design).

coilysiren referenced this issue

2026-05-28 09:04:57 +00:00

Add sync-lockdown release job and fix reserved FORGEJO_PAT secret name #143

coilysiren added the

label

2026-05-31 01:52:36 +00:00

coilysiren added

and removed

labels

2026-05-31 06:59:40 +00:00