coily GitHub and Forgejo mirrors have forked divergent feature work on both sides #148

New issue

Closed

opened 2026-05-28 11:04:07 +00:00 by coilysiren · 2 comments

coilysiren commented 2026-05-28 11:04:07 +00:00

Owner

Copy link

Symptom

coily's origin has two push URLs (GitHub + Forgejo mirror), but git push origin main succeeds on GitHub and is rejected (fetch first) on Forgejo. The two remotes have forked, not merely fallen behind.

As of 2026-05-28, fetching both main tips shows divergent history:

• Forgejo-only: dca52c5 chore(formula): bump to v2.46.0 [skip ci], 2822824 fix(forgejo): rename max var to avoid revive redefines-builtin-id, 2865833 feat(forgejo): add fj alias for coily ops forgejo, ebf6574 lockdown: sync to coily v2.45.0 [skip ci], 3a2ca1c chore(formula): bump to v2.45.0 [skip ci], df5a17f feat: add sync-lockdown release job, fix reserved FORGEJO_PAT secret name, 8be1ccd feat(forgejo): read actions task logs over HTTPS, drop SSH, plus a 9b96635 lockdown-sync.
• GitHub-only: f6e9ba5 (this isolation-inversion bump), 1e4faf6 (expose consult surface), 96d828f (a .claude lockdown sync).

So real feature work (fj alias, forgejo actions-log reader, sync-lockdown release job) lives only on Forgejo, while the consult surface + dispatch isolation work lives only on GitHub.

Impact

• closes #N trailers pushed to GitHub never auto-close the matching Forgejo issue (had to close coilysiren/coily#145 manually).
• Dispatch worktrees are cut from the GitHub-tracking local checkout, so dispatched workers build on the GitHub line and silently miss the Forgejo-only feature work (and vice versa).
• Any blunt "force-sync one onto the other" loses one side's commits.

Likely cause

Automated jobs ([skip ci] formula/lockdown syncs) and some feature commits land directly on Forgejo main without replaying to GitHub, while developer/dispatch work lands on GitHub. Neither remote is a strict ancestor of the other anymore.

Ask

Decide the single write source of truth for coily (GitHub vs Forgejo), reconcile the two main histories (merge the divergent commits, or replay one side), and fix the automation so the mirror stops forking. Sibling drift in cli-guard is filed as coilysiren/cli-guard#36. Surfaced while landing coilysiren/coily#145.

## Symptom `coily`'s `origin` has two push URLs (GitHub + Forgejo mirror), but `git push origin main` succeeds on GitHub and is rejected (`fetch first`) on Forgejo. The two remotes have **forked**, not merely fallen behind. As of 2026-05-28, fetching both `main` tips shows divergent history: - Forgejo-only: `dca52c5 chore(formula): bump to v2.46.0 [skip ci]`, `2822824 fix(forgejo): rename max var to avoid revive redefines-builtin-id`, `2865833 feat(forgejo): add fj alias for coily ops forgejo`, `ebf6574 lockdown: sync to coily v2.45.0 [skip ci]`, `3a2ca1c chore(formula): bump to v2.45.0 [skip ci]`, `df5a17f feat: add sync-lockdown release job, fix reserved FORGEJO_PAT secret name`, `8be1ccd feat(forgejo): read actions task logs over HTTPS, drop SSH`, plus a `9b96635` lockdown-sync. - GitHub-only: `f6e9ba5` (this isolation-inversion bump), `1e4faf6` (expose consult surface), `96d828f` (a .claude lockdown sync). So real feature work (fj alias, forgejo actions-log reader, sync-lockdown release job) lives only on Forgejo, while the consult surface + dispatch isolation work lives only on GitHub. ## Impact - `closes #N` trailers pushed to GitHub never auto-close the matching Forgejo issue (had to close coilysiren/coily#145 manually). - Dispatch worktrees are cut from the GitHub-tracking local checkout, so dispatched workers build on the GitHub line and silently miss the Forgejo-only feature work (and vice versa). - Any blunt "force-sync one onto the other" loses one side's commits. ## Likely cause Automated jobs (`[skip ci]` formula/lockdown syncs) and some feature commits land directly on Forgejo `main` without replaying to GitHub, while developer/dispatch work lands on GitHub. Neither remote is a strict ancestor of the other anymore. ## Ask Decide the single write source of truth for `coily` (GitHub vs Forgejo), reconcile the two `main` histories (merge the divergent commits, or replay one side), and fix the automation so the mirror stops forking. Sibling drift in cli-guard is filed as coilysiren/cli-guard#36. Surfaced while landing coilysiren/coily#145.

coilysiren referenced this issue from a commit 2026-05-28 11:10:44 +00:00

Merge Forgejo main into GitHub main: reconcile forked mirrors (#148)

coilysiren commented 2026-05-28 11:11:32 +00:00

Author

Owner

Copy link

History reconciled (merge 9ee11f8)

Merged the two forked main tips with a merge commit whose parents are the GitHub tip (f6e9ba5) and the Forgejo tip (dca52c5). Because each tip is an ancestor of the merge, pushing it fast-forwarded both remotes - no commits lost, no force-push.

Both remotes now point at 9ee11f8 (verified via git ls-remote on each). Both feature lines are reachable from HEAD:

• Forgejo-only work preserved: fj alias, forgejo actions-log reader over HTTPS, sync-lockdown release job, formula v2.45/2.46 bumps, lockdown syncs.
• GitHub-only work preserved: consult surface, dispatch isolation inversion (#145).

The file sets were disjoint except .claude/settings.json. That is a generated lockdown artifact, so I resolved it by keeping the stricter render (the larger fine-grained deny list + vault Read allows). The only delta vs the Forgejo render was Forgejo's Bash(mcporter:*) allow entry, which is dropped - losing an allow fails safe (mcporter will prompt), never fail-open. I did not regenerate settings.json from the merged binary: that would rewrite the lockdown permission posture, which is out of scope here and a separate lockdown-sync concern.

Merged tree verified green: tidy, build, test, vet, lint all pass (Forgejo's ops_forgejo* code builds fine against the GitHub-side cli-guard bump).

Still open: the automation that lets the mirrors fork

This merge unifies history once, but it does not stop the recurrence. The root cause stands: automated jobs ([skip ci] formula/lockdown syncs) and some feature commits land directly on one remote without replaying to the other, so the next such commit re-forks main. Keeping this issue open, narrowed to that fix:

• Pick one write source of truth for coily (GitHub vs Forgejo) and make the other a strict read-only mirror, or
• Wire the automated jobs / release workflow to push to both remotes (the same way a manual git push origin main does, via the two origin push URLs), or run a scheduled mirror-sync.

Two follow-on details worth a look while fixing the automation:

1. The committed .claude/settings.json render drifts from what the current merged binary produces (coarser Bash(git:*) vs per-subcommand denies, etc.). That is the recurring "sync committed .claude lockdown files to coily vX render" chore, orthogonal to the mirror fork but visible here.
2. Sibling drift in cli-guard is filed as coilysiren/cli-guard#36 and has the same automation root cause.

## History reconciled (merge `9ee11f8`) Merged the two forked `main` tips with a merge commit whose parents are the GitHub tip (`f6e9ba5`) and the Forgejo tip (`dca52c5`). Because each tip is an ancestor of the merge, pushing it **fast-forwarded both remotes** - no commits lost, no force-push. Both remotes now point at `9ee11f8` (verified via `git ls-remote` on each). Both feature lines are reachable from `HEAD`: - Forgejo-only work preserved: `fj` alias, forgejo actions-log reader over HTTPS, sync-lockdown release job, formula v2.45/2.46 bumps, lockdown syncs. - GitHub-only work preserved: consult surface, dispatch isolation inversion (#145). The file sets were disjoint except `.claude/settings.json`. That is a generated lockdown artifact, so I resolved it by keeping the stricter render (the larger fine-grained deny list + vault Read allows). The only delta vs the Forgejo render was Forgejo's `Bash(mcporter:*)` *allow* entry, which is dropped - losing an allow fails safe (mcporter will prompt), never fail-open. I did **not** regenerate `settings.json` from the merged binary: that would rewrite the lockdown permission posture, which is out of scope here and a separate lockdown-sync concern. Merged tree verified green: `tidy`, `build`, `test`, `vet`, `lint` all pass (Forgejo's `ops_forgejo*` code builds fine against the GitHub-side cli-guard bump). ## Still open: the automation that lets the mirrors fork This merge unifies history once, but it does **not** stop the recurrence. The root cause stands: automated jobs (`[skip ci]` formula/lockdown syncs) and some feature commits land directly on **one** remote without replaying to the other, so the next such commit re-forks `main`. Keeping this issue open, narrowed to that fix: - Pick one write source of truth for `coily` (GitHub vs Forgejo) and make the other a strict read-only mirror, or - Wire the automated jobs / release workflow to push to **both** remotes (the same way a manual `git push origin main` does, via the two `origin` push URLs), or run a scheduled mirror-sync. Two follow-on details worth a look while fixing the automation: 1. The committed `.claude/settings.json` render drifts from what the current merged binary produces (coarser `Bash(git:*)` vs per-subcommand denies, etc.). That is the recurring "sync committed .claude lockdown files to coily vX render" chore, orthogonal to the mirror fork but visible here. 2. Sibling drift in cli-guard is filed as coilysiren/cli-guard#36 and has the same automation root cause.

coilysiren commented 2026-05-30 05:43:13 +00:00

Author

Owner

Copy link

Merged into #5 in the 2026-05-29 backlog burn-down. Same multi-URL origin push divergence (GitHub vs Forgejo) Reopen if it should stand alone.

Merged into #5 in the 2026-05-29 backlog burn-down. Same multi-URL origin push divergence (GitHub vs Forgejo) Reopen if it should stand alone.

coilysiren closed this issue 2026-05-30 05:43:13 +00:00

coilysiren added the

P4

label 2026-05-31 01:52:36 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dispatch/issue-306

args-file-mcporter

claude/coily-docker-image-FF2Rw

claude/busy-almeida-0168e4

v2.50.0

v2.49.1

v2.49.0

v2.48.0

v2.47.0

v2.46.0

v2.45.0

v2.44.1

v2.44.0

v2.43.2

v2.43.1

v2.43.0

v2.42.0

v2.41.0

v2.40.2

v2.40.1

v2.40.0

v2.39.0

v2.37.2

v2.38.0

v2.23.0

v2.37.1

v2.37.0

v2.36.0

v2.35.0

v2.34.0

v2.33.0

v2.32.0

v2.31.0

v2.30.0

v2.29.2

v2.29.1

v2.29.0

v2.28.0

v2.27.0

v2.26.0

v2.25.0

v2.24.0

v2.22.0

v2.21.0

v2.20.0

v2.19.0

v2.18.1

v2.18.0

v2.17.0

v2.16.0

v2.15.2

v2.15.1

v2.15.0

v2.14.0

v2.13.1

v2.13.0

v2.12.0

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.1

v2.7.0

v2.6.0

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.0

v2.0.1

v2.0.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.0

v1.13.0

v1.12.0

v1.11.0

v1.10.0

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.8

v1.8.7

v1.8.6

v1.8.5

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.8

v1.7.7

v1.7.6

v1.7.5

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.123

v1.5.122

v1.5.121

v1.5.120

v1.5.119

v1.5.118

v1.5.117

v1.5.116

v1.5.115

v1.5.114

v1.5.113

v1.5.112

v1.5.111

v1.5.110

v1.5.109

v1.5.108

v1.5.107

v1.5.106

v1.5.105

v1.5.104

v1.5.103

v1.5.102

v1.5.101

v1.5.100

v1.5.99

v1.5.98

v1.5.97

v1.5.96

v1.5.95

v1.5.94

v1.5.93

v1.5.92

v1.5.91

v1.5.90

v1.5.89

v1.5.88

v1.5.87

v1.5.86

v1.5.85

v1.5.84

v1.5.83

v1.5.82

v1.5.81

v1.5.80

v1.5.79

v1.5.78

v1.5.77

v1.5.76

v1.5.75

v1.5.74

v1.5.73

v1.5.72

v1.5.71

v1.5.70

v1.5.69

v1.5.68

v1.5.67

v1.5.66

v1.5.65

v1.5.64

v1.5.63

v1.5.62

v1.5.61

v1.5.60

v1.5.59

v1.5.58

v1.5.57

v1.5.56

v1.5.55

v1.5.54

v1.5.53

v1.5.52

v1.5.51

v1.5.50

v1.5.49

v1.5.48

v1.5.47

v1.5.46

v1.5.45

v1.5.44

v1.5.43

v1.5.42

v1.5.41

v1.5.40

v1.5.39

v1.5.38

v1.5.37

v1.5.36

v1.5.35

v1.5.34

v1.5.33

v1.5.32

v1.5.31

v1.5.30

v1.5.29

v1.5.28

v1.5.27

v1.5.26

v1.5.25

v1.5.24

v1.5.23

v1.5.22

v1.5.21

v1.5.20

v1.5.19

v1.5.18

v1.5.17

v1.5.16

v1.5.15

v1.5.14

v1.5.13

v1.5.12

v1.5.11

v1.5.10

v1.5.9

v1.5.8

v1.5.7

v1.5.6

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.1

v1.4.0

v1.3.0

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.0

v0.0.38

v0.0.37

v0.0.36

v0.0.35

v0.0.34

v0.0.33

v0.0.32

v0.0.31

v0.0.30

v0.0.29

v0.0.28

v0.0.27

v0.0.26

v0.0.25

v0.0.24

v0.0.23

v0.0.22

v0.0.21

v0.0.20

v0.0.19

v0.0.18

v0.0.17

v0.0.16

v0.0.15

v0.0.14

v0.0.13

v0.0.12

v0.0.11

v0.0.10

v0.0.9

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

tools-latest

Labels

Clear labels

  

P0

now / blocking / urgent

  

P1

next / important

  

P2

backlog / will do

  

P3

someday / low

  

P4

icebox / frozen / reopen if it becomes real

No labels

P0

P1

P2

P3

P4

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilyco-bridge/coily#148

No description provided.