Port caddy-shortcuts daily cron from GHA to Forgejo Actions #118

Closed
opened 2026-05-25 05:15:45 +00:00 by coilysiren (Owner) · 1 comment

Final workflow in the GHA→Forgejo migration push following #115.

The GHA version used GH GraphQL `createCommitOnBranch` so commits would be auto-signed by GitHub's web-flow key (required by the GH repo ruleset for signed commits). Forgejo has no equivalent path. We trade the signature badge for not coupling to GitHub's API.

New workflow uses the auto-injected Forgejo `secrets.GITHUB_TOKEN` for the `git push` back to the Forgejo repo, and a separately-configured Forgejo Actions secret `GH_PAT` (synced from SSM `/github/pat`) for the script's reads against sibling GH repos.

Known trade-off: runner-side commits land on Forgejo only. GH catches up on Kai's next manual push via the local fan-out remote. If this proves annoying, switch on a server-side Forgejo→GH push-mirror later.
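The commit-back step the workflow relies on, written out here as an added example (this is not the repository's own workflow or script): a POSIX shell function that stages the regenerated file, skips the commit when the daily run produced no diff, and pushes using the Forgejo-issued `GITHUB_TOKEN` passed through an inline credential helper rather than embedded in the remote URL. The bot identity, the file name, the remote URL and the `x-access-token` username are assumptions, as is Forgejo accepting the token as the HTTP basic-auth password.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumes the job runs on a Forgejo
# Actions runner with a checked-out working tree and a Forgejo-issued token in
# $GITHUB_TOKEN that has write access to the repository being pushed to.

# Commit one regenerated file and push it back.
# Returns 0 whether or not there was anything to commit; non-zero on a git failure.
# Usage: commit_back <workdir> <file> <message> <remote_url> [branch]
commit_back() {
  workdir=$1 file=$2 message=$3 remote=$4 branch=${5:-main}

  # Bot identity for the runner-side commit (assumed name/address).
  git -C "$workdir" config user.name  "forgejo-actions[bot]"
  git -C "$workdir" config user.email "actions@forgejo.invalid"
  git -C "$workdir" add -- "$file"

  # Nothing staged: the daily run produced no diff, so do not push an empty commit.
  if git -C "$workdir" diff --cached --quiet; then
    echo "commit_back: no changes to $file"
    return 0
  fi

  git -C "$workdir" commit -q -m "$message"

  # Hand the token to git through a one-shot credential helper instead of a
  # https://user:token@host URL, so it never lands in .git/config, the reflog
  # or the job log. Assumption: Forgejo accepts the token as the basic-auth
  # password with any username; "x-access-token" is just a placeholder.
  git -C "$workdir" \
    -c credential.helper='!f() { echo "username=x-access-token"; echo "password=${GITHUB_TOKEN}"; }; f' \
    push -q "$remote" "HEAD:refs/heads/$branch"
}

# Example invocation from a workflow step (remote URL is an assumption):
# commit_back "$PWD" coily.yaml "chore: daily caddy-shortcuts refresh" \
#   "https://forgejo.coilysiren.me/coilyco-flight-deck/infrastructure.git" main
```

The `diff --cached --quiet` check is what keeps a no-op run from creating a commit every day, and because the token only ever passes through the helper's stdout to git, nothing the runner persists or prints contains it.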

Comment by coilysiren (Author, Owner):

Revised: zero GitHub coupling. The script now reads sibling `coily.yaml` from `forgejo.coilysiren.me` via the Forgejo API. The auto-injected `GITHUB_TOKEN` is a Forgejo-issued token in this context (`runs-on: docker` on the in-cluster runners), used for both the sibling reads and the commit-back push. No GH PAT involved. The `GH_PAT` Forgejo Actions secret created earlier has been deleted.

Reference
coilyco-flight-deck/infrastructure#118