agentic-os release bump-pin blocked: CI_RELEASE_TOKEN must be a real-user PAT, not forgejo-actions #343

Closed
opened 2026-06-15 17:32:15 +00:00 by coilysiren · 0 comments
Owner

Problem

agentic-os release CI fails on the bump-pin job (HTTP 500 on the Forgejo Contents API PUT). Root cause from the Forgejo pod logs:

POST /api/internal/hook/pre-receive/.../agentic-os  ->  403 Forbidden
remote: Forgejo: User 'forgejo-actions' is not allowed to push to branch 'main'
 ! [remote rejected] ... -> main (pre-receive hook declined)

bump-pin rewrites DEFAULT_REV and commits it to main via the Contents API. The push lands as the built-in forgejo-actions Actions user, which Forgejo 15.x bars from pushing branch refs. There is no instance setting to lift this (it is the Forgejo 16 workflow-permissions: feature, per forgejo#3571). The only fix is a real-user write:repository PAT in CI_RELEASE_TOKEN. main is unprotected, so any write user suffices.

Commit b3213f7 wired bump-pin to CI_RELEASE_TOKEN, but the org Actions secret currently resolves to forgejo-actions, not a real PAT - so the push is still rejected.

Fix

scripts/provision-ci-release-token.sh mints a fresh write:repository PAT (e.g. coilysiren), restashes SSM /forgejo/ci-release-token, sets the coilyco-flight-deck org Actions secret CI_RELEASE_TOKEN, and verifies by bumping DEFAULT_REV to the latest tag. SSM.md updated in agentic-os-kai.

## Problem agentic-os `release` CI fails on the `bump-pin` job (HTTP 500 on the Forgejo Contents API PUT). Root cause from the Forgejo pod logs: ``` POST /api/internal/hook/pre-receive/.../agentic-os -> 403 Forbidden remote: Forgejo: User 'forgejo-actions' is not allowed to push to branch 'main' ! [remote rejected] ... -> main (pre-receive hook declined) ``` `bump-pin` rewrites `DEFAULT_REV` and commits it to `main` via the Contents API. The push lands as the built-in `forgejo-actions` Actions user, which Forgejo 15.x bars from pushing branch refs. There is **no instance setting** to lift this (it is the Forgejo 16 workflow-`permissions:` feature, per [forgejo#3571](https://codeberg.org/forgejo/forgejo/issues/3571)). The only fix is a real-user `write:repository` PAT in `CI_RELEASE_TOKEN`. `main` is unprotected, so any write user suffices. Commit `b3213f7` wired `bump-pin` to `CI_RELEASE_TOKEN`, but the org Actions secret currently resolves to `forgejo-actions`, not a real PAT - so the push is still rejected. ## Fix `scripts/provision-ci-release-token.sh` mints a fresh `write:repository` PAT (e.g. coilysiren), restashes SSM `/forgejo/ci-release-token`, sets the `coilyco-flight-deck` org Actions secret `CI_RELEASE_TOKEN`, and verifies by bumping `DEFAULT_REV` to the latest tag. SSM.md updated in agentic-os-kai.
Sign in to join this conversation.
No description provided.