caddy-shortcuts regenerate job fails on every daily run since 2026-05-25 #380
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#380
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Symptom
The
regeneratejob in.forgejo/workflows/caddy-shortcuts.yml(daily cron17 6 * * *) has failed on every scheduled run since 2026-05-25. The only success on record is the very first run (task id 7, 2026-05-25 05:19Z). 12+ consecutive daily failures since.Recent failing runs: 1265 (
eb6e5de), 1080 (b390eb0), 581, 487, 382, 352, 332, 256, 230, 207, 138, 28, 10.Impact
Tailnet shortcut snippets under
caddy/sites/never regenerate. There are real pending changes stuck behind this: a local dry-run shows two stale snippets that should be deleted but never land:Diagnosis so far
scripts/generate-caddy-shortcuts.pyruns clean locally (exit 0) both with and withoutFORGEJO_TOKEN, so the failure is in the CI environment / workflow, not the generator. Forgejo's task-log API returned 404 for the api-token, so step-level logs were not pulled programmatically.Likely suspects (in order)
git push origin HEAD:mainstep. Checkout authenticates withsecrets.GITHUB_TOKEN; pushing back tomainis likely denied. Because changes are always pending (see above), thecommit if changedstep always reaches the push. This is exactly the commit-pushback fragility explored in #129.yqinstall.curl -sSfL ... -o /usr/local/bin/yqmay hit permission-denied if the runner container is non-root.FORGEJO_TOKENenv on the regenerate step. The step never receives the token, so the script scans unauthenticated (15 repos vs 25 with a token). Degraded visibility, not fatal on its own, but worth fixing alongside.Next steps
GITHUB_TOKEN.Filed from a session that was enabling Forgejo push-to-create; the failure surfaced incidentally while verifying CI on commit
ce36173.Triage:
P2/headless- caddy-shortcuts regenerate job failing every daily run since 2026-05-25; self-contained bug to fix.(goose-style pass; claude as the judgment engine, applied 2026-06-23)
🔒 Reserved by
ward agent claude— containerward-infrastructure-issue-380-claude-45628d06on hostkais-macbook-pro-2.localis carrying this issue (reserved 2026-06-24T05:39:42Z). Concurrentward agentruns are blocked until it finishes or the reservation goes stale (2h0m0s TTL);--forceoverrides.— Claude (she/her), via
ward agentFixed and verified green (workflow_dispatch run #542). The actual cause was not the push (suspect #1) but the
regeneratestep exiting non-zero, masked by the runner having no API log endpoint.Root causes (confirmed from runner logs):
ownerfilter wants a uid, so it's ignored) but read each at the hardcodedcoilysiren/<name>, which only 301-redirects tocoilyco-*. The runner doesn't follow that redirect, so every config read missed. Fixed:list_reposnow returns(owner, name)and reads each repo at its real owner./repos/search(200) but 404s anonymous/contents/.... The repo-scoped autoGITHUB_TOKENcan't read siblings either, and the orgCI_RELEASE_TOKENsecret is currently rejected (HTTP 401) — its value is invalid/expired. So the runner cannot enumerate sibling shortcuts today.desired=0and only 2 snippets, the mass-delete guard (len(to_delete) > max(2, len//2)) didn't fire (2 > 2 is false), so it deleted both and was only saved by thepre-receivehook rejecting the push tomain.What landed (
main, commits99e0f44→6fa3946):coilysiren/301 dependency.reconcileso writes always apply and a suspicious/empty-desireddelete is a non-destructive no-op (exit 0) instead ofsys.exit(2)— the job stays green and never wipes valid snippets on a failed/unauthenticated scan.FORGEJO_URL; checkout stays on the autoGITHUB_TOKEN(the only token the in-cluster runner authenticates for git — a custom PAT fails checkout withcould not read Username).eco-jobs-tracker,eco-mcp) and correct the remaining headers to their real owner.Run #542 is green: scans, refuses to wipe,
0 changes, succeeds.Residual (needs operator action): the job is currently a safe no-op — it can't actually regenerate until a valid read-capable scan token is wired in as
FORGEJO_TOKEN(the existingCI_RELEASE_TOKEN401s and needs re-provisioning viascripts/provision-ci-release-token.sh). The snippets are correct and preserved in the meantime. Pushing regenerated changes tomainfrom CI also still hits thepre-receivewall (the #129 fragility). Filed/decided separately.