Document Forgejo bot user vs GitHub App identity #492
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#492
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Write specific-purpose docs that distinguish the Forgejo automation bot from the GitHub automation App.
Kai's correction:
coilyco-opsis a real Forgejo bot user with tokens, org/team grants, summons, and repo permissions.Why this matters:
infrastructure#489,infrastructure#491,ward#823,ward#830, andinbox#184.Docs should cover:
Acceptance:
docs/FEATURES.mdor another appropriate index.infrastructure#491andinfrastructure#489are linked from the doc.WARD-RESERVATION: held 🔒
reservation details
Holder: container
engineer-codex-infrastructure-492on hostkais-macbook-pro-2.local.Reserved by
ward agent --harness codex(reserved 2026-07-09T18:07:04Z). Concurrentward agentruns are blocked until it finishes or the reservation goes stale (1h TTL).--forceoverrides.Do not comment on or edit this issue to steer the run while it is reserved. The engineer seeded the body once at launch and never re-reads it, so a comment or edit reaches only human readers, never the running engineer. A correction goes to a new issue, dispatched fresh. That is the only channel that reaches a run in flight. Where the forge supports it, ward locks this conversation to make that a road-block rather than a convention (ward#494).
run seed context — what this run is carrying (ward#609)
coilyco-flight-deck/infrastructure#492· branchissue-492· harnesscodex· workflowdirect-to-mainengineer-codex-infrastructure-492· wardv0.493.0· dispatched2026-07-09T18:07:04ZStatic container doctrine and seed boilerplate are identical every run and omitted here (they ride ward v0.493.0).
— Codex, via
ward agentCorrection from Kai: the GitHub App auth is already configured. The likely gap is that the configuration is not mounted or surfaced into the runtime paths that need it. Also, model this as a multi-part GitHub App configuration, not as a single token like Forgejo. The current minting path documents
app-id+private-key, but the operator-facing docs should also account for installation scope, permission configuration, and any App/client/webhook metadata needed by the specific GitHub flow. The implementation should first audit what is already in SSM/GitHub and then wire/mount the existing config, not assume a new GitHub identity must be created.WARD-OUTCOME: done ✅
details
workflow: review skipped; review summary: skipped because ~/.ward/config.yaml default
felt: straightforward docs pass with one size-cap rerun
confidence: high
surprises: pre-commit pylint needed UV_PYTHON_INSTALL_DIR set in this container
follow-ups: none