From 1033d30ad967cb932f48881e6bc387270edfd3e6 Mon Sep 17 00:00:00 2001
From: ZDDC
Date: Sun, 3 May 2026 19:39:48 -0500
Subject: [PATCH] fix(ci): notify-chart workflows push to Forgejo, not GitHub
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The chart repo (BMCD/tnd-zddc-chart) is mirrored Forgejo→GitHub one-way (we set this up so the chart matches the same canonical- on-Forgejo pattern as the public repos). When notify-chart-prod and notify-chart-dev pushed directly to GitHub, the bump landed on GitHub but Forgejo never got it — and the next time Forgejo's push-mirror ran, it force-overwrote GitHub's bump with Forgejo's older state. Symptom: prod stuck at v0.0.9 even after auto-bump appeared to succeed; manual investigation showed Chart.yaml appVersion was actually still 0.0.10 (the previous manual bump that DID land on Forgejo). Fix: clone+push to Forgejo (git.varasys.io/BMCD/tnd-zddc-chart) instead of GitHub. Forgejo's mirror replicates to GitHub on the next sync — going through the canonical-Forgejo path keeps both sides in sync. Uses a new CHART_FORGEJO_TOKEN secret (separate from CHART_GITHUB_TOKEN, which is no longer needed for these workflows but kept for any future direct-GitHub use case).
---
 .forgejo/workflows/deploy-release.yml | 21 +++++++++++++++------
 .forgejo/workflows/notify-chart-dev.yml | 15 ++++++++++-----
 2 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/.forgejo/workflows/deploy-release.yml b/.forgejo/workflows/deploy-release.yml
index 9616c4c..cad9721 100644
--- a/.forgejo/workflows/deploy-release.yml
+++ b/.forgejo/workflows/deploy-release.yml
@@ -109,9 +109,15 @@ jobs:
 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/zddc-server-v')
 runs-on: host
 env:
- CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
+ # Push to Forgejo (BMCD/tnd-zddc-chart on git.varasys.io), NOT
+ # directly to GitHub. The chart repo is mirrored Forgejo→GitHub
+ # one-way; pushing directly to GitHub would be silently overwritten
+ # the next time Forgejo's mirror syncs (force-push semantics).
+ # The runner reaches git.varasys.io via the caddy-net network it
+ # joined when the runner container was provisioned.
+ CHART_FORGEJO_TOKEN: ${{ secrets.CHART_FORGEJO_TOKEN }}
 steps:
- - name: Auto-bump tnd-zddc-chart appVersion on main + develop
+ - name: Auto-bump tnd-zddc-chart appVersion on main + develop (via Forgejo)
 run: |
 set -eu
 VERSION="${GITHUB_REF#refs/tags/zddc-server-v}"
@@ -119,8 +125,8 @@ jobs:
 # Sanity: make sure the secret was injected. If not, fail loud
 # (rather than silently failing on the git push later).
- if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then
- echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2
+ if [ -z "${CHART_FORGEJO_TOKEN:-}" ]; then
+ echo "::error::CHART_FORGEJO_TOKEN secret not set on this repo" >&2
 exit 1
 fi
@@ -131,6 +137,9 @@ jobs:
 # dev images both rebuild against the new ZDDC stable. Loop
 # is idempotent per-branch — if a branch's appVersion already
 # matches the new version, it's a no-op for that branch.
+ # The push goes to Forgejo (BMCD/tnd-zddc-chart on
+ # git.varasys.io); Forgejo's push-mirror replicates the bump
+ # to GitHub on the next sync (which is sync_on_commit: true).
 TMP=$(mktemp -d)
 cd "$TMP"
 for BRANCH in main develop; do
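Review bot: The job-level `env:` entry in the `@@ -109,9 +109,15 @@` hunk exposes CHART_FORGEJO_TOKEN to every step of the job, although in the visible lines only the bump script's `run:` step reads it. Moving the `CHART_FORGEJO_TOKEN: ${{ secrets.CHART_FORGEJO_TOKEN }}` line into an `env:` block under that step keeps the write token out of any other step's environment. The same applies to the `@@ -23,7 +23,12 @@` hunk of notify-chart-dev.yml, where the job's first step is `uses: actions/checkout@v4` and inherits the variable. The added comment could also record what the token may do, for example `# Token of a dedicated bot account with write access to BMCD/tnd-zddc-chart only`, if that is how it was issued. The job definition starts above this hunk.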
@@ -138,7 +147,7 @@ jobs:
 echo "=== bumping $BRANCH ==="
 rm -rf tnd-zddc-chart
 git clone --depth=20 --branch="$BRANCH" \
- "https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git"
+ "https://oauth2:${CHART_FORGEJO_TOKEN}@git.varasys.io/BMCD/tnd-zddc-chart.git"
 cd tnd-zddc-chart
 CURRENT=$(grep '^appVersion:' chart/Chart.yaml | sed -E 's/^appVersion: *"?([^"]*)"?.*/\1/')
@@ -166,6 +175,6 @@ jobs:
 -m "Triggered by zddc-server-v$VERSION tag push on git.varasys.io/VARASYS/ZDDC. Bumps appVersion so the $BRANCH-branch image is tagged zddc:$VERSION, ensuring kubelet pulls a fresh image on the next helm upgrade. Chart version bumped to $NEW_CHART_VER (patch) so JFrog has a clean chart history per deploy." \
 -m "Auto-generated by .forgejo/workflows/deploy-release.yml's notify-chart-prod job. Do not edit manually — the next ZDDC stable cut will overwrite this commit's changes."
 git push origin "$BRANCH"
- echo " pushed $BRANCH bump - BMCD pipeline-$([ \"$BRANCH\" = main ] && echo prod || echo dev) will fire"
+ echo " pushed $BRANCH bump to Forgejo - mirror replicates to GitHub - BMCD pipeline-$([ \"$BRANCH\" = main ] && echo prod || echo dev) will fire"
 cd ..
 done
diff --git a/.forgejo/workflows/notify-chart-dev.yml b/.forgejo/workflows/notify-chart-dev.yml
index 6748c6c..23f7409 100644
--- a/.forgejo/workflows/notify-chart-dev.yml
+++ b/.forgejo/workflows/notify-chart-dev.yml
@@ -23,7 +23,12 @@ jobs:
 notify-chart-dev:
 runs-on: host
 env:
- CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
+ # Push to Forgejo (BMCD/tnd-zddc-chart on git.varasys.io), NOT
+ # directly to GitHub. See notify-chart-prod's comment in
+ # deploy-release.yml for the full rationale (mirror is one-way
+ # Forgejo→GitHub; direct GitHub pushes get silently overwritten
+ # on the next mirror sync).
+ CHART_FORGEJO_TOKEN: ${{ secrets.CHART_FORGEJO_TOKEN }}
 steps:
 - name: Checkout (need tags to detect stable cut)
 uses: actions/checkout@v4
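Review bot: The clone URL on the added line of the `@@ -138,7 +147,7 @@` hunk embeds CHART_FORGEJO_TOKEN, and `git clone` stores that URL, token included, as the remote in `tnd-zddc-chart/.git/config` under the `mktemp -d` directory. No cleanup of `$TMP` is visible in these hunks and the job is `runs-on: host`, so the token may outlive the job on disk. Consider cloning the plain URL and passing the token from the environment, `git -c credential.helper='!f() { echo username=oauth2; echo "password=$CHART_FORGEJO_TOKEN"; }; f' clone --depth=20 --branch="$BRANCH" https://git.varasys.io/BMCD/tnd-zddc-chart.git`, with the same `-c` option on the later `git push`, and adding `trap 'rm -rf "$TMP"' EXIT` right after `TMP=$(mktemp -d)`. The `@@ -68,7 +73,7 @@` hunk of notify-chart-dev.yml has the same clone line. The enclosing `for` loop starts and ends outside this hunk.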
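Review bot: The `$(...)` in the added `echo` line of the `@@ -166,6 +175,6 @@` hunk always prints `dev`. Quoting starts fresh inside a command substitution, so `\"$BRANCH\"` expands to the branch name wrapped in literal double quotes, and that never equals `main`. Dropping the backslashes, `$([ "$BRANCH" = main ] && echo prod || echo dev)`, makes the log name pipeline-prod for main. The message also says the pipeline "will fire", which now depends on the mirror sync having run; wording such as `should fire once the mirror syncs` matches what the step can know. The enclosing `for` loop starts above this hunk.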
@@ -47,8 +52,8 @@ jobs:
 run: |
 set -eu
- if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then
- echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2
+ if [ -z "${CHART_FORGEJO_TOKEN:-}" ]; then
+ echo "::error::CHART_FORGEJO_TOKEN secret not set on this repo" >&2
 exit 1
 fi
@@ -68,7 +73,7 @@ jobs:
 TMP=$(mktemp -d)
 cd "$TMP"
 git clone --depth=20 --branch=develop \
- "https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git"
+ "https://oauth2:${CHART_FORGEJO_TOKEN}@git.varasys.io/BMCD/tnd-zddc-chart.git"
 cd tnd-zddc-chart
 # Idempotent: same SHA ⇒ same version ⇒ no-op.
@@ -97,4 +102,4 @@ jobs:
 -m "Triggered by push to git.varasys.io/VARASYS/ZDDC main with embedded/* changes (a ./build beta cut). Bumps appVersion so the dev Docker image is tagged zddc:$BETA_VERSION, ensuring kubelet pulls a fresh image on the next helm upgrade." \
 -m "Auto-generated by .forgejo/workflows/notify-chart-dev.yml. The next ZDDC beta or stable cut will overwrite this."
 git push origin develop
- echo "pushed chart develop bump - BMCD pipeline-dev will fire"
+ echo "pushed chart develop bump to Forgejo - mirror replicates to GitHub - BMCD pipeline-dev will fire"