fix(ci): notify-chart workflows push to Forgejo, not GitHub

The chart repo (BMCD/tnd-zddc-chart) is mirrored Forgejo→GitHub
one-way (we set this up so the chart matches the same canonical-
on-Forgejo pattern as the public repos). When notify-chart-prod
and notify-chart-dev pushed directly to GitHub, the bump landed
on GitHub but Forgejo never got it — and the next time Forgejo's
push-mirror ran, it force-overwrote GitHub's bump with Forgejo's
older state. Symptom: prod stuck at v0.0.9 even after auto-bump
appeared to succeed; manual investigation showed Chart.yaml
appVersion was actually still 0.0.10 (the previous manual bump
that DID land on Forgejo).

Fix: clone+push to Forgejo (git.varasys.io/BMCD/tnd-zddc-chart)
instead of GitHub. Forgejo's mirror replicates to GitHub on the
next sync — going through the canonical-Forgejo path keeps both
sides in sync. Uses a new CHART_FORGEJO_TOKEN secret (separate
from CHART_GITHUB_TOKEN, which is no longer needed for these
workflows but kept for any future direct-GitHub use case).
ZDDC 2026-05-03 19:39:48 -05:00
parent bf54651fb0
commit 1033d30ad9
2 changed files with 25 additions and 11 deletions

View file

@ -109,9 +109,15 @@ jobs:
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/zddc-server-v')
runs-on: host
env:
CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
# Push to Forgejo (BMCD/tnd-zddc-chart on git.varasys.io), NOT
# directly to GitHub. The chart repo is mirrored Forgejo→GitHub
# one-way; pushing directly to GitHub would be silently overwritten
# the next time Forgejo's mirror syncs (force-push semantics).
# The runner reaches git.varasys.io via the caddy-net network it
# joined when the runner container was provisioned.
CHART_FORGEJO_TOKEN: ${{ secrets.CHART_FORGEJO_TOKEN }}
steps:
- name: Auto-bump tnd-zddc-chart appVersion on main + develop
- name: Auto-bump tnd-zddc-chart appVersion on main + develop (via Forgejo)
run: |
set -eu
VERSION="${GITHUB_REF#refs/tags/zddc-server-v}"
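Review bot: dropping `CHART_GITHUB_TOKEN` from the job `env:` leaves that secret configured on the repo with no consumer (the message says it is kept for a future direct-GitHub case); a write-scoped token nobody uses is a standing credential with no owner, so either remove it from the repo secrets now or extend the new comment block with who owns rotating it and when it should be deleted. The same comment block also states the runner reaches git.varasys.io via `caddy-net`, which is a provisioning-time assumption nothing in this job checks; if the container is ever re-provisioned without that network, the first visible failure is the `git clone` several steps later, so a one-line `git ls-remote` preflight against the Forgejo URL next to the secret sanity check would make that failure name its cause.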
@ -119,8 +125,8 @@ jobs:
# Sanity: make sure the secret was injected. If not, fail loud
# (rather than silently failing on the git push later).
if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then
echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2
if [ -z "${CHART_FORGEJO_TOKEN:-}" ]; then
echo "::error::CHART_FORGEJO_TOKEN secret not set on this repo" >&2
exit 1
fi
@ -131,6 +137,9 @@ jobs:
# dev images both rebuild against the new ZDDC stable. Loop
# is idempotent per-branch — if a branch's appVersion already
# matches the new version, it's a no-op for that branch.
# The push goes to Forgejo (BMCD/tnd-zddc-chart on
# git.varasys.io); Forgejo's push-mirror replicates the bump
# to GitHub on the next sync (which is sync_on_commit: true).
TMP=$(mktemp -d)
cd "$TMP"
for BRANCH in main develop; do
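Review bot: the added comment asserts the push-mirror is `sync_on_commit: true`, but that is a setting on the Forgejo repo's mirror configuration, not anything versioned in this file, so it can drift without this workflow changing; say where it is configured (and that `pipeline-prod`/`pipeline-dev` firing depends on it), otherwise the next person debugging a stale GitHub copy will trust a comment the job cannot verify.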
@ -138,7 +147,7 @@ jobs:
echo "=== bumping $BRANCH ==="
rm -rf tnd-zddc-chart
git clone --depth=20 --branch="$BRANCH" \
"https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git"
"https://oauth2:${CHART_FORGEJO_TOKEN}@git.varasys.io/BMCD/tnd-zddc-chart.git"
cd tnd-zddc-chart
CURRENT=$(grep '^appVersion:' chart/Chart.yaml | sed -E 's/^appVersion: *"?([^"]*)"?.*/\1/')
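Review bot: embedding `oauth2:${CHART_FORGEJO_TOKEN}` in the clone URL puts the token on the `git clone` command line, where it is readable by any other process on the shared `host` runner via the process list for the duration of the clone, and git records that URL as `remote.origin.url` in the clone's `.git/config`, so the later `git push origin "$BRANCH"` keeps working only because the token is persisted on disk. Prefer a credential helper that reads the token from the environment (for example `git -c credential.helper='!f() { echo "password=$CHART_FORGEJO_TOKEN"; }; f' clone ...` with a credential-free `https://oauth2@git.varasys.io/BMCD/tnd-zddc-chart.git` URL), so neither the command line nor the on-disk config carries the secret.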
@ -166,6 +175,6 @@ jobs:
-m "Triggered by zddc-server-v$VERSION tag push on git.varasys.io/VARASYS/ZDDC. Bumps appVersion so the $BRANCH-branch image is tagged zddc:$VERSION, ensuring kubelet pulls a fresh image on the next helm upgrade. Chart version bumped to $NEW_CHART_VER (patch) so JFrog has a clean chart history per deploy." \
-m "Auto-generated by .forgejo/workflows/deploy-release.yml's notify-chart-prod job. Do not edit manually — the next ZDDC stable cut will overwrite this commit's changes."
git push origin "$BRANCH"
echo " pushed $BRANCH bump - BMCD pipeline-$([ \"$BRANCH\" = main ] && echo prod || echo dev) will fire"
echo " pushed $BRANCH bump to Forgejo - mirror replicates to GitHub - BMCD pipeline-$([ \"$BRANCH\" = main ] && echo prod || echo dev) will fire"
cd ..
done

View file

@ -23,7 +23,12 @@ jobs:
notify-chart-dev:
runs-on: host
env:
CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
# Push to Forgejo (BMCD/tnd-zddc-chart on git.varasys.io), NOT
# directly to GitHub. See notify-chart-prod's comment in
# deploy-release.yml for the full rationale (mirror is one-way
# Forgejo→GitHub; direct GitHub pushes get silently overwritten
# on the next mirror sync).
CHART_FORGEJO_TOKEN: ${{ secrets.CHART_FORGEJO_TOKEN }}
steps:
- name: Checkout (need tags to detect stable cut)
uses: actions/checkout@v4
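Review bot: `CHART_FORGEJO_TOKEN` is declared at job level here, so it is exported into the `actions/checkout@v4` step and every later step of `notify-chart-dev`, not only the bump step that needs it; moving it to that step's own `env:` keeps the token out of the environment of third-party action code on the self-hosted runner. The comment's cross-reference to `notify-chart-prod` in deploy-release.yml is fine, but it would help to name the secret's expected scope (write access to `BMCD/tnd-zddc-chart` only) in one of the two places so a replacement token is not minted broader than it needs to be.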
@ -47,8 +52,8 @@ jobs:
run: |
set -eu
if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then
echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2
if [ -z "${CHART_FORGEJO_TOKEN:-}" ]; then
echo "::error::CHART_FORGEJO_TOKEN secret not set on this repo" >&2
exit 1
fi
@ -68,7 +73,7 @@ jobs:
TMP=$(mktemp -d)
cd "$TMP"
git clone --depth=20 --branch=develop \
"https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git"
"https://oauth2:${CHART_FORGEJO_TOKEN}@git.varasys.io/BMCD/tnd-zddc-chart.git"
cd tnd-zddc-chart
# Idempotent: same SHA ⇒ same version ⇒ no-op.
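Review bot: `TMP=$(mktemp -d)` in the context above is never removed (no `trap 'rm -rf "$TMP"' EXIT`), and on a persistent `host` runner the clone under it, including the token-bearing `remote.origin.url` that this hunk's `https://oauth2:${CHART_FORGEJO_TOKEN}@...` URL writes into `.git/config`, outlives the job; add the `trap` immediately after `mktemp -d` so the checkout and its stored credential are cleaned up on both success and failure paths, which matters more now that `set -eu` can abort mid-job between clone and push.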
@ -97,4 +102,4 @@ jobs:
-m "Triggered by push to git.varasys.io/VARASYS/ZDDC main with embedded/* changes (a ./build beta cut). Bumps appVersion so the dev Docker image is tagged zddc:$BETA_VERSION, ensuring kubelet pulls a fresh image on the next helm upgrade." \
-m "Auto-generated by .forgejo/workflows/notify-chart-dev.yml. The next ZDDC beta or stable cut will overwrite this."
git push origin develop
echo "pushed chart develop bump - BMCD pipeline-dev will fire"
echo "pushed chart develop bump to Forgejo - mirror replicates to GitHub - BMCD pipeline-dev will fire"