fix(ci): authenticate cargo git fetches via FORGE_TOKEN #6

Merged
sameh-farouk merged 1 commit from development_sameh into development 2026-06-02 13:28:07 +00:00

Summary

hero_web_template was moved from lhumina_code to coopcloud_code/mycelium_dashboard_template_wip. The old URL (still pinned in our Cargo.lock + in hero_admin_lib's Cargo.toml) returns HTTP 301 → 401 on anonymous git fetch, which breaks cargo's libgit2 resolution. Same SHA pin (de4712aa) was building fine until the rename took effect.

Fix

Two-line workflow change:

  • CARGO_NET_GIT_FETCH_WITH_CLI=true so cargo shells out to git (which can follow the 301 with auth)
  • git config http.https://forge.ourworld.tf/.extraHeader "Authorization: token $FORGE_TOKEN" so every clone to forge.ourworld.tf carries the bearer — including the redirect target

No persistent credential is written to disk; config lives only in the job's ephemeral container.

Verification

  • Reproduced the failure locally (curl returns 401 anon; git clone succeeds when extraHeader is set).
  • Triggered lab-publish.yaml via workflow_dispatch on development_sameh (run #19, id 23923): SUCCESS, 940s.
  • Confirmed fresh binaries (hero_planner_server / _admin / _web linux-musl-x86_64) uploaded to the latest release at 13:16–13:19 UTC today.

Follow-up (separate)

  • Optional: upstream hero_website_framework could update hero_admin_lib's Cargo.toml to point hero_theme at the new coopcloud_code/mycelium_dashboard_template_wip URL, avoiding the redirect chain entirely for every consumer.
  • Open question per June 2 meeting: do we want main branch pushes to also trigger lab-publish (producing a latest-main release)? That depends on the branch-policy decision still in flight — filing separately if/when settled.
hero_web_template returns HTTP 401 on anonymous clone despite being
marked public on Forgejo. lab-publish's cargo metadata step transitively
requires this repo via hero_admin_lib → hero_theme, so cargo can't
resolve the workspace and lab build aborts ("no Cargo.toml found"). See
CI run #18 on 977543b.

- CARGO_NET_GIT_FETCH_WITH_CLI=true so cargo shells out to the git CLI
  (libgit2 has no FORGE_TOKEN-aware credential helper here)
- git config http.https://forge.ourworld.tf/.extraHeader with
  "Authorization: token $FORGE_TOKEN" so the bearer rides every clone
  to the forge host

No persistent credential is written to disk; the config lives only in
the job's ephemeral container.
sameh-farouk merged commit bca78a1441 into development 2026-06-02 13:28:07 +00:00
sameh-farouk deleted branch development_sameh 2026-06-02 13:28:14 +00:00
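
The two settings from the Fix section, written as an added shell example (not the project's workflow file) that also checks which URLs the header is scoped to. The function names, the `--global` config scope and the lookalike host used in the check are assumptions; the host, header format and `FORGE_TOKEN` variable are the ones named in the PR.

```shell
#!/bin/sh
# Added example, not code from this repository.
# Assumption: --global scope, so the setting applies to the clones cargo
# makes outside the workspace checkout.
FORGE_URL="https://forge.ourworld.tf/"

# Enable CLI git fetches for cargo and attach the token to forge requests only.
forge_auth_setup() {
    # An empty token would configure a blank Authorization header and
    # resurface later as an unexplained 401, so fail early instead.
    [ -n "${FORGE_TOKEN:-}" ] || { echo "FORGE_TOKEN is not set" >&2; return 1; }
    export CARGO_NET_GIT_FETCH_WITH_CLI=true
    # Keep shell tracing (set -x) off around this line: it would print the token.
    git config --global "http.${FORGE_URL}.extraHeader" \
        "Authorization: token ${FORGE_TOKEN}"
}

# Print the extra header git would send for URL $1 (prints nothing if none).
# --get-urlmatch applies the same scheme/host/path matching git uses on fetch.
forge_header_for() {
    git config --get-urlmatch http.extraHeader "$1" || true
}

# Remove the header again; useful on runners whose home directory is reused.
forge_auth_teardown() {
    git config --global --unset-all "http.${FORGE_URL}.extraHeader" || true
}
```

Call `forge_auth_setup` before the cargo step and `forge_auth_teardown` in a final step; `forge_header_for` on a URL under the forge host and on any other host shows whether the token is limited to the forge.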