[ci] actions/checkout@v4 has intermittent auth bug against forge.ourworld.tf — document workaround #200

Closed
opened 2026-04-28 02:45:56 +00:00 by mik-tf · 1 comment
Owner

Symptom

On some lhumina_code repos, actions/checkout@v4 fails on PR checkout with:

```
fatal: could not read Username for 'https://forge.ourworld.tf': terminal prompts disabled
```

Even when:

  • FORGEJO_TOKEN secret IS set at the org or repo level
  • ${{ secrets.FORGEJO_TOKEN }} clearly reaches the workflow (verified by debug step: token length 40, valid hex)
  • The token works for direct API + git clone — curl -H 'Authorization: token $TOKEN' /api/v1/user returns 200 and git clone https://oauth2:$TOKEN@forge.ourworld.tf/... succeeds inside the runner
  • The workflow uses explicit with: token: ${{ secrets.FORGEJO_TOKEN }}

Affected repos (as of 2026-04-28)

  • hero_cluster
  • hero_web_template
  • hero_foundry_ui
  • hero_ledger
  • hero_editor

Unaffected repos using same actions/checkout@v4

  • hero_archipelagos
  • hero_skills
  • hero_aibroker
  • hero_browser
  • hero_coordinator (after fix)

Root cause (best understanding)

actions/checkout@v4 uses git config http.<url>.extraheader "AUTHORIZATION: basic <base64(x-access-token:TOKEN)>" for auth. Against forge.ourworld.tf this works in some contexts and not others — likely depends on per-repo runner state, action cache, or something Forgejo-runner-specific that I haven't been able to isolate. The workaround is reliable; the action behavior is not.

Reliable workaround — manual clone

Replace:

```yaml
- name: Checkout
  uses: actions/checkout@v4
```

with:

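```yaml
- name: Checkout (manual clone — actions/checkout@v4 Forgejo auth bug)
  run: |
    set -e
    TOKEN="${{ secrets.FORGEJO_TOKEN }}"
    REPO="lhumina_code/<this-repo>"
    # PR head commit on pull_request events, the triggering commit otherwise
    REF="${{ github.event.pull_request.head.sha || github.sha }}"
    # Empty the workspace, dotfiles included
    rm -rf .git ./* ./.[!.]* 2>/dev/null || true
    git clone --depth 1 "https://oauth2:$TOKEN@forge.ourworld.tf/$REPO.git" .
    # ^{commit} makes rev-parse check that the commit exists locally; a bare
    # 40-hex SHA passes --verify even when the object is missing, which would
    # skip the fetch and leave the default-branch tip checked out
    if [ -n "$REF" ] && ! git rev-parse --verify "$REF^{commit}" >/dev/null 2>&1; then
      git fetch --depth 1 "https://oauth2:$TOKEN@forge.ourworld.tf/$REPO.git" "$REF"
      git checkout "$REF"
    fi
    echo "Checked out $(git rev-parse HEAD)"
```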

Needs FORGEJO_TOKEN secret (org or repo level) holding a Forgejo PAT with read:repository scope. Same shape as the cross-repo deps clone step that already lives in many of these workflows, so no new auth surface.

Applied today on hero_cluster (development_mik) and hero_editor (development_mik).

Action items

  • Apply the manual-clone workaround to the remaining affected repos (hero_web_template, hero_foundry_ui, hero_ledger).
  • When upstream actions/checkout ships a Forgejo-compatible release, revert to the canonical uses: actions/checkout@v4 form and close this issue.

Signed-off-by: mik-tf
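
The manual clone puts the token in the clone URL, and git stores that URL as `remote.origin.url` in `.git/config`, where later steps and anything that packages the workspace can read it. The following is an added example, not part of the issue or the project's workflows: a post-clone step that finds and strips URL-embedded credentials. The function names and the sample repo are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample values are constructed.

# Print the config key of every remote URL that carries userinfo (user[:pass]@).
# Only keys are printed, so the secret never reaches the job log.
find_embedded_creds() {
  git config --file "$1/.git/config" --get-regexp '^remote\..*\.(url|pushurl)$' |
    grep -E ' https?://[^/@ ]+@' | cut -d' ' -f1
}

# Rewrite those URLs without the userinfo part and print how many were changed.
scrub_embedded_creds() {
  cfg="$1/.git/config"
  count=0
  for key in $(find_embedded_creds "$1"); do
    url=$(git config --file "$cfg" --get "$key")
    clean=$(printf '%s\n' "$url" | sed -E 's#^(https?://)[^/@]+@#\1#')
    git config --file "$cfg" "$key" "$clean"
    count=$((count + 1))
  done
  echo "$count"
}

# Constructed sample: the config a token-in-URL clone leaves behind.
make_sample_repo() {
  dir=$(mktemp -d)
  mkdir "$dir/.git"
  git config --file "$dir/.git/config" remote.origin.url \
    "https://oauth2:0123456789abcdef0123456789abcdef01234567@forge.ourworld.tf/lhumina_code/example.git"
  echo "$dir"
}

repo=$(make_sample_repo)
echo "keys with credentials: $(find_embedded_creds "$repo")"
echo "urls rewritten: $(scrub_embedded_creds "$repo")"
echo "origin is now: $(git config --file "$repo/.git/config" remote.origin.url)"
rm -rf "$repo"
```

In a workflow, `scrub_embedded_creds .` would run right after the checkout step; any later fetch or push then has to supply the token itself, as the fetch in the workaround already does.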

Author
Owner

Documented in hero_skills

The workaround + the broader CI patterns this week surfaced are now in hero_skills/tools/docs/forgejo_ci.md (PR #145) — that's the canonical place for cross-repo CI patterns.

This issue stays as the lightweight tracker for the actions/checkout@v4 upstream bug specifically; close it when the action ships a Forgejo-compatible release and the manual-clone workaround can be reverted.

Signed-off-by: mik-tf

Reference
lhumina_code/home#200