Sticky PR comment step times out connecting to forge.wynning.tech #104
james/carol#104
First post-#68 PR run hit a connect timeout in the OSV scanner's `Post sticky PR comment` step:

`104.21.*` and `172.67.*` are well-known Cloudflare anycast ranges, and `2606:4700::/32` is Cloudflare's IPv6 block. The runner is trying to reach `forge.wynning.tech` (CF-fronted) and the connection never completes — same network-topology issue we hit in #75 for the registry push, where the runner is inside the network and can't hairpin back through CF to its own server.

Run that produced the error: https://forge.wynning.tech/james/carol/actions/runs/126/jobs/7/attempt/1.

This isn't a payload-size issue (the API calls are small JSON, well under any CF body limit). It's a reachability issue — the runner physically cannot establish a TLS handshake to the CF edge.

Why the release workflow's similar curl-to-API call hasn't failed

`release.yml`'s "Create Forgejo release" step uses `curl` and reaches the same `forge.wynning.tech` API. It's been succeeding on every tag push so far. Plausible explanations: different default timeouts, route luck, or this is also flaky and we just haven't caught it yet. Worth fixing release.yml the same way to be safe, but the urgent fix is the scanner steps that just regressed.

Fix

Mirror the `PUSH_REGISTRY`/`PUBLIC_REGISTRY` split from #76:

- `FORGEJO_API_URL` env var that `scripts/ci/post-pr-comment.mjs` prefers over `GITHUB_SERVER_URL`. Falls back to `GITHUB_SERVER_URL` so a self-hoster forking this workflow into a non-CF environment doesn't have to set it.
- `FORGEJO_API_URL: https://forge.int.wynning.tech` to each scanner's `Post sticky PR comment` step env block in `pr.yml` (three steps) and `secrets.yml` (one step).
- `release.yml`'s "Create Forgejo release" step, preemptively.
- `docs/ci.md` "Sticky PR comments" → "Required token scope" section (alongside the existing token-scope note).

Acceptance criteria

- `Post sticky PR comment` step completes without a connect timeout.
- `release.yml`'s next tag push hits the API via the internal URL too (preemptive).
- `docs/ci.md` mentions the `FORGEJO_API_URL` override and explains when a self-hoster would set it (CF or other reverse-proxy-fronted Forgejo deployments where the runner can't reach the public URL).

Part of epic #2. Follow-up from #68, mirrors #75.
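Added example, not part of the original issue and not the project's `scripts/ci/post-pr-comment.mjs`: one way to resolve the API base with the `FORGEJO_API_URL` over `GITHUB_SERVER_URL` preference described above, validating the URL because the API token is sent to whichever host it names, and failing fast on an unreachable edge. The function names and the `FORGEJO_TOKEN` variable are assumptions, and the sketch covers only URL resolution and a create call, not the lookup that makes a comment sticky.

```javascript
// Added example; not the project's scripts/ci/post-pr-comment.mjs.
// Env var names FORGEJO_API_URL / GITHUB_SERVER_URL come from the issue;
// function names and FORGEJO_TOKEN are hypothetical.

// Pick the API base: internal override first, public server URL as fallback.
function resolveApiBase(env) {
  const source = env.FORGEJO_API_URL ? "FORGEJO_API_URL" : "GITHUB_SERVER_URL";
  const raw = env[source];
  if (!raw) throw new Error("neither FORGEJO_API_URL nor GITHUB_SERVER_URL is set");
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`${source} is not a valid URL`);
  }
  // The API token is sent to this host, so refuse plaintext and embedded credentials.
  if (url.protocol !== "https:") throw new Error(`${source} must use https`);
  if (url.username || url.password) throw new Error(`${source} must not embed credentials`);
  return { source, base: url.origin + url.pathname.replace(/\/+$/, "") };
}

// Comment endpoint for a PR (PR comments go through the issues API in Forgejo).
function commentsUrl(base, repository, prNumber) {
  const [owner, repo] = String(repository).split("/");
  if (!owner || !repo || !Number.isInteger(prNumber)) throw new Error("bad repository or PR number");
  return `${base}/api/v1/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/issues/${prNumber}/comments`;
}

// Post with a hard deadline so a connect stall fails fast and names the URL source.
async function postComment(env, prNumber, body, timeoutMs = 10000) {
  const { source, base } = resolveApiBase(env);
  const target = commentsUrl(base, env.GITHUB_REPOSITORY, prNumber);
  try {
    const res = await fetch(target, {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `token ${env.FORGEJO_TOKEN}` },
      body: JSON.stringify({ body }),
      signal: AbortSignal.timeout(timeoutMs),
    });
    if (!res.ok) throw new Error(`API returned ${res.status}`);
    return res.json();
  } catch (err) {
    throw new Error(`${new URL(target).host} (from ${source}): ${err.message}`, { cause: err });
  }
}
```

Because the error message names the host and the variable it came from, a timeout in the job log shows at a glance whether the step used the internal URL or fell back to the public one.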