fix(ci): route scanner-comment API calls via internal Forgejo URL (#104) #107
Closes #104.

## What happened

OSV scanner's `Post sticky PR comment` step timed out on the first PR run after #68 landed:

The three addresses are Cloudflare anycast IPs. The runner is inside the same network the Forgejo server lives in, and can't hairpin back through CF to its own public hostname — exact same network-topology issue that drove #76 to use `forge.int.wynning.tech` for the container push.

## Fix

- `scripts/ci/post-pr-comment.mjs` now reads `FORGEJO_API_URL` and prefers it over the auto-injected `GITHUB_SERVER_URL`. Falls back to `GITHUB_SERVER_URL` so a self-hoster forking this workflow into a non-CF deployment doesn't need to set anything.
- `.forgejo/workflows/pr.yml` — each of the three scanner `Post sticky PR comment` steps (npm/osv/trivy) sets `FORGEJO_API_URL: https://forge.int.wynning.tech` in its env block.
- `.forgejo/workflows/secrets.yml` — same for the gitleaks scanner's post step.
- `.forgejo/workflows/release.yml` — `Create Forgejo release` step swapped from `${{ github.server_url }}` to a step-local `API_URL: https://forge.int.wynning.tech`, preemptive (that call had been working but the root cause is identical and worth fixing before it does fail).
- `docs/ci.md` — new "Forgejo API URL (FORGEJO_API_URL)" subsection under "Sticky PR comments" explaining when a self-hoster would set / unset it.

## Test plan

- `actionlint .forgejo/workflows/*.yml` — clean.
- `node --check scripts/ci/post-pr-comment.mjs` — clean.
- `Post sticky PR comment` steps complete without a connect timeout. (CI on this PR is the test — the script runs against this PR's own scanner output.)
- `Create Forgejo release` step still creates the release page, now via the internal API endpoint.

## Why not just retry on timeout?
A retry loop would buy us a few extra seconds of "maybe CF is having a moment" — but the root cause is reachability, not transient flakiness. The runner physically cannot establish TLS to the CF edge from inside the network. A retry would always fail. The internal URL is the only durable fix.
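The `FORGEJO_API_URL`-over-`GITHUB_SERVER_URL` resolution described in the Fix section, followed by a marker-based sticky-comment upsert against the Forgejo (Gitea-compatible) issue-comments API, as an added example. This is not the project's `scripts/ci/post-pr-comment.mjs`; the function names, the marker string and the injectable `fetchImpl` are assumptions made for the example.

```javascript
// Added example, not the project's scripts/ci/post-pr-comment.mjs.
// Assumed names: STICKY_MARKER, resolveApiBase, commentsEndpoint,
// findSticky, upsertStickyComment.

const STICKY_MARKER = "<!-- scanner-sticky-comment -->"; // assumed marker text

function resolveApiBase(env) {
  // Explicit internal override wins; otherwise the runner-injected server URL.
  const raw = env.FORGEJO_API_URL || env.GITHUB_SERVER_URL;
  if (!raw) throw new Error("neither FORGEJO_API_URL nor GITHUB_SERVER_URL is set");
  let url;
  try { url = new URL(raw); } catch { throw new Error(`not an absolute URL: ${raw}`); }
  // The token travels in the Authorization header, so never send it in plaintext.
  if (url.protocol !== "https:") throw new Error(`refusing non-https API base: ${raw}`);
  return url.origin + url.pathname.replace(/\/+$/, "");
}

function commentsEndpoint(base, owner, repo, index) {
  const o = encodeURIComponent(owner), r = encodeURIComponent(repo);
  return `${base}/api/v1/repos/${o}/${r}/issues/${Number(index)}/comments`;
}

// The sticky comment is the one whose body starts with the marker.
function findSticky(comments) {
  return comments.find((c) => typeof c.body === "string" && c.body.startsWith(STICKY_MARKER)) ?? null;
}

// PATCH the existing sticky comment if there is one, else POST a new one.
// fetchImpl is injectable so the flow can be exercised without network access.
async function upsertStickyComment({ env, owner, repo, index, body, token, fetchImpl = fetch }) {
  const base = resolveApiBase(env);
  const listUrl = commentsEndpoint(base, owner, repo, index);
  const headers = { Authorization: `token ${token}`, "Content-Type": "application/json" };
  const listRes = await fetchImpl(listUrl, { headers });
  if (!listRes.ok) throw new Error(`listing comments failed: HTTP ${listRes.status}`);
  const existing = findSticky(await listRes.json());
  const payload = JSON.stringify({ body: `${STICKY_MARKER}\n${body}` });
  const o = encodeURIComponent(owner), r = encodeURIComponent(repo);
  const req = existing
    ? { url: `${base}/api/v1/repos/${o}/${r}/issues/comments/${existing.id}`, method: "PATCH" }
    : { url: listUrl, method: "POST" };
  const res = await fetchImpl(req.url, { method: req.method, headers, body: payload });
  if (!res.ok) throw new Error(`${req.method} ${req.url} failed: HTTP ${res.status}`);
  return { action: existing ? "updated" : "created", url: req.url };
}
```

Because `resolveApiBase` only accepts an absolute `https:` URL, a misconfigured override fails fast at the start of the step instead of surfacing as a connect timeout later.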