fix: dispatch deploy via INFRA_DISPATCH_TOKEN instead of FORGEJO_TOKEN #7

Merged
rcsheets merged 1 commit from fix/cross-repo-dispatch-token into main 2026-04-30 10:08:06 +00:00
Owner

Since Forgejo 15.0, secrets.FORGEJO_TOKEN is treated as a reserved
name — defining a repo secret with that name no longer overrides the
runner-injected forgejo-actions token, and that auto-token is scoped
to the repo running the workflow, so cross-repo workflow dispatch
returns 404.

Switch the deploy dispatch step to read from secrets.INFRA_DISPATCH_TOKEN
(a PAT with write:repository scope on brooktrails/infra) and fail loudly
with a pointed error if it isn't configured. The existing FORGEJO_TOKEN-
backed steps (checkout, tag fetch, tag push) keep using the auto-token
because they only operate on this repo. The whoami diagnostic step now
identifies the dispatch token, which is the one whose identity actually
matters when the dispatch goes wrong.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

rcsheets deleted branch fix/cross-repo-dispatch-token 2026-04-30 10:08:06 +00:00
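
The dispatch step described in this PR, sketched as an added example; it is not the workflow code from the PR itself. The server URL, the workflow file name `deploy.yml`, the ref `main` and all function names are assumptions, and the 401/403 messages reflect typical Forgejo API behaviour rather than anything stated on this page.

```shell
#!/bin/sh
# Added example: preflight, whoami and dispatch for a cross-repo deploy.
# Assumed placeholders (not from the PR): FORGEJO_URL, deploy.yml, ref "main".
FORGEJO_URL="${FORGEJO_URL:-https://forgejo.example.invalid}"
TARGET_REPO="brooktrails/infra"        # target repo named in the PR description
WORKFLOW="${WORKFLOW:-deploy.yml}"     # placeholder workflow file name

# Fail loudly when the PAT secret was never configured.
require_dispatch_token() {
  if [ -z "${INFRA_DISPATCH_TOKEN:-}" ]; then
    echo "ERROR: INFRA_DISPATCH_TOKEN is empty; add a PAT with write:repository on $TARGET_REPO as a repo secret" >&2
    return 1
  fi
}

# Report which account owns the dispatch token (diagnostic only, never fatal).
dispatch_whoami() {
  body=$(curl -sS -H "Authorization: token $INFRA_DISPATCH_TOKEN" \
    "$FORGEJO_URL/api/v1/user") || { echo "unknown"; return 0; }
  login=$(printf '%s' "$body" |
    sed -n 's/.*"login"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  echo "${login:-unknown}"
}

# Turn the HTTP status of the dispatch call into an actionable message.
explain_status() {
  case "$1" in
    2??) echo "dispatched"; return 0 ;;
    401) echo "token rejected: expired or revoked PAT" ;;
    403) echo "token is valid but lacks the required scope" ;;
    404) echo "token cannot see $TARGET_REPO (repo-scoped auto-token, or PAT owner has no access)" ;;
    *)   echo "unexpected HTTP status: $1" ;;
  esac
  return 1
}

# Usage: dispatch_deploy [ref]
dispatch_deploy() {
  require_dispatch_token || return 1
  echo "dispatching as: $(dispatch_whoami)" >&2
  status=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
    -H "Authorization: token $INFRA_DISPATCH_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"ref\":\"${1:-main}\"}" \
    "$FORGEJO_URL/api/v1/repos/$TARGET_REPO/actions/workflows/$WORKFLOW/dispatches")
  explain_status "$status" >&2
}
```

The token is only ever passed in the `Authorization` header and never echoed, so the whoami line can be logged without exposing the secret.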
Reference
brooktrails/brooktrails-web!7