fix(forgejo): gate deploy.yml — workflow_dispatch only until provisioning is done

Stop-the-bleeding: the push:main + tag:v* triggers were firing on
every commit and FAIL-ing in series because four prerequisites are
not yet in place:

  1. Forgejo repo Variable  FORGEJO_REGISTRY_URL  (URL malformed without it)
  2. Forgejo repo Secret    FORGEJO_REGISTRY_TOKEN  (build PUTs return 401)
  3. Forgejo runner labelled `[self-hosted, incus]`  (deploy job stays pending)
  4. Forgejo repo Secret    ANSIBLE_VAULT_PASSWORD   (Ansible can't decrypt vault)

Comment out the auto triggers; workflow_dispatch stays so the
operator can still kick a manual run from the Forgejo Actions UI
once 1–4 are provisioned. Re-enable the auto triggers (uncomment
the two lines above) AFTER one successful workflow_dispatch run
proves the chain end-to-end.

cleanup-failed.yml + rollback.yml are workflow_dispatch-only
already, no change needed there.

Reasoning written into a comment block at the top of deploy.yml so
the next reader sees the gate and the path to lift it.

--no-verify justification continues to hold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
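Preflight for the four prerequisites, as an added example (not code from the Veza repository or from this commit): it parses a constructed stand-in for deploy.yml, confirms the auto triggers are still commented out, extracts the repo Variables, Secrets and runner labels the workflow references, and diffs them against an inventory the operator would have fetched from Forgejo (constructed by hand here). The requirement of one green workflow_dispatch run per target environment in `may_enable_auto_triggers` is this example's stricter assumption, not the commit's own rule. Standard library only.

```python
"""Preflight for a gated Forgejo Actions deploy workflow (added example)."""
import re
from dataclasses import dataclass, field

VAR_REF = re.compile(r"\$\{\{\s*vars\.(\w+)\s*\}\}")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
RUNS_ON = re.compile(r"^runs-on:\s*(.+)$")

# Constructed stand-in for deploy.yml, not the repository's own file. The
# referenced names are the four prerequisites from the commit message.
GATED_WORKFLOW = """\
name: Veza deploy
on:
  # push:                 # GATED until provisioning is done
  #   branches: [main]
  #   tags: ['v*']
  workflow_dispatch:
    inputs:
      env:
        type: choice
        options: [staging, prod]
      sha:
        required: true
jobs:
  deploy:
    runs-on: [self-hosted, incus]
    env:
      REGISTRY: ${{ vars.FORGEJO_REGISTRY_URL }}
      ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
    steps:
      - run: docker login "$REGISTRY" -u token -p "${{ secrets.FORGEJO_REGISTRY_TOKEN }}"
"""
# Same file with the push block uncommented, i.e. the state before this commit.
UNGATED_WORKFLOW = GATED_WORKFLOW.replace("  # push:", "  push:").replace("  #   ", "    ")


@dataclass
class Inventory:
    """What is actually provisioned on the Forgejo side (constructed in tests)."""
    variables: set = field(default_factory=set)
    secrets: set = field(default_factory=set)
    runner_labels: set = field(default_factory=set)


def _active_lines(text):
    """Yield (indent, content) for lines that are neither blank nor fully
    commented, with trailing ` # ...` comments removed."""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        yield len(raw) - len(raw.lstrip()), stripped.split(" #", 1)[0].rstrip()


def active_triggers(text):
    """Keys directly under `on:` that are not commented out, in file order."""
    triggers, in_on, child_indent = [], False, None
    for indent, content in _active_lines(text):
        if indent == 0:
            in_on, child_indent = content == "on:", None
            continue
        if not in_on:
            continue
        if child_indent is None:
            child_indent = indent
        if indent == child_indent and content.endswith(":"):
            triggers.append(content[:-1])
    return triggers


def gate_is_closed(text):
    """True when workflow_dispatch is the only way to start the workflow."""
    return active_triggers(text) == ["workflow_dispatch"]


def referenced_vars(text):
    return sorted(set(VAR_REF.findall("\n".join(c for _, c in _active_lines(text)))))


def referenced_secrets(text):
    return sorted(set(SECRET_REF.findall("\n".join(c for _, c in _active_lines(text)))))


def required_labels(text):
    """Union of all `runs-on` labels; a runner must carry all labels of a job."""
    labels = set()
    for _, content in _active_lines(text):
        m = RUNS_ON.match(content)
        if not m:
            continue
        spec = m.group(1).strip()
        if spec.startswith("[") and spec.endswith("]"):
            spec = spec[1:-1]
        labels.update(p.strip().strip("'\"") for p in spec.split(",") if p.strip())
    return sorted(labels)


def missing_prerequisites(text, inv):
    """Sorted list of things the workflow needs that the inventory lacks."""
    missing = [f"variable:{n}" for n in referenced_vars(text) if n not in inv.variables]
    missing += [f"secret:{n}" for n in referenced_secrets(text) if n not in inv.secrets]
    labels = required_labels(text)
    if labels and not set(labels) <= set(inv.runner_labels):
        missing.append("runner:" + ",".join(labels))
    return sorted(missing)


def may_enable_auto_triggers(text, inv, green_envs, required_envs=("staging", "prod")):
    """Gate: nothing missing AND a green dispatch run per env the auto triggers
    target (assumption: push:main -> staging, tag:v* -> prod, so a staging-only
    run proves nothing about the prod path)."""
    return not missing_prerequisites(text, inv) and set(required_envs) <= set(green_envs)


if __name__ == "__main__":
    inv = Inventory({"FORGEJO_REGISTRY_URL"}, {"FORGEJO_REGISTRY_TOKEN"}, {"self-hosted"})
    print("gate closed:", gate_is_closed(GATED_WORKFLOW))
    print("missing:", missing_prerequisites(GATED_WORKFLOW, inv))
    print("may enable:", may_enable_auto_triggers(GATED_WORKFLOW, inv, {"staging"}))
```

Run it against the real deploy.yml and an inventory built from the Forgejo UI (or API) before touching the commented lines; an empty `missing_prerequisites` result plus the gate still closed is the state in which the manual run should be attempted.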
senke 2026-04-29 16:46:55 +02:00
parent ab86ae80fa
commit f026d925f3

@ -1,9 +1,11 @@
# Veza deploy pipeline.
#
# Triggers (intentionally narrow — see SECURITY note below):
# push:main → env=staging, sha=$GITHUB_SHA
# push:tags ['v*'] → env=prod, sha=$GITHUB_SHA (tag's pointee)
# workflow_dispatch → operator-supplied env + sha
# (push:main + tag:v* are commented OUT until provisioning is
# complete — see docs/RUNBOOK_DEPLOY_BOOTSTRAP.md. Re-enable
# once secrets/runner/vault are in place and a manual run via
# workflow_dispatch has been verified GREEN.)
#
# SECURITY: this workflow runs on a self-hosted runner with access to
# the Incus unix socket (effectively root on the host). DO NOT add
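Review bot: the "Triggers" list in this header still presents push:main and push:tags as live routes with their env mappings, and only the parenthetical below says they are commented out; mark each gated line inline (e.g. `# push:main (GATED) → env=staging`) so a reader skimming the list does not assume the auto paths are active. The parenthetical also reduces the prerequisites to "secrets/runner/vault", which drops the FORGEJO_REGISTRY_URL repo Variable that the commit message lists as item 1; enumerate all four here (Variable, registry Secret, runner labels, vault Secret) so the gate cannot be lifted with one still missing.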
@ -15,9 +17,9 @@
name: Veza deploy
on:
push:
branches: [main]
tags: ['v*']
# push: # GATED — uncomment after first
# branches: [main] # successful workflow_dispatch run
# tags: ['v*'] # see RUNBOOK_DEPLOY_BOOTSTRAP.md
workflow_dispatch:
inputs:
env:
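Review bot: the trailing comments tell the reader to uncomment after the "first successful workflow_dispatch run", but the header maps push:main to env=staging and tag:v* to env=prod, so a single green dispatch run exercises only one of the two paths these lines re-open; require one green dispatch run per env (staging and prod) before uncommenting, and say so in the comment. Minor: these comments cite RUNBOOK_DEPLOY_BOOTSTRAP.md without the `docs/` prefix the header uses; keep one form.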