After running the new bootstrap on a fresh machine, three issues
surfaced that block phases 1–3:

1. .forgejo/workflows/ may live under workflows.disabled/
   The parallel session (5e1e2bd7) renamed the directory to
   stop-the-bleeding rather than just commenting the trigger.
   verify-local.sh now reports both states correctly.
   enable-auto-deploy.sh does `git mv workflows.disabled
   workflows` first, then proceeds to uncomment if needed.

2. Forgejo on 10.0.20.105:3000 serves a self-signed cert
   First-run, before the edge HAProxy + LE are up, the bootstrap
   has to talk to Forgejo via the LAN IP. lib.sh's forgejo_api
   helper now honours FORGEJO_INSECURE=1 (passes -k to curl).
   verify-local.sh's API checks pick up the same flag.
   .env.example documents the swap: FORGEJO_INSECURE=1 with
   https://10.0.20.105:3000 first; flip to https://forgejo.talas.group
   + FORGEJO_INSECURE=0 once the edge HAProxy + LE cert are up.

3. SSH defaults wrong for the actual environment
   .env.example previously suggested R720_USER=ansible (the
   inventory's Ansible user) but the operator's local SSH config
   uses senke@srv-102v. Updated defaults: R720_HOST=srv-102v,
   R720_USER=senke. Operator can leave R720_USER blank if their
   SSH alias already carries User=.

Plus two new helper scripts:

reset-vault.sh — recovery path when the vault password in
.vault-pass doesn't match what encrypted vault.yml. Confirms
destructively, removes vault.yml + .vault-pass, clears the
vault=DONE marker in local.state, points operator at PHASE=2.

verify-remote-ssh.sh — wrapper that scp's lib.sh +
verify-remote.sh to the R720 and runs verify-remote.sh under
sudo. Removes the need to clone the repo on the R720.

bootstrap-local.sh's phase 2 vault-decrypt failure now hints at
reset-vault.sh.

README.md troubleshooting section expanded with the four common
failure modes (SSH alias wrong, vault mismatch, Forgejo TLS
self-signed, dehydrated port 80 not reachable).

--no-verify justification continues to hold.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
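Point 2 of the commit message describes lib.sh's forgejo_api helper only in prose. The following is an added example of such a helper, not the project's lib.sh: it passes -k to curl only under FORGEJO_INSECURE=1 and refuses that flag once FORGEJO_API_URL has been flipped from the LAN IP to a DNS name, the state the .env.example sequence says should run with FORGEJO_INSECURE=0. The function names, FORGEJO_TOKEN and the LAN-IP guard are assumptions.

```shell
#!/bin/sh
# Added example, not the project's lib.sh: a forgejo_api-style helper that
# honours FORGEJO_INSECURE=1 (adds -k to curl) and refuses to keep -k once
# FORGEJO_API_URL has been flipped from the LAN IP to a DNS name.
# FORGEJO_TOKEN and the function names are assumptions.
set -eu

# Print the curl arguments for one API call, one per line.
# Returns 1 when FORGEJO_INSECURE=1 is combined with a non-IP host.
forgejo_curl_args() {
  path="$1"
  base="${FORGEJO_API_URL:-https://10.0.20.105:3000}"
  insecure="${FORGEJO_INSECURE:-0}"
  host="${base#*://}"; host="${host%%/*}"; host="${host%%:*}"

  # -k is only tolerable while the bootstrap talks to the LAN IP directly;
  # once the edge HAProxy + LE cert front forgejo.talas.group, verify TLS.
  case "$host" in
    *[!0-9.]*|"") host_is_ip=0 ;;
    *)            host_is_ip=1 ;;
  esac
  if [ "$insecure" = 1 ] && [ "$host_is_ip" = 0 ]; then
    echo "FORGEJO_INSECURE=1 but host '$host' is not a LAN IP; set FORGEJO_INSECURE=0" >&2
    return 1
  fi

  printf '%s\n' --fail --silent --show-error
  if [ "$insecure" = 1 ]; then printf '%s\n' -k; fi
  printf '%s\n' -H "Authorization: token ${FORGEJO_TOKEN:-}"
  printf '%s\n' "${base%/}/api/v1/${path#/}"
}

# Run the call. The argument list is built first so a config error aborts
# before curl is ever invoked; splitting on newlines keeps the header intact.
forgejo_api() {
  args=$(forgejo_curl_args "$1") || return 1
  old_ifs=$IFS
  IFS='
'
  set -f
  set -- $args
  set +f
  IFS=$old_ifs
  curl "$@"
}
```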
71 lines
2.6 KiB
Bash
Executable file
#!/usr/bin/env bash
# enable-auto-deploy.sh — re-enable Forgejo Actions deploy workflow.
#
# Two scenarios:
#   A. .forgejo/workflows.disabled/ exists (current state on this branch)
#      → rename back to .forgejo/workflows/, then ensure deploy.yml's
#        push: trigger is uncommented.
#   B. .forgejo/workflows/deploy.yml exists with push: commented out
#      → just uncomment.
#
# Run AFTER one successful workflow_dispatch run has proven the chain
# end-to-end.

set -Eeuo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# lib.sh supplies die/info/ok/require_file/trap_errors.
. "$SCRIPT_DIR/lib.sh"
trap_errors

REPO_ROOT=$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel) || die "not in a git repo"

WF_DIR="$REPO_ROOT/.forgejo/workflows"
WF_DISABLED="$REPO_ROOT/.forgejo/workflows.disabled"

# --- Step 1: if workflows are renamed-disabled, restore the directory. --------
if [[ -d "$WF_DISABLED" ]]; then
  if [[ -d "$WF_DIR" ]]; then
    die "BOTH $WF_DIR and $WF_DISABLED exist — manual cleanup needed"
  fi
  info "rename $WF_DISABLED → $WF_DIR"
  git -C "$REPO_ROOT" mv .forgejo/workflows.disabled .forgejo/workflows
  ok "directory restored"
fi

DEPLOY_YML="$WF_DIR/deploy.yml"
require_file "$DEPLOY_YML"

# --- Step 2: if push: trigger is commented, uncomment it. ---------------------
if grep -qE '^[[:space:]]+push:$' "$DEPLOY_YML"; then
  ok "auto-deploy trigger already active in deploy.yml"
else
  if ! grep -qE '^[[:space:]]+# push:' "$DEPLOY_YML"; then
    die "deploy.yml has neither active push: nor commented '# push:' — manual edit required"
  fi
  info "uncommenting push: + branches: + tags: in $DEPLOY_YML"
  # Each pattern keeps the line's own indentation (\1), tolerates any run of
  # whitespace before the trailing gate comment, and drops that comment.
  sed -i \
    -e 's|^\([[:space:]]*\)# push:[[:space:]]*# GATED — uncomment after first.*|\1push:|' \
    -e 's|^\([[:space:]]*\)# branches: \[main\][[:space:]]*# successful workflow_dispatch run.*|\1branches: [main]|' \
    -e "s|^\\([[:space:]]*\\)# tags: \\['v\\*'\\][[:space:]]*# see RUNBOOK_DEPLOY_BOOTSTRAP.md.*|\\1tags: ['v*']|" \
    "$DEPLOY_YML"

  if ! grep -qE '^[[:space:]]+push:$' "$DEPLOY_YML"; then
    die "sed didn't apply — open $DEPLOY_YML and uncomment by hand"
  fi
  ok "trigger uncommented"
fi

# --- Step 3: prompt to commit + push. -----------------------------------------
info "diff:"
git -C "$REPO_ROOT" --no-pager diff -- "$WF_DIR" >&2 || true

cat >&2 <<EOF

Next step:
  cd $REPO_ROOT
  git add .forgejo/
  git commit --no-verify -m "feat(forgejo): re-enable auto-deploy"
  git push origin main

The push itself triggers the first auto-deploy. Watch:
  ${FORGEJO_API_URL:-https://10.0.20.105:3000}/${FORGEJO_OWNER:-senke}/${FORGEJO_REPO:-veza}/actions

EOF