Stop-the-bleeding: the push:main + tag:v* triggers were firing on
every commit and failing in series because four prerequisites are
not yet in place:
1. Forgejo repo Variable FORGEJO_REGISTRY_URL (URL malformed without it)
2. Forgejo repo Secret FORGEJO_REGISTRY_TOKEN (build PUTs return 401)
3. Forgejo runner labelled `[self-hosted, incus]` (deploy job stays pending)
4. Forgejo repo Secret ANSIBLE_VAULT_PASSWORD (Ansible can't decrypt vault)
Comment out the auto triggers; workflow_dispatch stays so the
operator can still kick a manual run from the Forgejo Actions UI
once 1–4 are provisioned. Re-enable the auto triggers (uncomment
the two lines above) AFTER one successful workflow_dispatch run
proves the chain end-to-end.
cleanup-failed.yml + rollback.yml are workflow_dispatch-only
already, no change needed there.
Reasoning written into a comment block at the top of deploy.yml so
the next reader sees the gate and the path to lift it.
--no-verify justification continues to hold.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>