CI clone fails with TLS error — needs internal k8s service URL #214

New issue

Closed

opened 2026-03-25 13:37:52 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented

2026-03-25 13:37:52 +00:00

Owner

Type

Feature

Lineage

Standalone — no plan. Mirrors pal-e-platform PR #134 fix.

Repo

forgejo_admin/pal-e-docs

User Story

As a developer
I want CI pipelines to clone via the internal k8s service URL
So that pipelines stop failing with TLS errors on the external Tailscale URL

Context

Woodpecker pipelines 40-43 all fail at the clone step with:

fatal: unable to access 'https://forgejo.../pal-e-docs.git/': TLS connect error: error:0A000126:SSL routines::unexpected eof while reading

The default Woodpecker clone uses the external HTTPS/Tailscale URL. This was already fixed in pal-e-platform (PR #134) by adding a custom clone block that uses the internal k8s service URL: http://forgejo-http.forgejo.svc.cluster.local:80/. The same fix needs to be applied here.

File Targets

Files the agent should modify:

.woodpecker.yaml -- add custom clone block with internal service URL

Files the agent should NOT touch:

src/ -- no application code changes needed

Acceptance Criteria

When a pipeline runs, it clones via http://forgejo-http.forgejo.svc.cluster.local:80/ instead of the external HTTPS URL
When a PR pipeline runs, the forgejo_token secret is available for clone auth

Test Expectations

Next pipeline after merge clones successfully
PR-triggered pipelines also clone successfully
Run command: trigger a pipeline manually or push a commit

Constraints

Must match the clone pattern from pal-e-platform .woodpecker.yaml
The forgejo_token Woodpecker secret must have pull_request event access

Checklist

PR opened
Tests pass
No unrelated changes

pal-e-platform -- PR #134 established this pattern

### Type Feature ### Lineage Standalone — no plan. Mirrors pal-e-platform PR #134 fix. ### Repo `forgejo_admin/pal-e-docs` ### User Story As a developer I want CI pipelines to clone via the internal k8s service URL So that pipelines stop failing with TLS errors on the external Tailscale URL ### Context Woodpecker pipelines 40-43 all fail at the clone step with: ``` fatal: unable to access 'https://forgejo.../pal-e-docs.git/': TLS connect error: error:0A000126:SSL routines::unexpected eof while reading ``` The default Woodpecker clone uses the external HTTPS/Tailscale URL. This was already fixed in pal-e-platform (PR #134) by adding a custom clone block that uses the internal k8s service URL: `http://forgejo-http.forgejo.svc.cluster.local:80/`. The same fix needs to be applied here. ### File Targets Files the agent should modify: - `.woodpecker.yaml` -- add custom clone block with internal service URL Files the agent should NOT touch: - `src/` -- no application code changes needed ### Acceptance Criteria - [ ] When a pipeline runs, it clones via `http://forgejo-http.forgejo.svc.cluster.local:80/` instead of the external HTTPS URL - [ ] When a PR pipeline runs, the `forgejo_token` secret is available for clone auth ### Test Expectations - [ ] Next pipeline after merge clones successfully - [ ] PR-triggered pipelines also clone successfully - Run command: trigger a pipeline manually or push a commit ### Constraints - Must match the clone pattern from pal-e-platform `.woodpecker.yaml` - The `forgejo_token` Woodpecker secret must have `pull_request` event access ### Checklist - [ ] PR opened - [ ] Tests pass - [ ] No unrelated changes ### Related - `pal-e-platform` -- PR #134 established this pattern