Fix PyPI publish: use internal Forgejo URL for twine upload #16

New issue

Closed

opened 2026-03-06 15:33:34 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented

2026-03-06 15:33:34 +00:00

Owner

Plan

todo-woodpecker-tls-clone-fix -- same TLS funnel root cause

Repo

forgejo_admin/pal-e-docs-mcp

User Story

As a platform operator
I want the twine publish step to upload packages to Forgejo PyPI via the internal k8s service
So that package uploads stop failing with TLS EOF errors through the Tailscale funnel

Context

The Woodpecker pipeline's publish step uses twine to upload to a Forgejo PyPI registry. The URL comes from the FORGEJO_PYPI_URL environment variable (sourced from a Woodpecker secret). This URL points to the external Tailscale funnel which causes TLS EOF from inside the cluster.

The fix: change the publish step to use the internal Forgejo URL directly in the commands instead of relying on the secret, OR override the environment variable in the YAML to use http://forgejo-http.forgejo.svc.cluster.local.

Pipeline #21 shows: clone SUCCESS, lint SUCCESS, publish FAILURE.

File Targets

Files the agent should modify:

.woodpecker.yml -- change the FORGEJO_PYPI_URL environment source from from_secret to a hardcoded internal URL: http://forgejo-http.forgejo.svc.cluster.local/api/packages/forgejo_admin/pypi

Files the agent should NOT touch:

Any other files

Acceptance Criteria

publish step uses the internal Forgejo URL for PyPI uploads
All other settings (credentials, build commands) are unchanged

Test Expectations

Push to main triggers a successful pipeline (all steps pass)
YAML syntax: validate with python3 -c "import yaml; yaml.safe_load(open('.woodpecker.yml'))"

Constraints

Only change the PyPI URL -- nothing else
Do NOT access pal-e-docs MCP tools

Checklist

PR opened
No unrelated changes

todo-woodpecker-tls-clone-fix -- root cause documentation
project-pal-e-platform -- platform stability
Issue #14 -- clone fix (same root cause)

### Plan `todo-woodpecker-tls-clone-fix` -- same TLS funnel root cause ### Repo `forgejo_admin/pal-e-docs-mcp` ### User Story As a platform operator I want the twine publish step to upload packages to Forgejo PyPI via the internal k8s service So that package uploads stop failing with TLS EOF errors through the Tailscale funnel ### Context The Woodpecker pipeline's `publish` step uses twine to upload to a Forgejo PyPI registry. The URL comes from the `FORGEJO_PYPI_URL` environment variable (sourced from a Woodpecker secret). This URL points to the external Tailscale funnel which causes TLS EOF from inside the cluster. The fix: change the `publish` step to use the internal Forgejo URL directly in the commands instead of relying on the secret, OR override the environment variable in the YAML to use `http://forgejo-http.forgejo.svc.cluster.local`. Pipeline #21 shows: clone SUCCESS, lint SUCCESS, publish FAILURE. ### File Targets Files the agent should modify: - `.woodpecker.yml` -- change the `FORGEJO_PYPI_URL` environment source from `from_secret` to a hardcoded internal URL: `http://forgejo-http.forgejo.svc.cluster.local/api/packages/forgejo_admin/pypi` Files the agent should NOT touch: - Any other files ### Acceptance Criteria - [ ] `publish` step uses the internal Forgejo URL for PyPI uploads - [ ] All other settings (credentials, build commands) are unchanged ### Test Expectations - [ ] Push to main triggers a successful pipeline (all steps pass) - YAML syntax: validate with `python3 -c "import yaml; yaml.safe_load(open('.woodpecker.yml'))"` ### Constraints - Only change the PyPI URL -- nothing else - Do NOT access pal-e-docs MCP tools ### Checklist - [ ] PR opened - [ ] No unrelated changes ### Related - `todo-woodpecker-tls-clone-fix` -- root cause documentation - `project-pal-e-platform` -- platform stability - Issue #14 -- clone fix (same root cause)