Spike: CI bootstrap resilience — merge path when CI is broken #125

Closed
opened 2026-03-21 15:03:08 +00:00 by forgejo_admin · 1 comment

Type

Spike

Lineage

plan-pal-e-platform → Platform Hardening — standalone, emerged from incident (PR #124 force merge)

Repo

forgejo_admin/pal-e-platform + forgejo_admin/pal-e-services

Question

What is the enterprise-grade solution for merging platform fixes when CI itself is broken? Specifically: how do we avoid force: true merges while still having required CI checks?

What to Explore

  • Forgejo branch protection: Does the Terraform Forgejo provider support "allow admin bypass" for required checks? Check pal-e-services/terraform/ for branch protection config.
  • Woodpecker clone resilience: Can the clone step fall back from internal URL to external URL if internal fails? Is there a retry/backoff option?
  • CI bypass label: Can Forgejo be configured to skip required checks when a specific label (e.g., ci:bootstrap-fix) is applied? Is this a branch protection feature or would it need a Woodpecker plugin?
  • Separation of concerns: Is it architecturally possible to decouple Woodpecker from the Forgejo it's testing on a single-node cluster? Evaluate the trade-offs.
  • Precedent: How do GitLab, GitHub, and other platforms handle this? Is "allow admin merge" the industry standard?

Success Criteria

  • Question answered with evidence — recommended approach documented
  • Trade-offs of each option evaluated (security vs. resilience vs. complexity)
  • Follow-up feature ticket created with the chosen approach
  • Or: "admin bypass" is sufficient and just needs IaC config

Time-box

1 session. If no clear answer, document findings and escalate.

Related

  • pal-e-platform — project board
  • Issue #121 — the Forgejo IPv4 incident that exposed this gap
  • PR #124 — force merged to break the chicken-and-egg cycle
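The "Woodpecker clone resilience" question above (internal URL first, external URL as a fallback, with retry and backoff) as an added example. This script is not part of the issue, of pal-e-platform or of pal-e-services; it is a POSIX sh replacement for Woodpecker's built-in clone step. The URL pair, the retry count, the backoff base, the `CLONE_CMD` override and the `CLONE_SOURCE` variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not pal-e-platform code): a clone step that tries several
# URLs in order, each with retries and exponential backoff, so a broken
# internal route does not block CI when the external route still works.
# The defaults below are assumptions; tune them for the cluster.

: "${CLONE_CMD:=git clone --depth=50}"   # overridable (tests swap in a stub)
: "${CLONE_RETRIES:=3}"                  # attempts per URL
: "${CLONE_BACKOFF:=2}"                  # seconds before the 2nd attempt, doubling after that
CLONE_SOURCE=""                          # records which URL finally worked

# try_clone DEST URL [URL...]
# Tries each URL in the given order; every URL gets CLONE_RETRIES attempts.
# Returns 0 on the first successful clone, 1 when every URL is exhausted.
try_clone() {
    dest=$1
    shift
    for url in "$@"; do
        attempt=1
        delay=$CLONE_BACKOFF
        while [ "$attempt" -le "$CLONE_RETRIES" ]; do
            if $CLONE_CMD "$url" "$dest"; then
                CLONE_SOURCE=$url
                echo "clone ok: $url (attempt $attempt)"
                return 0
            fi
            echo "clone failed: $url (attempt $attempt/$CLONE_RETRIES)" >&2
            rm -rf "$dest"               # never leave a half-written checkout behind
            if [ "$attempt" -lt "$CLONE_RETRIES" ]; then
                sleep "$delay"
                delay=$((delay * 2))
            fi
            attempt=$((attempt + 1))
        done
    done
    return 1
}

# Typical invocation inside the pipeline step (hypothetical hostnames):
# internal service URL first, public HTTPS URL as the fallback.
# try_clone "$CI_WORKSPACE/src" \
#     "http://forgejo.forgejo.svc:3000/${CI_REPO}.git" \
#     "https://forgejo.example.org/${CI_REPO}.git"
```

To wire this in, set `skip_clone: true` at the top of the Woodpecker pipeline and run the script as the first step; the step still has to check out `$CI_COMMIT_SHA` afterwards, which the default clone plugin would otherwise do. Two caveats a reviewer should insist on: the fallback URL must be HTTPS with normal certificate verification (the runner is leaving the cluster network for that clone), and a build that reaches the fallback should say so loudly (the `clone ok:` line and `CLONE_SOURCE` exist for exactly that) so a silently degraded internal route is noticed rather than masked.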
Comment by forgejo_admin (Author, Owner):

Scope Review: READY

Review note: review-231-2026-03-22
Spike scope is well-defined and time-boxed. All exploration targets verified. Bonus finding: branch protection is NOT in IaC anywhere (forgejo_repository_branch_protection resources absent from pal-e-services). Clone step uses internal URL only with no fallback -- validates the spike's premise. Points=3 appropriate.

forgejo_admin 2026-03-22 19:04:55 +00:00