fix: add auth header to wget for private repo download #128

Merged
forgejo_admin merged 1 commit from 226-fix-wget-auth into main 2026-03-28 16:44:50 +00:00

Summary

  • The update-kustomize-tag CI step downloads update-kustomize-tag.sh from pal-e-platform via wget, but gets a 404 because the repo is private
  • Added Authorization: token header using the existing FORGEJO_TOKEN secret

Changes

  • .woodpecker.yaml: added --header="Authorization: token ${FORGEJO_TOKEN}" to the wget command in the update-kustomize-tag step

Test Plan

  • Merge and trigger a main-branch pipeline
  • The update-kustomize-tag step downloads the script successfully instead of 404ing
  • No regressions in validate or build-and-push steps

Review Checklist

  • Passed automated review-fix loop
  • No secrets committed
  • No unnecessary file changes
  • Commit messages are descriptive

Related Notes

  • Closes forgejo_admin/pal-e-platform#226
  • pal-e-platform — the parent repo whose private raw endpoint requires auth

The update-kustomize-tag.sh download fails with 404 because
pal-e-platform is a private repo. Add Authorization header using
the existing FORGEJO_TOKEN secret.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author
Owner

QA Review

Diff: +1 line, 0 deletions, 1 file changed (.woodpecker.yaml)

Findings

  1. Auth header correctness -- --header="Authorization: token ${FORGEJO_TOKEN}" is the correct Forgejo API token auth format for raw file downloads. Confirmed.
  2. Secret availability -- FORGEJO_TOKEN is already defined in the step's environment block via from_secret: forgejo_token. No new secrets needed.
  3. wget flag placement -- The --header flag is placed between -O /tmp/... and the URL, which is valid wget syntax. Multi-line continuation with indentation matches the existing YAML style.
  4. No scope creep -- Only the wget line is touched. No other steps, images, or config changed.
  5. No secrets exposed -- The token is injected at runtime from Woodpecker secrets, not hardcoded.

SOP Compliance

  • Single-purpose PR matching issue scope
  • PR body has all required sections
  • Closes reference links to parent issue (forgejo_admin/pal-e-platform#226)
  • Commit message is descriptive

VERDICT: APPROVE -- Minimal, correct fix. No issues found.

forgejo_admin deleted branch 226-fix-wget-auth 2026-03-28 16:44:50 +00:00
Reference
forgejo_admin/westside-app!128