Fix Forgejo push auth bootstrap

README.md

@@ -69,6 +69,9 @@ Bootstrap the app namespace, secrets, and Forgejo repo settings from this repo:
 bash scripts/deploy/bootstrap.sh
 ```
 
+That bootstrap also refreshes the local `forgejo` remote URL for HTTPS pushes
+when it has enough auth material to do so.
+
 By default, the script uses the adjacent platform checkout at `../unrip3` for:
 - `kubeconfig.yaml`
 - `kubeconfig.incluster.yaml`

scripts/deploy/bootstrap.sh

@@ -13,6 +13,7 @@ PROJECT_NAMESPACE="${PROJECT_NAMESPACE:-$PROJECT_NAME}"
 PROJECT_DEPLOYMENTS="${PROJECT_DEPLOYMENTS:-near-intents-ingest,dummy-reactor,dummy-executor,dummy-consumer}"
 PROJECT_REGISTRY_SECRET_NAME="${PROJECT_REGISTRY_SECRET_NAME:-${PROJECT_NAME}-registry-creds}"
 APP_SECRET_NAME="${APP_SECRET_NAME:-${PROJECT_NAME}-secrets}"
+SYNC_FORGEJO_REMOTE="${SYNC_FORGEJO_REMOTE:-1}"
 
 require() {
   command -v "$1" >/dev/null 2>&1 || {
@@ -174,6 +175,25 @@ python3 "$ROOT_DIR/scripts/deploy/forgejo_repo_bootstrap.py" \
   --project-registry-secret-name "$PROJECT_REGISTRY_SECRET_NAME" \
   "${forgejo_args[@]}"
 
+if [[ "$SYNC_FORGEJO_REMOTE" == "1" ]]; then
+  : "${FORGEJO_PUSH_USERNAME:=${FORGEJO_API_USERNAME:-$FORGEJO_REPO_OWNER}}"
+  : "${FORGEJO_PUSH_PASSWORD:=${FORGEJO_ADMIN_PASSWORD:-${FORGEJO_API_PASSWORD:-}}}"
+
+  if [[ -n "${FORGEJO_PUSH_USERNAME:-}" && -n "${FORGEJO_PUSH_PASSWORD:-}" ]]; then
+    push_url="$(
+      python3 - "$FORGEJO_URL" "$FORGEJO_REPO_OWNER" "$FORGEJO_REPO_NAME" "$FORGEJO_PUSH_USERNAME" "$FORGEJO_PUSH_PASSWORD" <<'PY'
+import sys
+from urllib.parse import quote
+
+base_url, owner, repo, username, password = sys.argv[1:]
+print(f"{base_url.rstrip('/')}".replace('://', f'://{quote(username, safe="")}:{quote(password, safe="")}@') + f'/{owner}/{repo}.git')
+PY
+    )"
+    git -C "$ROOT_DIR" remote set-url "$FORGEJO_REMOTE_NAME" "$push_url"
+    echo "updated git remote $FORGEJO_REMOTE_NAME for HTTPS push auth"
+  fi
+fi
+
 cat <<EOF
 bootstrap complete