From 6f41de71fa7ada222ee0cf0b646065f6c93a133b Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 12 Jun 2026 22:32:08 +0000
Subject: [PATCH] offinfra-onboard: normalize Woodpecker repo to untrusted [ci skip]

Trusted repos get netrc injected into every step container; the non-root bitnami/kubectl deploy step dies with '//.netrc: Permission denied' (hit live on f1-stream's reactivated old-era repo 10, which carried trusted=true; tripit 167 is untrusted and works).
Co-Authored-By: Claude Fable 5
---
 scripts/offinfra-onboard | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/scripts/offinfra-onboard b/scripts/offinfra-onboard
index d8115d78..28f8971f 100755
--- a/scripts/offinfra-onboard
+++ b/scripts/offinfra-onboard
@@ -132,6 +132,16 @@ else
 log "Woodpecker repo id = $WP_REPO_ID"
 fi
+# Normalize repo settings: TRUSTED repos get netrc injected into EVERY step
+# container; bitnami/kubectl (non-root, HOME=/) then dies with
+# "//.netrc: Permission denied" (hit live on f1-stream repo 10, an old-era
+# registration that carried trusted=true; tripit 167 is untrusted and works).
+if [ "$DRY_RUN" = 0 ]; then
+ run WP -X PATCH "$WP_API/repos/$WP_REPO_ID" \
+ -d '{"trusted":{"network":false,"volumes":false,"security":false}}' >/dev/null \
+ && log "Woodpecker repo settings normalized (untrusted)"
+fi
+
 # --- 5) Render workflow + deploy files into the clone ---
 DEPLOY_CMDS=""
 for d in "${DEPLOYS[@]}"; do
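Review bot: A failed PATCH goes unnoticed in the added `run WP ... >/dev/null && log ...` list: the success message is just skipped, a failing non-final command in an `&&` list does not trip `set -e` (if the script sets it), and onboarding continues with the repo still trusted. That matters beyond the netrc error, because the `network`/`volumes`/`security` flags being cleared are extra privileges for pipeline steps, which the comment could state as a second reason. I would fail closed by turning the list into `if ! run WP -X PATCH ... >/dev/null; then log "ERROR: could not set Woodpecker repo $WP_REPO_ID untrusted"; exit 1; fi` and keeping the existing `log` line after it. `run` and `WP` are defined outside the hunk; if `WP` wraps curl without `--fail`, an HTTP 4xx/5xx would still exit 0 and the "normalized" line would be logged, so the HTTP status should be checked too, since `>/dev/null` discards the response body.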