forgejo: disable source archive ZIP/TAR downloads

Bot crawlers were hitting /<owner>/<repo>/archive/<sha>.zip on the
dot_files repo (vim-plugin source trees) — each request synthesised a
fresh ZIP from git history, taking 9.9s and returning 500 under
sustained load. Cost: ~440m sustained forgejo CPU.

Toggle: FORGEJO__repository__DISABLE_DOWNLOAD_SOURCE_ARCHIVES=true.
/archive/* URLs now 404; git clone / OCI registry / API unaffected.

Measured: forgejo pod 440-573m -> 60m steady-state (~85% drop).

(Pod rollout took ~7min on the new RS due to kubelet's recursive
chown of the 2700+ files in the data PVC — fsGroupChangePolicy is
unset and defaults to Always; could be set to OnRootMismatch later.)
Viktor Barzin 2026-05-21 09:12:20 +00:00
parent b92e1166a8
commit 701b73bf53

@ -141,6 +141,16 @@ resource "kubernetes_deployment" "forgejo" {
name = "FORGEJO__packages__ENABLED"
value = "true"
}
# Disable source archive ZIP/TAR generation. Bots crawling
# /<owner>/<repo>/archive/<sha>.zip on dot_files (and similar
# vim-plugin trees) caused 9.9s 500s and chewed ~440m sustained
# CPU. Git clone / OCI registry / API are unaffected only
# /archive/* URLs return 404 now. Toggle back to "false" if a
# legitimate consumer needs source ZIPs.
env {
name = "FORGEJO__repository__DISABLE_DOWNLOAD_SOURCE_ARCHIVES"
value = "true"
}
volume_mount {
name = "data"
mount_path = "/data"
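
Review bot: The comment above the new env block runs two clauses together at "API are unaffected only /archive/* URLs return 404 now"; put a separator after "unaffected" so it cannot be read as "unaffected only". The comment should also say that the setting applies to the whole instance, so every repository loses source archive downloads, not only dot_files and the similar vim-plugin trees it names. If the API offers its own archive download, state whether this toggle covers it, because "API unaffected" can be read either way and an uncovered endpoint would leave the same on-demand archive generation reachable by crawlers. Since the comment invites toggling back to "false", note what should accompany that (for example rate limiting or blocking crawlers on /archive/*), otherwise reverting restores the CPU load described here.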