From 701b73bf539913e8f674c2c8ede7c5e5c98575ab Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 21 May 2026 09:12:20 +0000
Subject: [PATCH] forgejo: disable source archive ZIP/TAR downloads
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bot crawlers were hitting ///archive/.zip on the dot_files repo (vim-plugin source trees) — each request synthesised a fresh ZIP from git history, taking 9.9s and returning 500 under sustained load. Cost: ~440m sustained forgejo CPU.

Toggle: FORGEJO__repository__DISABLE_DOWNLOAD_SOURCE_ARCHIVES=true. /archive/* URLs now 404; git clone / OCI registry / API unaffected.

Measured: forgejo pod 440-573m -> 60m steady-state (~85% drop).

(Pod rollout took ~7min on the new RS due to kubelet's recursive chown of the 2700+ files in the data PVC — fsGroupChangePolicy is unset and defaults to Always; could be set to OnRootMismatch later.)
---
 stacks/forgejo/main.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf
index 6a6ef3f9..fe5db970 100644
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@@ -141,6 +141,16 @@ resource "kubernetes_deployment" "forgejo" {
 name = "FORGEJO__packages__ENABLED"
 value = "true"
 }
+ # Disable source archive ZIP/TAR generation. Bots crawling
+ # ///archive/.zip on dot_files (and similar
+ # vim-plugin trees) caused 9.9s 500s and chewed ~440m sustained
+ # CPU. Git clone / OCI registry / API are unaffected — only
+ # /archive/* URLs return 404 now. Toggle back to "false" if a
+ # legitimate consumer needs source ZIPs.
+ env {
+ name = "FORGEJO__repository__DISABLE_DOWNLOAD_SOURCE_ARCHIVES"
+ value = "true"
+ }
 volume_mount {
 name = "data"
 mount_path = "/data"
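Review bot: The new comment's closing advice, `Toggle back to "false" if a legitimate consumer needs source ZIPs`, would reopen exactly the unauthenticated, CPU-bound endpoint this env var is shutting off, so it should state the precondition — something like `# Re-enabling restores an unauthenticated, CPU-heavy endpoint: put an ingress rate limit or a robots.txt Disallow on /archive/ in front of it first.` The same comment reads `///archive/.zip`, which looks like angle-bracket placeholders lost in rendering; if the file really reads that way, spell it as `/{owner}/{repo}/archive/{ref}.zip` so the path is meaningful to the next reader. The hard-coded `"true"` is consistent with the neighbouring `FORGEJO__packages__ENABLED` env block, so no change is needed there. The enclosing `resource "kubernetes_deployment" "forgejo"` block starts and ends outside the hunk.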