From 910d58920549c7baca211182c73cd40600145406 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Sat, 20 Jun 2026 08:08:50 +0000
Subject: [PATCH] fix(forgejo): raise git-op timeouts + lower gc.auto to stop
 push-mirror timeouts

The tripit Forgejo->GitHub push-mirror silently stalled: `git cat-file
--batch-all-objects` over the NFS-backed repo exceeded the default git deadline
once ~4500 loose objects accumulated (gc.auto's 6700 threshold hadn't fired), so
pushes stopped reaching GitHub and prod deploys stalled. Raise [git.timeout]
(DEFAULT/MIRROR/GC) so a slow object enumeration can't abort the mirror, and set
[git.config] gc.auto=1000 so post-push autogc + the git_gc_repos cron keep repos
packed (the real fix). A one-off forced gc already unblocked tripit; this prevents
recurrence across all repos.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 stacks/forgejo/main.tf | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf
index 6baea2d0..fd70edd2 100644
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@@ -205,6 +205,34 @@ resource "kubernetes_deployment" "forgejo" {
             name  = "FORGEJO__repository__DISABLE_DOWNLOAD_SOURCE_ARCHIVES"
             value = "true"
           }
+          # --- Mirror / git-op resilience (2026-06-19 incident). The tripit
+          # push-mirror to GitHub silently stopped: `git cat-file --batch-all-objects`
+          # over the NFS-backed repo blew the default git-op deadline (~360s) once
+          # loose objects piled up (~4500). Forgejo's git_gc_repos cron only runs
+          # `gc --auto`, whose 6700-loose threshold hadn't fired, so the repo stayed
+          # unpacked and enumeration kept slowing until the mirror aborted with
+          # "context deadline exceeded". Two-part durable fix:
+          #   1) raise git-op timeouts so a slow enumeration never aborts a
+          #      mirror/gc ([git.timeout], seconds);
+          #   2) lower gc.auto so post-push autogc + the cron keep repos PACKED —
+          #      the real fix ([git.config] gc.auto).
+          # Dotted section/key names use the _0X2E_ env-to-ini escape.
+          env {
+            name  = "FORGEJO__git_0X2E_timeout__DEFAULT"
+            value = "3600"
+          }
+          env {
+            name  = "FORGEJO__git_0X2E_timeout__MIRROR"
+            value = "3600"
+          }
+          env {
+            name  = "FORGEJO__git_0X2E_timeout__GC"
+            value = "1800"
+          }
+          env {
+            name  = "FORGEJO__git_0X2E_config__gc_0X2E_auto"
+            value = "1000"
+          }
           # --- Open-signup bot prevention + mailer (appended so the diff vs the
           # pre-signup deployment stays purely additive). ---
           # Cloudflare Turnstile captcha on the registration form (widget