From dcb465a7e58a5c66b1e9d82f8a2a74d8580c25d0 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Tue, 24 Feb 2026 23:02:33 +0000
Subject: [PATCH] [ci skip] Fix Woodpecker GitHub forge: add explicit GITHUB_URL to prevent Forgejo URL bleed

When both WOODPECKER_GITHUB and WOODPECKER_FORGEJO are enabled without an explicit WOODPECKER_GITHUB_URL, the GitHub forge inherits the Forgejo URL causing all GitHub API calls to hit forgejo.viktorbarzin.me with GitHub OAuth credentials, resulting in 401 Unauthorized on repo add and cron jobs. Also adds Forgejo forge variables to Terraform.
---
 stacks/woodpecker/main.tf | 16 +++++++++++-----
 stacks/woodpecker/values.yaml | 5 +++++
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf
index 90432b22..b0b58876 100644
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@@ -6,6 +6,9 @@ variable "woodpecker_db_password" { type = string }
 variable "dbaas_postgresql_root_password" { type = string }
 variable "nfs_server" { type = string }
 variable "postgresql_host" { type = string }
+variable "woodpecker_forgejo_client_id" { type = string }
+variable "woodpecker_forgejo_client_secret" { type = string }
+variable "woodpecker_forgejo_url" { type = string }
 resource "kubernetes_namespace" "woodpecker" {
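Review bot: `woodpecker_forgejo_client_secret` is declared as a plain string, so Terraform prints its value in plan and apply output wherever it surfaces, including the rendered `values` of the `helm_release` in the next hunk. Adding `sensitive = true` redacts it there; HCL's single-line block form takes only one argument, so the declaration has to move to the multi-line form. The existing `woodpecker_db_password` and `dbaas_postgresql_root_password` declarations visible as context follow the same pattern and would benefit from the same change. `sensitive` only affects displayed output, so the value is still written to state and the state backend needs to be protected accordingly.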
@@ -122,11 +125,14 @@ resource "helm_release" "woodpecker" {
 values = [
 templatefile("${path.module}/values.yaml", {
- github_client_id = var.woodpecker_github_client_id
- github_client_secret = var.woodpecker_github_client_secret
- agent_secret = var.woodpecker_agent_secret
- db_password = var.woodpecker_db_password
- postgresql_host = var.postgresql_host
+ github_client_id = var.woodpecker_github_client_id
+ github_client_secret = var.woodpecker_github_client_secret
+ agent_secret = var.woodpecker_agent_secret
+ db_password = var.woodpecker_db_password
+ postgresql_host = var.postgresql_host
+ forgejo_client_id = var.woodpecker_forgejo_client_id
+ forgejo_client_secret = var.woodpecker_forgejo_client_secret
+ forgejo_url = var.woodpecker_forgejo_url
 })
 ]
diff --git a/stacks/woodpecker/values.yaml b/stacks/woodpecker/values.yaml
index 21f7f948..a379d00c 100644
--- a/stacks/woodpecker/values.yaml
+++ b/stacks/woodpecker/values.yaml
@@ -11,6 +11,7 @@ server:
 WOODPECKER_ADMIN: "ViktorBarzin"
 WOODPECKER_OPEN: "false"
 WOODPECKER_GITHUB: "true"
+ WOODPECKER_GITHUB_URL: "https://github.com"
 WOODPECKER_GITHUB_CLIENT: "${github_client_id}"
 WOODPECKER_GITHUB_SECRET: "${github_client_secret}"
 WOODPECKER_AGENT_SECRET: "${agent_secret}"
@@ -19,6 +20,10 @@ server:
 WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,plugins/docker"
 WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git,alpine"
 WOODPECKER_LOG_LEVEL: "info"
+ WOODPECKER_FORGEJO: "true"
+ WOODPECKER_FORGEJO_CLIENT: "${forgejo_client_id}"
+ WOODPECKER_FORGEJO_SECRET: "${forgejo_client_secret}"
+ WOODPECKER_FORGEJO_URL: "${forgejo_url}"
 service:
 type: ClusterIP
 port: 80
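Review bot: In the `templatefile` map of `stacks/woodpecker/main.tf`, `forgejo_client_secret` is interpolated straight into the chart values, so the OAuth client secret ends up as a literal in the rendered release values and, per the `values.yaml` hunk, in the server's `env` map. That makes it readable to anything with read access to the Helm release data or the workload spec in the namespace. If the chart can load environment variables from an existing Secret, creating a `kubernetes_secret` for the client secrets and referencing it would keep them out of the rendered values; the same applies to the existing `github_client_secret`, `agent_secret` and `db_password` entries. The `helm_release` block starts and ends outside this hunk, so other handling may exist there.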
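Review bot: The added `WOODPECKER_GITHUB_URL` line in the first `values.yaml` hunk reads like a redundant default, and nothing in the file explains why it has to stay. A comment above it would keep it from being dropped in a later cleanup, for example `# Must be set explicitly: with Forgejo also enabled, an unset GitHub URL falls back to the Forgejo URL and GitHub OAuth credentials go to the wrong host.` Since the commit message reports that GitHub OAuth credentials were already being sent to the Forgejo host, it may also be worth checking whether that host or a proxy in front of it recorded them.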
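Review bot: The second `values.yaml` hunk enables `WOODPECKER_FORGEJO` alongside `WOODPECKER_GITHUB`, and the commit message shows that a setting from one forge can be picked up by the other, yet only the URL is pinned. It is worth confirming against the deployed Woodpecker version that `WOODPECKER_FORGEJO_CLIENT` and `WOODPECKER_FORGEJO_SECRET` cannot cross over in the same way, so that neither forge's client secret is presented to the other host, and that running both forges at once is a supported configuration. `WOODPECKER_FORGEJO_URL` also comes from an unconstrained string variable; a `validation` block on `woodpecker_forgejo_url` in `main.tf` requiring an `https://` prefix would prevent the OAuth exchange from being configured over plain HTTP.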