fix(svc): forward FORGEJO_TOKEN to release-asset downloads (private repo support) #225

Merged
mik-tf merged 1 commit from development_mik_download_private_auth into development 2026-05-06 21:05:37 +00:00

Adds an `Authorization: token` header to the two curl invocations in `svc_resolve_release_tag` and `svc_download_asset`, sourced from `$env.FORGEJO_TOKEN` when present. Public-repo behaviour is unchanged (empty header list when the token isn't set; Forgejo accepts public asset requests with or without the header).

Why

Surfaced by the hero_office v0.1.0-rc1 smoke on heroci (Bucket C item 4 of lhumina_code/home#212). `hero_office` is the only private non-archived repo in `lhumina_code/`, so its release assets 404 anonymously even though every other Hero stack repo (collab, agent, embedder, books, …) returns them publicly. The prior helper comment `No auth needed — Forgejo release assets are world-readable` was an unintended invariant.

Scope

  • `svc_forge_auth_args` helper added: returns `[]` if no token, `["-H" "Authorization: token X"]` if set.
  • `svc_resolve_release_tag` and `svc_download_asset` splat `...$auth` into their `^curl` calls.
  • Both error paths now hint `private repos need FORGEJO_TOKEN in env`.
  • Comment on `svc_release_asset_url` updated.

No behaviour change for the 20 services on public repos (collab, agent, embedder, voice, editor, books, browser, slides, biz, foundry, whiteboard, matrixchat, hero_do, runner_rhai, proc, router, proxy, db, indexer, aibroker, osis). New behaviour for hero_office (and any future private repos).

Verification

Local (workstation, FORGEJO_TOKEN exported):

resolved tag: v0.1.0-rc1
downloaded ok: /tmp/hero_skills_dl.MaMIyr (4327880 bytes — matches published asset size exactly)

Heroci smoke (FORGEJO_TOKEN exported via SSH inline):

→ hero_office: fetching release v0.1.0-rc1 from lhumina_code/hero_office...
  ⤓ hero_office-x86_64-unknown-linux-musl
    ✓ /root/hero/bin/hero_office
  ⤓ hero_office_server-x86_64-unknown-linux-musl
    ✓ /root/hero/bin/hero_office_server
  ⤓ hero_office_ui-x86_64-unknown-linux-musl
    ✓ /root/hero/bin/hero_office_ui
  ✓ hero_office installed from CI artifacts (release v0.1.0-rc1)

All 3 binaries: ELF 64-bit LSB pie executable, static-pie linked, stripped.

Operator note

For private repos, the operator must `source ~/hero/cfg/env/env.sh` (or otherwise export FORGEJO_TOKEN) before running `service <name> install --download`. Heroci does not currently have FORGEJO_TOKEN in any login script — out of scope for this PR; will be follow-up bookkeeping if/when more private repos are added.

fix(svc): forward FORGEJO_TOKEN to release-asset downloads (private repo support)
All checks were successful
Build and Publish Skills / build-and-publish (pull_request) Successful in 3s
480653b1ed
Adds an Authorization header to the two curl invocations in
svc_resolve_release_tag and svc_download_asset, sourced from
$env.FORGEJO_TOKEN when present. Public-repo behaviour is unchanged
(empty header list when the token isn't set; Forgejo accepts public
asset requests with or without the header).

Surfaced by the hero_office v0.1.0-rc1 smoke on heroci: hero_office
is the only private non-archived repo in lhumina_code/, so its
release assets 404 anonymously even though every other Hero stack
repo (collab, agent, embedder, books, …) returns them publicly. The
prior helper comment 'No auth needed — Forgejo release assets are
world-readable' was an unintended invariant. Updated the comment to
note the private-repo case.

Both error paths now hint 'private repos need FORGEJO_TOKEN in env'
so the next operator hits a clear message instead of a bare
'curl exit 22 / 404'.

Verified locally with FORGEJO_TOKEN exported: latest tag resolves,
asset bytes downloaded match the published 4327880-byte
hero_office-x86_64-unknown-linux-musl size exactly.

Signed-off-by: mik-tf
Signed-off-by: mik-tf <logismos@protonmail.ch>
mik-tf merged commit c28ba16e23 into development 2026-05-06 21:05:37 +00:00
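
The helper described in this PR passes the token to curl as a `-H` argument, which puts it in curl's argv, where local process listings can show it. The following is an added example, not hero_skills code, and is written in POSIX shell rather than the project's Nushell: it keeps the same "nothing when no token" behaviour but hands the header to curl on stdin through `--config -`. The function names `forge_auth_config` and `forge_fetch` and the accepted token character set are assumptions.

```shell
#!/bin/sh
# Added example (not hero_skills code). Function names are hypothetical.

# Emit a curl config line carrying the Forgejo token, or nothing when
# FORGEJO_TOKEN is unset or empty (public repos need no header).
forge_auth_config() {
    tok=${FORGEJO_TOKEN:-}
    [ -n "$tok" ] || return 0
    # Refuse characters that could close the quoted config value or add a
    # second header (quotes, backslashes, CR/LF, spaces). The allowed set
    # is an assumption; narrow it to the token format actually issued.
    case $tok in
        *[!A-Za-z0-9._~+/=-]*)
            echo "FORGEJO_TOKEN contains unexpected characters" >&2
            return 2 ;;
    esac
    printf 'header = "Authorization: token %s"\n' "$tok"
}

# Download URL to OUT. The header reaches curl on stdin (--config -), so the
# token never appears in curl's command line. --proto '=https' refuses to
# send the request (and the token) over plain HTTP.
forge_fetch() {
    url=$1
    out=$2
    cfg=$(forge_auth_config) || return 2
    if ! printf '%s\n' "$cfg" |
        curl --fail --silent --show-error --proto '=https' \
             --config - --output "$out" "$url"; then
        echo "download failed: $url (private repos need FORGEJO_TOKEN in env)" >&2
        return 1
    fi
}
```
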