Add authenticated GitHub PAT for Forgejo mirror sync #269

Merged
eblume merged 2 commits from feature/mirror-github-pat into main 2026-02-25 20:20:24 -08:00
Owner

Summary

  • mirror-create: Auto-includes GitHub PAT from 1Password for authenticated upstream fetches at mirror creation time
  • mirror-update-pats: New mise task that SSHes into indri and rewrites the git remote URL in every GitHub mirror's bare repo config to embed the PAT. Idempotent, supports --dry-run
  • app.ini.j2: Explicit [mirror] section with DEFAULT_INTERVAL = 8h and MIN_INTERVAL = 10m (bakes in the defaults for visibility)
  • manage-forgejo-mirrors: New how-to doc covering mirror creation, PAT storage, the mirror-update-pats task, and the full 20-day PAT rotation procedure

Context

GitHub tightened unauthenticated rate limits for git clone/fetch in May 2025. With 23 GitHub mirrors syncing every 8 hours, authenticated fetches avoid throttling. The PAT is stored in 1Password (Forgejo Secrets → github-mirror-pat) and has been applied to all existing mirrors.

Deployment and Testing

  • mirror-update-pats dry-run verified (23 mirrors detected)
  • mirror-update-pats applied to all 23 GitHub mirrors on indri
  • Idempotency confirmed (re-run shows 0 updated, 23 skipped)
  • Provision indri with --tags forgejo to apply [mirror] config
  • Trigger a manual mirror sync and verify success in Forgejo UI
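
The idempotent, dry-run-friendly URL rewrite that the summary attributes to `mirror-update-pats`, as an added example that is not the project's script: it shows the per-URL decision and a report with the credential masked. The function names, the `x-access-token` username and the sample URLs are assumptions.

```shell
# Added example, not the project's mirror-update-pats script.
# Assumptions: function names, the "x-access-token" username, sample URLs.
# Split "https://[userinfo@]host[/path]" into $authority, $host, $upath.
split_https() {
  case "$1" in https://*) ;; *) return 1 ;; esac
  rest=${1#https://}
  authority=${rest%%/*}          # text before the first "/"
  upath=${rest#"$authority"}     # "/owner/repo.git" (may be empty)
  host=${authority##*@}          # drop userinfo, if any
}

# Print the URL with credentials hidden, for dry-run output and logs.
mask_url() {
  if split_https "$1" && [ "$authority" != "$host" ]; then
    printf 'https://***@%s%s\n' "$host" "$upath"
  else
    printf '%s\n' "$1"
  fi
}

# Print new URL and return 0 if a rewrite is needed; 1 = already set; 2 = not GitHub.
rewrite_url() {
  split_https "$1" || return 2
  [ "$host" = "github.com" ] || return 2
  want="https://x-access-token:$2@github.com$upath"
  [ "$1" = "$want" ] && return 1   # same PAT already embedded: no-op
  printf '%s\n' "$want"
}

# Read "name url" lines on stdin; print a masked plan and a summary.
plan_mirrors() {
  pat=$1 updated=0 skipped=0
  while read -r name url; do
    if new=$(rewrite_url "$url" "$pat"); then
      updated=$((updated + 1))
      printf 'update %s -> %s\n' "$name" "$(mask_url "$new")"
    else
      skipped=$((skipped + 1))
      printf 'skip   %s (%s)\n' "$name" "$(mask_url "$url")"
    fi
  done
  printf '%d updated, %d skipped\n' "$updated" "$skipped"
}
# Constructed sample: one bare upstream, one already rewritten, one non-GitHub.
plan_mirrors EXAMPLE_PAT <<'EOF'
alpha https://github.com/example/alpha.git
beta https://x-access-token:EXAMPLE_PAT@github.com/example/beta.git
gamma https://codeberg.org/example/gamma.git
EOF
```

A URL carrying an older token is rewritten rather than skipped, which is what a rotation run needs.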
GitHub tightened unauthenticated rate limits in May 2025. Add a
GitHub fine-grained PAT (stored in 1Password) to all mirror fetches:

- mirror-create: auto-includes PAT for GitHub upstreams at creation
- mirror-update-pats: new task to push PAT to all existing mirrors
  via SSH git config rewrite on indri
- app.ini.j2: explicit [mirror] section (8h default, 10m minimum)
- manage-forgejo-mirrors how-to: full PAT rotation procedure

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ -0,0 +103,4 @@
- **Name:** `forgejo-mirror-sync` (or similar, include the date for tracking)
- **Expiration:** 30 days
- **Repository access:** Public repositories (read-only)
- **Permissions:** Contents → Read-only
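Review bot: The `Expiration: 30 days` line does not say how it relates to the 20-day rotation procedure named in the PR description; state next to it that rotation happens before expiry and that the remaining days are margin, so a reader does not take the expiry as the rotation interval. The `Permissions: Contents → Read-only` line is also paired with `Repository access: Public repositories (read-only)`; confirm the token form offers that permission at this access level and drop the line if it does not.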
Author
Owner

Actually I just left the permissions empty. There was no "Contents" permission I could find. Is this correct?

eblume marked this conversation as resolved
@ -0,0 +1,69 @@
#!/usr/bin/env bash
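Review bot: Keep the PAT out of command-line arguments and out of `--dry-run` and error output in this new script, of which only the shebang is shown in this hunk; the PR description says it embeds the token in each mirror's remote URL over SSH, so any URL it prints should have the credential masked. A `set -euo pipefail` line directly under `#!/usr/bin/env bash` would make a failed secret lookup abort the run rather than continue with an empty token.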
Author
Owner

I'm pretty sure there's a card somewhere that lists mise tasks, update that please

eblume marked this conversation as resolved
- Fine-grained PATs need no explicit permissions for public repo
  read-only access — correct the how-to doc
- Add mirror-update-pats to mise-tasks reference

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume merged commit 84338c32c2 into main 2026-02-25 20:20:24 -08:00
Reference
eblume/blumeops!269