ci: switch SDK to git dep, inject MODULE_SDK_PAT via insteadOf
All checks were successful
CI / Linux x86_64 (Forgejo) (push) Successful in 3m7s

Two prior approaches failed:

1. Sibling-clone of module-sdk into a directory two levels up
   from $GITHUB_WORKSPACE failed with a 2-second runner failure
   (bisect confirmed: workflow with ONLY the own-repo checkout
   succeeded; adding the sibling-clone step reproduced the
   failure).

2. Anonymous clone of the now-public module-sdk also failed —
   the Forgejo instance has REQUIRE_SIGNIN_VIEW=true, so making
   a repo public does not enable anonymous read.

The working approach: switch fai-module-sdk to a git dependency
in Cargo.toml and inject a stored Forgejo PAT into any outgoing
git.flemming.ws URL via 'git config url.X.insteadOf Y'. Cargo's
git fetch (driven by CARGO_NET_GIT_FETCH_WITH_CLI=true) then
authenticates transparently.

The Forgejo Actions secret MODULE_SDK_PAT carries the read token.
Locally, the same insteadOf trick works via GIT_CONFIG_COUNT
without polluting the global git config.

Bumps text-extract 0.1.4 -> 0.1.5.

Signed-off-by: flemming-it <sf@flemming.it>
This commit is contained in:
flemming-it 2026-05-02 07:33:32 +02:00
parent 44612641b0
commit 1078367d6a
3 changed files with 62 additions and 16 deletions

View file

@ -8,12 +8,17 @@ on:
env:
CARGO_TERM_COLOR: always
RUSTFLAGS: "-D warnings"
RUST_TOOLCHAIN: "1.86"
CARGO_NET_GIT_FETCH_WITH_CLI: "true"
jobs:
ci:
name: Linux x86_64 (Forgejo)
runs-on: ubuntu-latest
steps:
# Manual external-URL checkout — see fai/platform CI for
# background. Lays this repo at $GITHUB_WORKSPACE.
- name: Checkout text-extract via external URL
run: |
set -eu
@ -24,18 +29,57 @@ jobs:
"https://x-access-token:${GITHUB_TOKEN}@git.flemming.ws/${GITHUB_REPOSITORY}.git"
git fetch --depth=1 origin "$GITHUB_SHA"
git checkout -q FETCH_HEAD
echo "checkout: ok, ls = $(ls)"
- name: Checkout fai/module-sdk into sibling layout
# The fai-module-sdk dependency is a git dep against a repo
# that lives in another Forgejo org. The repo-scoped
# GITHUB_TOKEN cannot read it, and the Forgejo instance has
# REQUIRE_SIGNIN_VIEW=true so anonymous read is also denied.
# MODULE_SDK_PAT is a stored secret with read access to
# fai/module-sdk; we inject it into any outgoing
# https://git.flemming.ws/ URL via insteadOf so cargo's git
# fetch (driven by CARGO_NET_GIT_FETCH_WITH_CLI) authenticates
# transparently.
- name: Configure git URL rewrite for SDK fetch
env:
SDK_PAT: ${{ secrets.MODULE_SDK_PAT }}
run: |
set -eu
parent="$(dirname "$GITHUB_WORKSPACE")"
grandparent="$(dirname "$parent")"
sdk_dir="$grandparent/module_sdk"
mkdir -p "$sdk_dir"
cd "$sdk_dir"
git init -q
git remote add origin "https://git.flemming.ws/fai/module-sdk.git"
git fetch --depth=1 origin main
git checkout -q FETCH_HEAD
echo "module-sdk: ok, ls = $(ls)"
git config --global \
"url.https://x-access-token:${SDK_PAT}@git.flemming.ws/.insteadOf" \
"https://git.flemming.ws/"
- name: Install system dependencies
run: |
apt-get update -qq
apt-get install -y --no-install-recommends \
curl \
ca-certificates \
build-essential \
pkg-config \
libssl-dev \
git
- name: Install Rust toolchain
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
| sh -s -- -y \
--profile minimal \
--default-toolchain "$RUST_TOOLCHAIN" \
--target wasm32-wasip2 \
--component rustfmt \
--component clippy
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
- name: Cargo fmt --check
run: cargo fmt --all -- --check
- name: Cargo clippy
run: cargo clippy --all-targets -- -D warnings
- name: Cargo build (host)
run: cargo build --all-targets
- name: Cargo test (host)
run: cargo test --all-targets
- name: Cargo build (wasm32-wasip2)
run: cargo build --release --target wasm32-wasip2