shad0w/pelagia-portal
1
0
Fork 0
Code Issues 6 Pull requests 1 Projects Releases 2 Packages Wiki Activity Actions

fix(deploy): don't inject CI runner token into ppms #43

Merged
shad0w merged 1 commit from fix/deploy-no-update-env into master 2026-06-20 18:29:08 +00:00
Conversation 0 Commits 1 Files changed 1 +7 -1
shad0w commented 2026-06-20 18:27:09 +00:00
Owner
Copy link

Fixes the prod Report Issue 401 ("user does not exist [uid: 0]").

Cause: the deploy job runs inside the Forgejo Actions runner, which sets an ephemeral FORGEJO_TOKEN (per-job token). pm2 restart ppms --update-env injected it into the app process; Next.js won't override an already-set process.env var, so the app used the job token instead of the PAT in .env. When the job ended, that token was revoked -> 401.

Fix: drop --update-env so ppms re-execs from the pm2 daemon's clean env and reads the real token from .env.

Prod was already hot-fixed (clean pm2 restart + pm2 save); this makes future tag deploys safe. Automation/CI only.

Fixes the prod Report Issue 401 ("user does not exist [uid: 0]"). **Cause:** the deploy job runs inside the Forgejo Actions runner, which sets an ephemeral `FORGEJO_TOKEN` (per-job token). `pm2 restart ppms --update-env` injected it into the app process; Next.js won't override an already-set `process.env` var, so the app used the job token instead of the PAT in `.env`. When the job ended, that token was revoked -> 401. **Fix:** drop `--update-env` so ppms re-execs from the pm2 daemon's clean env and reads the real token from `.env`. Prod was already hot-fixed (clean `pm2` restart + `pm2 save`); this makes future tag deploys safe. Automation/CI only.
shad0w added 1 commit 2026-06-20 18:27:09 +00:00
fix(deploy): don't inject the CI runner token into ppms (drop --update-env)
All checks were successful
PR checks / checks (pull_request) Successful in 31s
Details
2d6681014d 
The deploy job runs inside the Forgejo Actions runner, whose env includes an
ephemeral FORGEJO_TOKEN (per-job token, revoked when the job ends). 'pm2 restart
--update-env' injected it into ppms, where it shadowed the real PAT in .env
(Next.js won't override an already-set process.env var) — so the Report Issue
button 401'd once the job token expired. Plain restart keeps the daemon's clean env.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
shad0w merged commit 5bb3549142 into master 2026-06-20 18:29:08 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

Something is broken

  
claude-failed

Automated fix attempt failed

  
claude-pr

Claude opened a PR for this

  
claude-queue

Queued for automated Claude fix

  
claude-working

Claude is working on this

  
feature

New functionality

  
interactive

Run with Claude interactively/steered � not safe for the unattended watcher

  
portal

Reported via portal Report Issue button

  
triaged

Triage has run on this portal issue (prevents re-triage)

No labels
bug
claude-failed
claude-pr
claude-queue
claude-working
feature
interactive
portal
triaged
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: shad0w/pelagia-portal#43
No description provided.
Delete branch "fix/deploy-no-update-env"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?