fix(gateway): separate Forgejo token env #61

jwilger · 2026-05-03T15:06:55-07:00

jwilger commented

2026-05-03 15:06:55 -07:00

Summary

Make ar-gateway read the bot PAT from AR_FORGEJO_TOKEN instead of FORGEJO_TOKEN.
Update quickstart, deploy examples, Helm secret wiring, and threat-model docs for the gateway-specific token name.
Keep FORGEJO_TOKEN available for developer-local Forgejo tooling such as Kilo MCP/tea.

Validation

nix develop -c cargo test -p ar-gateway forgejo_api_token
nix develop -c cargo fmt --all -- --check
nix develop -c cargo clippy -p ar-gateway --all-targets -- -D warnings

## Summary - Make `ar-gateway` read the bot PAT from `AR_FORGEJO_TOKEN` instead of `FORGEJO_TOKEN`. - Update quickstart, deploy examples, Helm secret wiring, and threat-model docs for the gateway-specific token name. - Keep `FORGEJO_TOKEN` available for developer-local Forgejo tooling such as Kilo MCP/tea. ## Validation - `nix develop -c cargo test -p ar-gateway forgejo_api_token` - `nix develop -c cargo fmt --all -- --check` - `nix develop -c cargo clippy -p ar-gateway --all-targets -- -D warnings`

jwilger added 1 commit

2026-05-03 15:06:55 -07:00

fix(gateway): separate Forgejo token env

auto_review auto_review: 1 warning

CI / Nix flake check (pull_request) Has been cancelled

Details

f6a0e1b3c2

auto-review requested changes

2026-05-03 15:07:06 -07:00

auto-review left a comment

This PR updates the ar-gateway to read the Forgejo API token from AR_FORGEJO_TOKEN instead of FORGEJO_TOKEN, allowing the latter to be used for developer-local tooling. The changes include updates to documentation, configuration files, and the main gateway code. The changes appear well-implemented and safe to merge.

Walkthrough

CHANGELOG.md: Updated to reflect the change in environment variable for the Forgejo token.
QUICKSTART.md: Instructions updated to use AR_FORGEJO_TOKEN for the gateway, while FORGEJO_TOKEN remains for developer use.
crates/ar-gateway/src/main.rs: Main logic updated to use AR_FORGEJO_TOKEN. Added a helper function forgejo_api_token_from_env_values to handle token retrieval.
deploy/docker-compose.yml: Environment variable updated to AR_FORGEJO_TOKEN.
deploy/helm/README.md and deploy/helm/templates/secret.yaml: Helm deployment instructions and templates updated to use the new token environment variable.
deploy/systemd/auto_review.env.example: Example environment file updated to reflect the new token variable.
docs/THREAT-MODEL.md: Documentation updated to reflect the change in token environment variable.

Pre-merge checks

CHANGELOG updated — CHANGELOG.md is in the diff
Tests touched — source changed but no test file appears in the diff
No new TODO/FIXME comments — no new TODO/FIXME markers

This PR updates the `ar-gateway` to read the Forgejo API token from `AR_FORGEJO_TOKEN` instead of `FORGEJO_TOKEN`, allowing the latter to be used for developer-local tooling. The changes include updates to documentation, configuration files, and the main gateway code. The changes appear well-implemented and safe to merge. ## Walkthrough - **CHANGELOG.md**: Updated to reflect the change in environment variable for the Forgejo token. - **QUICKSTART.md**: Instructions updated to use `AR_FORGEJO_TOKEN` for the gateway, while `FORGEJO_TOKEN` remains for developer use. - **crates/ar-gateway/src/main.rs**: Main logic updated to use `AR_FORGEJO_TOKEN`. Added a helper function `forgejo_api_token_from_env_values` to handle token retrieval. - **deploy/docker-compose.yml**: Environment variable updated to `AR_FORGEJO_TOKEN`. - **deploy/helm/README.md** and **deploy/helm/templates/secret.yaml**: Helm deployment instructions and templates updated to use the new token environment variable. - **deploy/systemd/auto_review.env.example**: Example environment file updated to reflect the new token variable. - **docs/THREAT-MODEL.md**: Documentation updated to reflect the change in token environment variable. ## Pre-merge checks - [x] CHANGELOG updated — CHANGELOG.md is in the diff - [ ] Tests touched — source changed but no test file appears in the diff - [x] No new TODO/FIXME comments — no new TODO/FIXME markers

crates/ar-gateway/src/main.rs Outdated

					
				@ -77,7 +77,7 @@ async fn main() -> Result<()> {

				        );

🟡 Warning: Ensure that the forgejo_api_token_from_env_values function correctly handles cases where AR_FORGEJO_TOKEN is not set, as this could lead to runtime errors if not properly managed.

🟡 **Warning:** Ensure that the `forgejo_api_token_from_env_values` function correctly handles cases where `AR_FORGEJO_TOKEN` is not set, as this could lead to runtime errors if not properly managed.

Addressed by adding crates/ar-gateway/tests/gateway_env.rs, an integration test that starts the gateway binary with WEBHOOK_SECRET and FORGEJO_BASE_URL set but AR_FORGEJO_TOKEN/FORGEJO_TOKEN removed. It asserts startup fails and the error names AR_FORGEJO_TOKEN, so the missing-token case is now covered in a dedicated test file.

Addressed by adding `crates/ar-gateway/tests/gateway_env.rs`, an integration test that starts the gateway binary with `WEBHOOK_SECRET` and `FORGEJO_BASE_URL` set but `AR_FORGEJO_TOKEN`/`FORGEJO_TOKEN` removed. It asserts startup fails and the error names `AR_FORGEJO_TOKEN`, so the missing-token case is now covered in a dedicated test file.

jwilger marked this conversation as resolved

jwilger added 1 commit

2026-05-03 15:09:32 -07:00

test(gateway): cover missing Forgejo token env

auto_review auto_review: 1 warning

CI / Nix flake check (pull_request) Successful in 1m54s

Details

8de8cd7f1b

auto-review approved these changes

2026-05-03 15:09:43 -07:00

auto-review left a comment

This PR updates the ar-gateway to use AR_FORGEJO_TOKEN for the Forgejo API token, separating it from FORGEJO_TOKEN used for local tooling. The changes include updates to documentation, configuration files, and tests to reflect this new environment variable. The changes appear well-implemented and safe to merge.

Walkthrough

CHANGELOG.md: Updated to reflect the change in environment variable for the gateway's Forgejo token.
QUICKSTART.md: Instructions updated to use AR_FORGEJO_TOKEN instead of FORGEJO_TOKEN for the gateway.
crates/ar-gateway/src/main.rs: Main logic updated to read the Forgejo token from AR_FORGEJO_TOKEN.
crates/ar-gateway/tests/gateway_env.rs: New test added to ensure the gateway requires AR_FORGEJO_TOKEN to start.
deploy/docker-compose.yml: Environment variable updated to AR_FORGEJO_TOKEN.
deploy/helm/README.md: Helm deployment instructions updated to use AR_FORGEJO_TOKEN.
deploy/helm/templates/secret.yaml: Secret template updated to use AR_FORGEJO_TOKEN.
deploy/systemd/auto_review.env.example: Example environment file updated to use AR_FORGEJO_TOKEN.
docs/THREAT-MODEL.md: Documentation updated to reflect the change in token environment variable.

Pre-merge checks

CHANGELOG updated — CHANGELOG.md is in the diff
Tests touched — test changes are in the diff
No new TODO/FIXME comments — no new TODO/FIXME markers

This PR updates the `ar-gateway` to use `AR_FORGEJO_TOKEN` for the Forgejo API token, separating it from `FORGEJO_TOKEN` used for local tooling. The changes include updates to documentation, configuration files, and tests to reflect this new environment variable. The changes appear well-implemented and safe to merge. ## Walkthrough - **CHANGELOG.md**: Updated to reflect the change in environment variable for the gateway's Forgejo token. - **QUICKSTART.md**: Instructions updated to use `AR_FORGEJO_TOKEN` instead of `FORGEJO_TOKEN` for the gateway. - **crates/ar-gateway/src/main.rs**: Main logic updated to read the Forgejo token from `AR_FORGEJO_TOKEN`. - **crates/ar-gateway/tests/gateway_env.rs**: New test added to ensure the gateway requires `AR_FORGEJO_TOKEN` to start. - **deploy/docker-compose.yml**: Environment variable updated to `AR_FORGEJO_TOKEN`. - **deploy/helm/README.md**: Helm deployment instructions updated to use `AR_FORGEJO_TOKEN`. - **deploy/helm/templates/secret.yaml**: Secret template updated to use `AR_FORGEJO_TOKEN`. - **deploy/systemd/auto_review.env.example**: Example environment file updated to use `AR_FORGEJO_TOKEN`. - **docs/THREAT-MODEL.md**: Documentation updated to reflect the change in token environment variable. ## Pre-merge checks - [x] CHANGELOG updated — CHANGELOG.md is in the diff - [x] Tests touched — test changes are in the diff - [x] No new TODO/FIXME comments — no new TODO/FIXME markers

crates/ar-gateway/src/main.rs

🟡 Warning: Ensure that the forgejo_api_token_from_env_values function correctly handles cases where AR_FORGEJO_TOKEN is not set, as this is a critical change in how the token is retrieved.

🟡 **Warning:** Ensure that the `forgejo_api_token_from_env_values` function correctly handles cases where `AR_FORGEJO_TOKEN` is not set, as this is a critical change in how the token is retrieved.