From b9c494763762844aae4145e4c4d2d54d3fc9db2f Mon Sep 17 00:00:00 2001
From: m3taversal
Date: Mon, 27 Apr 2026 22:54:18 +0100
Subject: [PATCH] fix(mirror): restrict main_only mode to main+tags (Ganymede review)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Finding #1 (recommendation, applied): infra-mode now pushes only main + tags to GitHub. Agent review branches (epimetheus/*, ganymede/*) stay Forgejo-only. Public GitHub history reflects merged work, not pre-review WIP with internal agent context.

Bidirectional mode unchanged — codex still mirrors all branches so external contributors can fork from any branch.

Nit #4: setup script m3taversal username has a comment explaining it's a placeholder for fine-grained PAT auth, mirrors the existing teleo-codex remote.

Two pre-existing nits filed for follow-up branch:
- hardcoded `living-ip:` in GH_PR_NUM head filter (line 273)
- spurious CRITICAL log on GH→forgejo→GH cycles (re-fetch forgejo after Step 2.5)

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 deploy/setup-infra-mirror.sh | 3 +++
 deploy/sync-mirror.sh | 31 ++++++++++++++++++++++---------
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/deploy/setup-infra-mirror.sh b/deploy/setup-infra-mirror.sh
index 1fcdf80..a304e7a 100755
--- a/deploy/setup-infra-mirror.sh
+++ b/deploy/setup-infra-mirror.sh
@@ -72,6 +72,9 @@ cd "$REPO_DIR"
 # Forgejo remote (origin convention is reversed in this codebase: origin=GitHub,
 # forgejo=Forgejo, matching the existing teleo-codex.git layout).
 FORGEJO_REMOTE_URL="http://github-mirror:${FORGEJO_TOKEN}@localhost:3000/teleo/teleo-infrastructure.git"
+# NOTE: "m3taversal" is a placeholder username — for fine-grained PATs the
+# username field is decorative; the token does the auth. Matches the existing
+# teleo-codex.git remote for consistency. (Ganymede review nit #4.)
 GITHUB_REMOTE_URL="https://m3taversal:${GITHUB_PAT}@github.com/${GITHUB_REPO}.git"
 
 if git remote get-url forgejo >/dev/null 2>&1; then
diff --git a/deploy/sync-mirror.sh b/deploy/sync-mirror.sh
index 6d446c4..bd04e98 100755
--- a/deploy/sync-mirror.sh
+++ b/deploy/sync-mirror.sh
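Review bot: The added comment documents the username but not the more important property of the line it annotates: `GITHUB_REMOTE_URL` (like `FORGEJO_REMOTE_URL` just above it) carries the PAT inside the URL, and once it is handed to `git remote add`/`set-url` — presumably just below the hunk, after the `get-url` check — the token is written in plaintext to `.git/config` under `$REPO_DIR` and is printed back by `git remote -v`. Since the note is about how auth works, I'd extend it with something like `# The token in this URL is persisted in plaintext in .git/config and shown by` / `# 'git remote -v'; keep $REPO_DIR private, or move auth to a credential helper.` so a reader does not take "decorative username" to mean the URL itself is harmless to expose.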
@@ -149,16 +149,29 @@ for pr in prs:
 fi
 fi
 
- if [ "$PUSH_MAIN" = true ]; then
- git push origin --all --force >> "$LOG" 2>&1 || log "WARN: Push to GitHub failed"
+ if [ "$MODE" = "main_only" ]; then
+ # Infra-style mirror: push main + tags ONLY. Pre-review agent branches
+ # (epimetheus/*, ganymede/*, etc.) carry internal context — agent UUIDs,
+ # in-flight discussion, WIP — and must not land in the public GitHub
+ # history. (Ganymede review, finding #1.)
+ if [ "$PUSH_MAIN" = true ]; then
+ git push origin --force "refs/heads/main:refs/heads/main" >> "$LOG" 2>&1 || \
+ log "WARN: main push to GitHub failed"
+ fi
 else
- # Push all branches except main
- while read branch; do
- [ "$branch" = "main" ] && continue
- [ "$branch" = "HEAD" ] && continue
- git push origin --force "refs/heads/$branch:refs/heads/$branch" >> "$LOG" 2>&1 || \
- log "WARN: Failed to push $branch to GitHub"
- done < <(git for-each-ref --format="%(refname:lstrip=2)" refs/heads/)
+ # Bidirectional mirror (codex): push all branches so external
+ # contributors can fork from any branch, not just main.
+ if [ "$PUSH_MAIN" = true ]; then
+ git push origin --all --force >> "$LOG" 2>&1 || log "WARN: Push to GitHub failed"
+ else
+ # Push all branches except main when main is divergent
+ while read branch; do
+ [ "$branch" = "main" ] && continue
+ [ "$branch" = "HEAD" ] && continue
+ git push origin --force "refs/heads/$branch:refs/heads/$branch" >> "$LOG" 2>&1 || \
+ log "WARN: Failed to push $branch to GitHub"
+ done < <(git for-each-ref --format="%(refname:lstrip=2)" refs/heads/)
+ fi
 fi
 
 git push origin --tags --force >> "$LOG" 2>&1 || log "WARN: Tag push to GitHub failed"
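Review bot: The new mode dispatch fails open — any `$MODE` value other than the literal `main_only`, including an unset or misspelled one, falls into the else branch and force-pushes every branch with `git push origin --all`, which is exactly the history the restriction is meant to keep off GitHub (MODE is assigned outside the hunk, so I can't see whether it is validated earlier). A guard before the `if`, such as `case "$MODE" in main_only|<bidirectional mode value>) ;; *) log "ERROR: unknown MODE '$MODE'"; exit 1 ;; esac`, makes an unknown mode refuse rather than widen the push. The trailing `git push origin --tags --force` (the hunk's last context line) also runs in main_only mode and carries whatever commits the tags point at, so a tag placed on an unmerged agent branch bypasses the restriction; in main_only mode that push should be limited to tags reachable from main, e.g. the set returned by `git tag --merged main`. Minor, in the moved loop: `while IFS= read -r branch; do` avoids backslash and whitespace mangling of ref names.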