fix(mirror): restrict main_only mode to main+tags (Ganymede review)

Finding #1 (recommendation, applied): infra-mode now pushes only main + tags to GitHub. Agent review branches (epimetheus/*, ganymede/*) stay Forgejo-only. Public GitHub history reflects merged work, not pre-review WIP with internal agent context. Bidirectional mode unchanged — codex still mirrors all branches so external contributors can fork from any branch. Nit #4: setup script m3taversal username has a comment explaining it's a placeholder for fine-grained PAT auth, mirrors the existing teleo-codex remote. Two pre-existing nits filed for follow-up branch: - hardcoded `living-ip:` in GH_PR_NUM head filter (line 273) - spurious CRITICAL log on GH→forgejo→GH cycles (re-fetch forgejo after Step 2.5) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 22:54:18 +01:00 · 2026-04-27 22:54:18 +01:00 · b9c4947637
commit b9c4947637
parent bf647b7abb
2 changed files with 25 additions and 9 deletions
--- a/deploy/setup-infra-mirror.sh
+++ b/deploy/setup-infra-mirror.sh
@ -72,6 +72,9 @@ cd "$REPO_DIR"
 # Forgejo remote (origin convention is reversed in this codebase: origin=GitHub,
 # forgejo=Forgejo, matching the existing teleo-codex.git layout).
 FORGEJO_REMOTE_URL="http://github-mirror:${FORGEJO_TOKEN}@localhost:3000/teleo/teleo-infrastructure.git"
+# NOTE: "m3taversal" is a placeholder username — for fine-grained PATs the
+# username field is decorative; the token does the auth. Matches the existing
+# teleo-codex.git remote for consistency. (Ganymede review nit #4.)
 GITHUB_REMOTE_URL="https://m3taversal:${GITHUB_PAT}@github.com/${GITHUB_REPO}.git"

 if git remote get-url forgejo >/dev/null 2>&1; then
--- a/deploy/sync-mirror.sh
+++ b/deploy/sync-mirror.sh
@ -149,16 +149,29 @@ for pr in prs:
        fi
    fi

-    if [ "$PUSH_MAIN" = true ]; then
-        git push origin --all --force >> "$LOG" 2>&1 || log "WARN: Push to GitHub failed"
+    if [ "$MODE" = "main_only" ]; then
+        # Infra-style mirror: push main + tags ONLY. Pre-review agent branches
+        # (epimetheus/*, ganymede/*, etc.) carry internal context — agent UUIDs,
+        # in-flight discussion, WIP — and must not land in the public GitHub
+        # history. (Ganymede review, finding #1.)
+        if [ "$PUSH_MAIN" = true ]; then
+            git push origin --force "refs/heads/main:refs/heads/main" >> "$LOG" 2>&1 || \
+                log "WARN: main push to GitHub failed"
+        fi
    else
-        # Push all branches except main
-        while read branch; do
-            [ "$branch" = "main" ] && continue
-            [ "$branch" = "HEAD" ] && continue
-            git push origin --force "refs/heads/$branch:refs/heads/$branch" >> "$LOG" 2>&1 || \
-                log "WARN: Failed to push $branch to GitHub"
-        done < <(git for-each-ref --format="%(refname:lstrip=2)" refs/heads/)
+        # Bidirectional mirror (codex): push all branches so external
+        # contributors can fork from any branch, not just main.
+        if [ "$PUSH_MAIN" = true ]; then
+            git push origin --all --force >> "$LOG" 2>&1 || log "WARN: Push to GitHub failed"
+        else
+            # Push all branches except main when main is divergent
+            while read branch; do
+                [ "$branch" = "main" ] && continue
+                [ "$branch" = "HEAD" ] && continue
+                git push origin --force "refs/heads/$branch:refs/heads/$branch" >> "$LOG" 2>&1 || \
+                    log "WARN: Failed to push $branch to GitHub"
+            done < <(git for-each-ref --format="%(refname:lstrip=2)" refs/heads/)
+        fi
    fi
    git push origin --tags --force >> "$LOG" 2>&1 || log "WARN: Tag push to GitHub failed"