Latest commit d35d040724 by Gabriel: Set up git-crypt for k8s/secrets.env (2026-03-17 11:25:35 -04:00). CI checks build-push.yaml and test-build.yml (Set up git-crypt for k8s/secrets.env, push) failed for this commit.
Repository tree (path, last commit message, date):

  • .forgejo/workflows: ci: disable triggers for test-build and build-push workflows (2026-03-17 10:51:24 -04:00)
  • app: App Woks (2026-03-17 01:27:47 -04:00)
  • argocd: chore: add argocd app and forgejo deploy workflow (2026-03-17 01:40:49 -04:00)
  • k8s: Set up git-crypt for k8s/secrets.env (2026-03-17 11:25:35 -04:00)
  • scripts: App Woks (2026-03-17 01:27:47 -04:00)
  • .dockerignore: preparing runner (2026-03-15 22:38:31 -04:00)
  • .gitattributes: Set up git-crypt for k8s/secrets.env (2026-03-17 11:25:35 -04:00)
  • .gitignore: preparing runner (2026-03-15 22:38:31 -04:00)
  • Dockerfile: preparing runner (2026-03-15 22:38:31 -04:00)
  • README.md: Set up git-crypt for k8s/secrets.env (2026-03-17 11:25:35 -04:00)

Forgejo → GitHub private activity sync

This service receives Forgejo push webhooks and writes metadata-only commits (--allow-empty) to a private GitHub repository.

1) Repo contents

  • app/webhook.py — webhook receiver
  • Dockerfile — container image
  • k8s/app.yaml — ConfigMap, Deployment, Service, Ingress
  • k8s/certificate.yaml — cert-manager Certificate for TLS
  • scripts/trigger-webhook-test.sh — local webhook test helper

2) Non-secret values (edit manifests once)

Set these directly in manifests, not in secrets.env:

  • k8s/app.yaml
    • metadata.namespace
    • data.ACTIVITY_REPO
    • data.BRANCH
    • data.AUTHOR_NAME
    • spec.template.spec.containers[0].image
    • ingress host rules (forgejo-activity.i.psilva.org / your host)
  • k8s/certificate.yaml
    • metadata.namespace
    • spec.commonName
    • spec.dnsNames
  • Forgejo server/ingress/service config is managed in bootstrap Terraform:
    • bootstrap/terraform/terraform.tfvars (forgejo_values)

3) Secret values

k8s/secrets.env should only have real secrets:

WEBHOOK_SECRET=a-random-long-secret
AUTHOR_EMAIL=you@example.com
GIT_DEPLOY_KEY_PATH=$HOME/.ssh/id_ed25519

To avoid committing plaintext secrets, this repo uses git-crypt to encrypt k8s/secrets.env.

Enable git-crypt (one-time)

# init repo crypt config
git-crypt init

# add your GPG key as trusted collaborator
git-crypt add-gpg-user "you@example.com"

git-crypt will:

  • create .gitattributes (already includes k8s/secrets.env)
  • create/update .git-crypt/keys

On a fresh clone (or after CI key rotation)

git-crypt unlock

When your key is configured, k8s/secrets.env will be transparently decrypted after unlock.

4) Deploy (GitOps / CI-only)

Keep the whole flow in Git and CI:

  1. Set secret in CI:
    • K8S_KUBECONFIG_B64 (base64 kubeconfig)
  2. Commit argocd/application.yaml and k8s/* updates.
  3. Trigger:
    • .forgejo/workflows/argo-bootstrap-application.yaml by workflow_dispatch, or
    • Any change under argocd/application.yaml to (re)bootstrap the ArgoCD Application object.

After bootstrap, ArgoCD auto-sync keeps runtime resources reconciled from k8s/.

Keep argocd/application.yaml as the source of truth and let ArgoCD sync automatically.

CI now has two workflows:

Argo CD auto-syncs k8s/ from the repo, so a commit that changes k8s/ triggers a rollout without a manual kubectl apply.

5) Redeploy

Redeploy through standard git flow (no manual kubectl needed):

  1. Update k8s/app.yaml (or other files under k8s/) in git.
  2. Push to master.
  3. ArgoCD app auto-sync applies changes.

6) Wire Forgejo webhook

In Forgejo repo settings:

  • URL: https://YOUR_HOST/forgejo (same host you set in k8s/app.yaml ingress)
  • Method: POST
  • Content type: application/json
  • Secret: value of WEBHOOK_SECRET
  • Events: Push
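Forgejo signs each delivery with an HMAC-SHA256 of the raw request body keyed by the webhook secret and sends it as a hex digest in the X-Forgejo-Signature header (X-Gitea-Signature is also sent for compatibility). The receiver must recompute that digest with WEBHOOK_SECRET and compare it in constant time before it touches the payload, or anyone who can reach the ingress host can create commits in the private repo. The check below is an added illustration, not the code in app/webhook.py; the secret value, header handling and sample payload are constructed here, and the commit-message format is an assumption.

```python
import hmac
import hashlib
import json

# Constructed for the demo; in the deployment this is WEBHOOK_SECRET from k8s/secrets.env
# and must equal the Secret field of the Forgejo webhook.
WEBHOOK_SECRET = b"a-random-long-secret"

# Forgejo sets both headers; each carries the hex HMAC-SHA256 of the raw body.
SIGNATURE_HEADERS = ("x-forgejo-signature", "x-gitea-signature")


def sign(secret: bytes, raw_body: bytes) -> str:
    """Digest the sender attaches. Handy for a local test event such as scripts/trigger-webhook-test.sh."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """True only if the body's HMAC equals the header value; the comparison is constant time."""
    lowered = {k.lower(): v for k, v in headers.items()}
    provided = next((lowered[h] for h in SIGNATURE_HEADERS if h in lowered), None)
    if not provided:
        return False  # unsigned delivery: reject, never fall back to trusting the body
    return hmac.compare_digest(sign(secret, raw_body), provided.lower())


def metadata_commit_message(raw_body: bytes) -> str:
    """Message for the metadata-only (--allow-empty) commit: counts and identifiers only,
    so no file contents or diffs leave Forgejo. Format is an assumption of this example."""
    event = json.loads(raw_body)
    repo = event["repository"]["full_name"]
    ref = event.get("ref", "")
    return f"sync: {len(event.get('commits', []))} commit(s) pushed to {repo} ({ref})"


# Constructed sample push payload, trimmed to the fields used above.
SAMPLE_BODY = json.dumps({
    "ref": "refs/heads/master",
    "repository": {"full_name": "example-org/example-repo"},
    "commits": [{"id": "0" * 39 + "1"}, {"id": "0" * 39 + "2"}],
}).encode()

if __name__ == "__main__":
    headers = {"X-Forgejo-Signature": sign(WEBHOOK_SECRET, SAMPLE_BODY)}
    assert verify_signature(WEBHOOK_SECRET, SAMPLE_BODY, headers)
    assert not verify_signature(WEBHOOK_SECRET, SAMPLE_BODY + b" ", headers)  # tampered body
    assert not verify_signature(b"wrong-secret", SAMPLE_BODY, headers)        # secret mismatch
    print(metadata_commit_message(SAMPLE_BODY))
```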

7) Send test event

./scripts/trigger-webhook-test.sh

Optional overrides:

  • HOST (default forgejo-activity.i.psilva.org)
  • NAMESPACE (default forgejo)
  • INGRESS_NAME (default forgejo-activity-sync)
  • PAYLOAD (default test body)

Notes

  • Only metadata-only commits are created.
  • Keep one-way sync from Forgejo to GitHub to avoid branch conflicts.
  • Enable "Include private contributions" in your GitHub profile settings if you want the activity to show.