2026-04-27 00:07:50 -07:00
.forgejo/workflows Updated organization 2026-04-27 00:07:50 -07:00
README.md Updated organization 2026-04-27 00:07:50 -07:00

forgejo-workflows

Public sub-repo holding reusable Forgejo Actions workflows for the homelab.

fragmented-homelab (the provisioner repo) stays private; only reusable workflows are published here so caller workflows in private orgs can resolve them via the Forgejo runner's per-job auto-token.

Why this lives here

Forgejo's workflow loader fetches reusable workflows using the per-job auto-token, which is scoped to the caller's repo. That token cannot read a private repo in another org: Forgejo returns 404 and the runner reports "expanding reusable workflow failed to access user X: user does not exist". The fix is to publish reusable workflows from a public sub-repo while keeping the rest of the homelab tree private.

Contents

  • .forgejo/workflows/trigger-watchtower.yml — POSTs to the homelab's Watchtower HTTP API to redeploy containers carrying the homelab scope label.
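
As an added illustration (not the contents of trigger-watchtower.yml in this repo), here is one way a step could make that POST while keeping the bearer token out of the process list and off cleartext HTTP. It assumes WATCHTOWER_URL is the base URL of the Watchtower instance and that the update endpoint is Watchtower's HTTP API path /v1/update; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from the repo.

# Refuse URLs that would send the bearer token in cleartext or break quoting.
validate_url() {
  case "$1" in
    *[[:space:]]*|*\"*|*\\*) echo "WATCHTOWER_URL has unsafe characters" >&2; return 1 ;;
    https://?*) return 0 ;;
    *) echo "WATCHTOWER_URL must start with https://" >&2; return 1 ;;
  esac
}

# The token is embedded in a quoted curl config string, so reject quoting characters.
validate_token() {
  case "$1" in
    ''|*[[:space:]]*|*\"*|*\\*) echo "WATCHTOWER_TOKEN is empty or malformed" >&2; return 1 ;;
  esac
}

# Assumption: WATCHTOWER_URL is the base URL and the API lives at /v1/update.
update_endpoint() {
  printf '%s/v1/update\n' "${1%/}"
}

# Build a curl config so the token never appears in argv (ps, /proc/<pid>/cmdline).
curl_config() {
  printf 'header = "Authorization: Bearer %s"\n' "$1"
}

trigger_watchtower() {
  validate_url "${WATCHTOWER_URL:-}" || return 1
  validate_token "${WATCHTOWER_TOKEN:-}" || return 1
  curl_config "$WATCHTOWER_TOKEN" |
    curl --config - --proto '=https' --fail --silent --show-error \
         --max-time 300 --request POST "$(update_endpoint "$WATCHTOWER_URL")"
}

# Only fire when the secrets are present, e.g. inside the workflow step.
if [ -n "${WATCHTOWER_URL:-}" ] && [ -n "${WATCHTOWER_TOKEN:-}" ]; then
  trigger_watchtower
fi
```

With --fail, a 401 from a wrong token or a 404 from a wrong base URL fails the job instead of passing silently.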

Usage

Add the following to any caller workflow on the same Forgejo instance whose org has the WATCHTOWER_URL and WATCHTOWER_TOKEN org-level secrets set (the fragmented-homelab provisioner's 05-post-forgejo.sh writes these):

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - ...

  trigger-watchtower:
    uses: watchtower/forgejo-workflows/.forgejo/workflows/trigger-watchtower.yml@mainline
    secrets: inherit
    needs: build-and-push

Bootstrap

This local directory mirrors the public Forgejo repo at https://code.nullfragment.dev/watchtower/forgejo-workflows (visibility: public). To push it for the first time:

cd /Users/ksalitrik/workplace/watchtower/forgejo-workflows
git init -b mainline
git add .
git commit -m "Initial: trigger-watchtower reusable workflow"
git remote add origin https://code.nullfragment.dev/watchtower/forgejo-workflows.git
git push -u origin mainline

(Create the empty repo in the Forgejo UI first with visibility = Public before pushing.)