From 9c2e671988f5be59949cddfb9a9f926f6a4b47a7 Mon Sep 17 00:00:00 2001
From: "every.channel" <founder@every.channel>
Date: Mon, 16 Feb 2026 01:41:35 -0500
Subject: [PATCH] ci: fetch private repo archive via API and run from .repo

---
 .forgejo/workflows/deploy-cloudflare.yml | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/.forgejo/workflows/deploy-cloudflare.yml b/.forgejo/workflows/deploy-cloudflare.yml
index 6645bbf..634a02e 100644
--- a/.forgejo/workflows/deploy-cloudflare.yml
+++ b/.forgejo/workflows/deploy-cloudflare.yml
@@ -36,19 +36,21 @@ jobs:
             exit 2
           fi
 
-          rm -rf .src
-          mkdir -p .src
+          rm -rf .repo
+          mkdir -p .repo
+
+          # Use the authenticated API archive endpoint (works for private repos).
           curl -fsSL -H "Authorization: token ${GITHUB_TOKEN}" \
-            "https://codeberg.org/every-channel/every.channel/archive/${GITHUB_SHA}.tar.gz" \
-            -o .src/src.tgz
-          tar -xzf .src/src.tgz -C .src --strip-components=1
-          rsync -a .src/ ./
-          rm -rf .src
+            "https://codeberg.org/api/v1/repos/every-channel/every.channel/archive/${GITHUB_SHA}.tar.gz?rev=${GITHUB_SHA}" \
+            -o .repo/src.tgz
+          tar -xzf .repo/src.tgz -C .repo --strip-components=1
+          rm -f .repo/src.tgz
 
       - name: Bootstrap runner deps
         shell: bash
         run: |
           set -euo pipefail
+          cd .repo
           install -d -m 755 "$HOME/.local/bin"
           echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV"
           export PATH="$HOME/.local/bin:$PATH"
@@ -105,6 +107,7 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
+          cd .repo
           curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
             -H "content-type: application/json" \
             "https://codeberg.org/api/v1/repos/every-channel/every.channel/statuses/${GITHUB_SHA}" \
@@ -116,6 +119,7 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
+          cd .repo
           if [[ -z "${AGE_FORGE_SSH_KEY:-}" ]]; then
             echo "error: missing Actions secret AGE_FORGE_SSH_KEY"
             exit 2
@@ -132,6 +136,7 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
+          cd .repo
           key_file="$HOME/.ssh/age_forge_ed25519"
           secret_file="secrets/cloudflare-api-token.age"
           if [[ ! -f "$secret_file" ]]; then
@@ -150,6 +155,7 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
+          cd .repo
           install -d -m 755 "$HOME/.local/bin"
           export PATH="$HOME/.local/bin:$PATH"
           if ! command -v cargo >/dev/null 2>&1; then
@@ -183,6 +189,7 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
+          cd .repo
           cd ../../../deploy/cloudflare-worker
           npm ci
           npx wrangler deploy