feat(agent_loop): show CI run URL in 'CI passed' message (#151)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

DAGGER.md

@@ -91,3 +91,93 @@ The CI workflow in `.forgejo/workflows/ci.yml` is configured to use the Dagger m
 - **Check Suite:** Runs analysis and tests in parallel.
 - **Builds:** Produces Linux and Android artifacts.
 - **Caching:** When using the shared engine, CI runners benefit from the persistent cache on the host.
+
+## Credential Security — Keeping Production Secrets Off Codeberg
+
+### Problem
+
+The current setup stores two categories of secrets in Codeberg repository secrets:
+
+1. **Dagger access credentials** — TLS certificates used to connect to the remote Dagger engine via stunnel (`DAGGER_CA_CERT`, `DAGGER_CLIENT_CERT`, `DAGGER_CLIENT_KEY`, `DAGGER_STUNNEL_URL`).
+2. **Production secrets** — actual credentials for external services: `ANDROID_KEYSTORE_BASE64`, `ANDROID_KEYSTORE_PASSWORD`, `PLAY_STORE_CONFIG_JSON`, `SSH_PRIVATE_KEY`, `FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY`.
+
+If Codeberg is compromised, both categories are leaked. The Dagger TLS certificates enable access only to the Dagger engine and have limited blast radius. But the production secrets give direct access to the Play Store, the Android signing key, the deployment server, and Firebase — a much larger blast radius.
+
+**Goal:** Keep only Dagger access credentials in Codeberg. Store all production secrets on the Dagger host machine so they never touch Codeberg.
+
+### Option 1: Runner-level environment variables
+
+Store production secrets as environment variables in the Forgejo runner's systemd service (e.g., via a `EnvironmentFile=` in the service override). The runner injects host env vars into job processes automatically. CI workflows drop the `${{ secrets.XYZ }}` references for production secrets entirely — the variables are already present in the job environment.
+
+**Pro:**
+- No new infrastructure required.
+- Works with the existing `dagger call --progress=plain --secret env:VAR_NAME` argument style.
+- Secrets never enter Codeberg.
+- Straightforward to set up on a single self-hosted runner.
+
+**Con:**
+- Env vars are visible to every process on the runner host (e.g., via `/proc/<pid>/environ`).
+- Rotating a secret requires host access (no API).
+- Does not scale cleanly to multiple runners without a shared secrets mechanism.
+
+### Option 2: Secret files on the CI host with restricted permissions
+
+Store production secrets as files owned by the runner user with mode `600` (e.g., `/home/forgejo-runner/secrets/play_store.json`). A small setup script reads the files and either exports them as env vars or passes them directly as file-type arguments to `dagger call --progress=plain`. CI workflows contain no secret references at all.
+
+**Pro:**
+- OS-level file permissions limit access to the runner user.
+- Natural format for JSON payloads and key files.
+- Easy to audit (list files, check mtime).
+- No new infrastructure.
+
+**Con:**
+- Plaintext files on disk; root or backup access exposes them.
+- Workflow must know file paths (either hardcoded or by convention).
+- Rotation still requires host filesystem access.
+
+### Option 3: Dagger host as pipeline orchestrator
+
+Instead of the CI runner invoking the Dagger CLI directly, the CI job sends a trigger to the Dagger host over SSH. The Dagger host runs the pipeline locally against its own environment, where secrets live as env vars or files. Codeberg only stores the SSH key to reach the Dagger host — not the production secrets.
+
+```yaml
+# CI job only does this:
+- name: Trigger pipeline on Dagger host
+  run: ssh dagger-host "cd sharedinbox && task publish-android"
+  env:
+    SSH_PRIVATE_KEY: ${{ secrets.DAGGER_TRIGGER_SSH_KEY }}
+```
+
+**Pro:**
+- Production secrets never leave the Dagger host.
+- Codeberg stores exactly one secret: the trigger SSH key.
+- All deployment logic and secrets are fully contained on the host.
+
+**Con:**
+- Harder to stream structured CI logs back to Codeberg Actions.
+- Dynamic context (commit SHA, PR branch) must be passed explicitly over SSH.
+- The trigger SSH key still grants shell access to the host, so its compromise has its own blast radius.
+- CI becomes a "fire-and-forget" call, making failure attribution harder.
+
+### Option 4: External secret manager (e.g., HashiCorp Vault)
+
+Run a secret manager co-located with the Dagger host. The CI job authenticates with a short-lived AppRole credential (stored in Codeberg) and retrieves secrets at runtime. Vault can also be configured with IP-allow-lists to further restrict who can authenticate.
+
+**Pro:**
+- Full audit trail: every secret read is logged with a timestamp and caller identity.
+- Fine-grained access control per secret.
+- Built-in versioning and rotation support.
+- Industry-standard approach; scales to team or multi-runner setups.
+
+**Con:**
+- Significant additional infrastructure to install, configure, and maintain.
+- Vault credentials (RoleID + SecretID) still need to be in Codeberg, though with a smaller blast radius than raw secrets.
+- Vault itself becomes a security-critical single point of failure.
+- Operational overhead likely disproportionate for a small single-developer project.
+
+### Recommendation
+
+**Option 1** (runner-level env vars) or **Option 2** (secret files) are the pragmatic starting point for a single self-hosted runner. They require no new infrastructure and move all production secrets off Codeberg immediately.
+
+**Option 3** (Dagger host as orchestrator) is worth considering once the trigger SSH key replaces all other secrets in Codeberg — it offers the cleanest security boundary at the cost of reduced CI observability.
+
+**Option 4** (Vault) becomes worthwhile if the project grows to multiple runners or team members who each need audited access to deploy credentials.

Taskfile.yml

@@ -260,11 +260,8 @@ tasks:
 
   publish-website:
     desc: Build and publish website via Dagger
-    preconditions:
-      - sh: test -n "$SSH_PRIVATE_KEY"
-        msg: "SSH_PRIVATE_KEY is not set"
     cmds:
-      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
+      - dagger call --progress=plain -q -m ci --source=. publish-website --ssh-key file:$HOME/.ssh/id_ed25519 --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
 
   check-dagger:
     desc: Run full check suite via Dagger (with OTEL timing report if python3 is available)

scripts/agent_loop.py

@@ -147,12 +147,25 @@ def _latest_ci_run() -> dict | None:
 
 
 def _latest_ci_run_for_branch(branch: str) -> dict | None:
-    """Return the latest CI run for a specific branch, or None."""
+    """Return the latest CI run for a specific branch, or None.
+
+    Forgejo's workflow_runs API has no top-level head_branch field.
+    For push events the branch is in ``prettyref``; for pull_request
+    events it lives inside ``event_payload["pull_request"]["head"]["ref"]``.
+    """
     data = _tea_get(f"repos/{REPO}/actions/runs?limit=20")
     runs = (data or {}).get("workflow_runs", [])
     for run in runs:
-        if run.get("head_branch") == branch:
-            return run
+        if run.get("event") == "pull_request":
+            try:
+                payload = json.loads(run.get("event_payload", "{}"))
+                if payload.get("pull_request", {}).get("head", {}).get("ref") == branch:
+                    return run
+            except (json.JSONDecodeError, AttributeError):
+                pass
+        else:
+            if run.get("prettyref") == branch:
+                return run
     return None
 
 
@@ -515,7 +528,8 @@ def _run_loop() -> int:
             )
             return 0
         _close_issue(pending_issue)
-        print(f"CI passed — closed {_issue_url(pending_issue)}.")
+        ci_run_part = f" {_ci_run_url(run['id'])}" if run else ""
+        print(f"CI passed{ci_run_part} — closed {_issue_url(pending_issue)}.")
         return 0
 
     # Find a Ready issue.

scripts/generate_build_history.py

@@ -43,8 +43,13 @@ def list_remote_files(ssh_user: str, ssh_host: str, pattern: str) -> list[str]:
         text=True,
     )
     if result.returncode != 0:
+        print(
+            f"WARNING: ssh exit {result.returncode} listing {pattern} on {ssh_user}@{ssh_host}"
+            " — build history will be empty for this pattern",
+            file=sys.stderr,
+        )
         print(result.stderr, file=sys.stderr)
-        raise subprocess.CalledProcessError(result.returncode, result.args)
+        return []
     return [line.strip() for line in result.stdout.splitlines() if line.strip()]
 
 

scripts/test_agent_loop.py

@@ -267,6 +267,33 @@ class TestPendingCi(unittest.TestCase):
         self.assertEqual(result, 0)
         mock_close.assert_called_once_with(10)
 
+    def test_ci_passed_output_includes_ci_run_url(self):
+        """'CI passed' line includes the CI run URL when a run is available."""
+        buf = io.StringIO()
+        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
+             patch("agent_loop._latest_ci_run", return_value={"id": 4145144, "status": "success"}), \
+             patch("agent_loop._close_issue"), \
+             patch("agent_loop._clear_state"), \
+             contextlib.redirect_stdout(buf):
+            agent_loop._run_loop()
+        output = buf.getvalue()
+        self.assertIn("https://codeberg.org/guettli/sharedinbox/actions/runs/4145144", output)
+        self.assertIn("https://codeberg.org/guettli/sharedinbox/issues/10", output)
+
+    def test_ci_passed_output_without_run_omits_ci_url(self):
+        """'CI passed' line still works when no CI run is available."""
+        buf = io.StringIO()
+        with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
+             patch("agent_loop._latest_ci_run", return_value=None), \
+             patch("agent_loop._close_issue"), \
+             patch("agent_loop._clear_state"), \
+             contextlib.redirect_stdout(buf):
+            agent_loop._run_loop()
+        output = buf.getvalue()
+        self.assertIn("CI passed", output)
+        self.assertIn("https://codeberg.org/guettli/sharedinbox/issues/10", output)
+        self.assertNotIn("/actions/runs/", output)
+
     def test_does_not_close_issue_when_ci_fails(self):
         """After issue agent finishes, loop must NOT close the issue if CI failed."""
         with patch("agent_loop._read_state", return_value=self._dead_state(10)), \
@@ -284,7 +311,7 @@ class TestPendingCi(unittest.TestCase):
         """When CI is still running after agent finishes, pending issue is preserved."""
         written = {}
 
-        def fake_write_state(pid, issue, kind, issue_title=None):
+        def fake_write_state(pid, issue, kind, issue_title=None, session_name=None, ci_run_id=None):
             written["pid"] = pid
             written["issue"] = issue
             written["kind"] = kind
@@ -304,7 +331,7 @@ class TestPendingCi(unittest.TestCase):
         """When CI fails after agent finishes, ci-fix state includes the pending issue."""
         written = {}
 
-        def fake_write_state(pid, issue, kind, issue_title=None):
+        def fake_write_state(pid, issue, kind, issue_title=None, session_name=None, ci_run_id=None):
             written["pid"] = pid
             written["issue"] = issue
             written["kind"] = kind
@@ -396,5 +423,71 @@ class TestOutputFormat(unittest.TestCase):
         self.assertIn("Fix something", output)
 
 
+class TestLatestCiRunForBranch(unittest.TestCase):
+    """Tests for _latest_ci_run_for_branch — Forgejo API field mapping."""
+
+    def _make_pr_run(self, branch: str, status: str = "success") -> dict:
+        payload = json.dumps({"pull_request": {"head": {"ref": branch}}})
+        return {"event": "pull_request", "event_payload": payload, "status": status, "id": 1}
+
+    def _make_push_run(self, prettyref: str, status: str = "success") -> dict:
+        return {"event": "push", "prettyref": prettyref, "status": status, "id": 2}
+
+    def _mock_tea_runs(self, runs):
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}) as m:
+            yield m
+
+    def test_pr_event_matches_via_event_payload(self):
+        run = self._make_pr_run("issue-166-fix")
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": [run]}):
+            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
+        self.assertIsNotNone(result)
+        self.assertEqual(result["id"], 1)
+
+    def test_pr_event_does_not_match_wrong_branch(self):
+        run = self._make_pr_run("issue-99-fix")
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": [run]}):
+            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
+        self.assertIsNone(result)
+
+    def test_push_event_matches_via_prettyref(self):
+        run = self._make_push_run("issue-166-fix")
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": [run]}):
+            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
+        self.assertIsNotNone(result)
+        self.assertEqual(result["id"], 2)
+
+    def test_push_event_prettyref_pr_number_does_not_match_branch(self):
+        # Forgejo sets prettyref="#169" for PR runs — must not match branch name.
+        run = {"event": "push", "prettyref": "#169", "status": "success", "id": 3}
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": [run]}):
+            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
+        self.assertIsNone(result)
+
+    def test_head_branch_field_absent_still_works(self):
+        # Regression: the old code used run.get("head_branch") which is absent in Forgejo.
+        run = self._make_pr_run("issue-166-fix")
+        self.assertNotIn("head_branch", run)
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": [run]}):
+            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
+        self.assertIsNotNone(result)
+
+    def test_returns_none_when_no_runs(self):
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": []}):
+            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
+        self.assertIsNone(result)
+
+    def test_returns_first_matching_run(self):
+        runs = [
+            self._make_pr_run("issue-166-fix", status="success"),
+            self._make_pr_run("issue-166-fix", status="failure"),
+        ]
+        runs[0]["id"] = 10
+        runs[1]["id"] = 11
+        with patch("agent_loop._tea_get", return_value={"workflow_runs": runs}):
+            result = agent_loop._latest_ci_run_for_branch("issue-166-fix")
+        self.assertEqual(result["id"], 10)
+
+
 if __name__ == "__main__":
     unittest.main()