PR #1029 added a step-06 PATCH to flip mirror=false before push so
the cutover-helmrepository-patches Job could write HelmRepository
URL pivots to local Gitea. On Gitea 1.22.3 the PATCH returns 200
but silently no-ops — `mirror_interval` updates but `mirror: true`
stays. The repo remains read-only and step-06 still hits HTTP 403
"remote: mirror repository is read-only". Reproduced on otech127
2026-05-05 with chart 0.1.22 deployed.
Per ADR (cutover ends upstream tracking — Sovereign goes
self-hosted from this point), the architecturally correct fix is
to never create the mirror in the first place. Step-01 now creates
a regular Gitea repo and bare-clones+pushes upstream content. All
refs (branches+tags) replicate via `git push --mirror --force`,
which is idempotent on re-runs.
Trade-off: post-cutover Sovereigns no longer auto-sync from
upstream — that's the intended cutover semantics anyway. Operator
re-runs this Job manually for chart rollouts (next-session
follow-up: dedicated post-cutover sync mechanism, perhaps a
periodic CronJob the operator can opt into).
Bumps:
- bp-self-sovereign-cutover chart 0.1.22 → 0.1.23
- bootstrap-kit pin 0.1.22 → 0.1.23
Co-authored-by: Hati Yildiz <hatiyildiz@openova.io>
a6fb97f2ef