fix: update team creation to match new Forgejo SDK requirements

Updated the team creation logic to use the new UnitsMap structure
required by the latest Forgejo SDK version. Added explicit error
handling for the team creation process to ensure failures are properly
returned.

Author: chmouel

pkg/provider/gitea/acl.go

@@ -23,6 +23,10 @@ func (v *Provider) CheckPolicyAllowing(_ context.Context, event *info.Event, all
 		// we explicitly disallow the policy when there is no team on org
 		return false, fmt.Sprintf("no teams on org %s", event.Organization)
 	}
+	if resp.StatusCode == http.StatusForbidden {
+		v.Logger.Warnf("policy check: ListOrgTeams returned 403 for org %s, sender %s: %v", event.Organization, event.Sender, err)
+		return false, fmt.Sprintf("unable to list teams on org %s: the token used doesn't have permission to list teams in this org, make sure the token owner is a member of the org", event.Organization)
+	}
 	if err != nil {
 		// probably a 500 or another api error, no need to try again and again with other teams
 		return false, fmt.Sprintf("error while getting org team, error: %s", err.Error())

pkg/provider/gitea/acl_test.go

@@ -25,6 +25,7 @@ func TestCheckPolicyAllowing(t *testing.T) {
 		name                string
 		allowedTeams        []string
 		listOrgReply        string
+		listOrgStatusCode   int
 		listTeamMemberships string
 		wantAllowed         bool
 		wantReason          string
@@ -58,6 +59,13 @@ func TestCheckPolicyAllowing(t *testing.T) {
 			wantReason:   `error while getting org team, error: invalid character 't' in literal true (expecting 'r')`,
 			listOrgReply: `ttttttaaa`,
 		},
+		{
+			name:              "forbidden when listing org teams",
+			allowedTeams:      []string{"allowedTeam"},
+			listOrgStatusCode: http.StatusForbidden,
+			wantAllowed:       false,
+			wantReason:        "unable to list teams on org myorg: the token used doesn't have permission to list teams in this org, make sure the token owner is a member of the org",
+		},
 	}
 
 	for _, tt := range tests {
@@ -69,8 +77,12 @@ func TestCheckPolicyAllowing(t *testing.T) {
 				Organization: "myorg",
 				Sender:       "allowedUser",
 			}
-			if tt.listOrgReply != "" {
+			if tt.listOrgReply != "" || tt.listOrgStatusCode != 0 {
 				mux.HandleFunc(fmt.Sprintf("/orgs/%s/teams", event.Organization), func(rw http.ResponseWriter, _ *http.Request) {
+					if tt.listOrgStatusCode != 0 {
+						rw.WriteHeader(tt.listOrgStatusCode)
+						return
+					}
 					fmt.Fprint(rw, tt.listOrgReply)
 				})
 			}

test/pkg/gitea/crd.go

@@ -2,6 +2,7 @@ package gitea
 
 import (
 	"context"
+	"fmt"
 	"os"
 
 	"codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v3"
@@ -15,8 +16,14 @@ import (
 const webhookSecretName = "webhook-secret"
 
 // CreateToken creates gitea token with all scopes.
+// It creates the token for the authenticated admin user rather than the org,
+// because Forgejo 13+ doesn't allow org tokens to list org teams.
 func CreateToken(topts *TestOpts) (string, error) {
-	token, _, err := topts.GiteaCNX.Client().CreateAccessToken(topts.Opts.Organization, forgejo.CreateAccessTokenOption{
+	userInfo, _, err := topts.GiteaCNX.Client().GetMyUserInfo()
+	if err != nil {
+		return "", fmt.Errorf("failed to get current user info: %w", err)
+	}
+	token, _, err := topts.GiteaCNX.Client().CreateAccessToken(userInfo.UserName, forgejo.CreateAccessTokenOption{
 		Name:   topts.TargetNS,
 		Scopes: []forgejo.AccessTokenScope{forgejo.AccessTokenScopeAll},
 	})

test/pkg/gitea/scm.go

@@ -112,13 +112,32 @@ func CreateGiteaRepo(giteaClient *forgejo.Client, user, name, defaultBranch, hoo
 	// Create a new repo
 	if onOrg {
 		logger.Infof("Creating org %s", name)
+		adminUser := user
 		user = "org-" + name
 		_, _, err := giteaClient.CreateOrg(forgejo.CreateOrgOption{
 			Name: user,
 		})
 		if err != nil {
 			return nil, fmt.Errorf("failed to create org: %w", err)
 		}
+		// Ensure admin user is in the Owners team so that ListOrgTeams works
+		// with the admin token (Forgejo 13+ requires org membership).
+		teams, _, listErr := giteaClient.ListOrgTeams(user, forgejo.ListTeamsOptions{})
+		if listErr != nil {
+			logger.Warnf("failed to list org teams for %s: %v", user, listErr)
+		} else {
+			for _, team := range teams {
+				if team.Name == "Owners" {
+					_, addErr := giteaClient.AddTeamMember(team.ID, adminUser)
+					if addErr != nil {
+						logger.Warnf("failed to add user %s to Owners team in org %s: %v", adminUser, user, addErr)
+					} else {
+						logger.Infof("added user %s to Owners team in org %s", adminUser, user)
+					}
+					break
+				}
+			}
+		}
 		logger.Infof("Creating gitea repository on org %s", name)
 		repo, _, err = giteaClient.CreateOrgRepo(user, forgejo.CreateRepoOption{
 			Name:        name,
@@ -170,13 +189,16 @@ func GetGiteaRepo(giteaClient *forgejo.Client, user, name string, _ *zap.Sugared
 func CreateTeam(topts *TestOpts, orgName, teamName string) (*forgejo.Team, error) {
 	team, _, err := topts.GiteaCNX.Client().CreateTeam(orgName, forgejo.CreateTeamOption{
 		Permission: forgejo.AccessModeWrite,
-		Units: []forgejo.RepoUnitType{
-			forgejo.RepoUnitPulls,
+		UnitsMap: map[string]string{
+			string(forgejo.RepoUnitPulls): "write",
 		},
 		Name: teamName,
 	})
+	if err != nil {
+		return nil, err
+	}
 	topts.ParamsRun.Clients.Log.Infof("Team %s has been created on Org %s", team.Name, orgName)
-	return team, err
+	return team, nil
 }
 
 func RemoveCommentMatching(topts *TestOpts, commentString *regexp.Regexp) error {