feat: convert Forgejo and Gitea SDK records

[mariusvniekerk]

Maps concrete Forgejo and Gitea SDK structs into the shared gitea-like DTO layer, including Forgejo Actions runs and Gitea draft pull requests.

[mariusvniekerk]

This change is part of the following stack:

• docs: plan Forgejo provider implementation #265
  • feat: add Forgejo and Gitea SDK client skeletons #267
    • feat: share Forgejo and Gitea provider core #268
      • feat: convert Forgejo and Gitea SDK records #269 ◀
        • feat: read Forgejo and Gitea through shared provider core #270
          • feat: start Forgejo and Gitea providers at runtime #271
            • feat: recognize Forgejo and Gitea provider configuration #266
              • test: cover Forgejo and Gitea repository imports #272
                • feat: expose Forgejo and Gitea repository imports #273
                  • test: add Forgejo and Gitea container fixtures #274
                  • feat: enable proven Forgejo and Gitea mutations #275
                  • docs: document Forgejo and Gitea setup #276
                  • feat: add gitealike Actions CI parity #281

_{Change managed by git-spice.}

[roborev-ci]

roborev: Combined Review (da3c8f2)

Medium-risk gaps remain: Forgejo draft state is dropped, and draft normalization lacks required E2E coverage.

Medium

• internal/platform/forgejo/convert.go:39
  Forgejo pull requests do not populate PullRequestDTO.Draft, so draft Forgejo PRs normalize as non-draft even though shared normalization now relies on pr.Draft. Map the Forgejo SDK draft/WIP field in convertPullRequest and add converter coverage for a draft PR.

• internal/platform/gitealike/normalize.go:67
  The draft-state data flow changed, but coverage is limited to package-level unit tests. Add an E2E test through the real HTTP API and SQLite path that syncs or seeds a Gitea-like draft PR and verifies the API returns it as draft.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (bebe647)

No Medium-or-higher findings were reported across the reviews.

All agents that provided findings agree the diff is clean for reportable issues.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (90ac716)

Medium-risk issues remain around Forgejo draft detection and missing full-flow coverage.

Medium

• internal/platform/forgejo/convert.go:42 - Forgejo draft state is inferred from a hard-coded title-prefix list. Instances with different WIP prefixes may sync draft PRs as non-draft, or regular PRs as draft. Use a Forgejo API/SDK draft or WIP field if available; otherwise make accepted WIP prefixes configurable and test that path.

• internal/platform/forgejo/convert_test.go:13 - Draft-state coverage is limited to direct converter unit tests. Add an end-to-end/API + SQLite test that syncs a Forgejo-like WIP PR through the real data flow and asserts the stored/served draft state.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (e278070)

Adds Forgejo/Gitea conversion coverage, but one medium test-coverage gap remains.

Medium

• internal/platform/forgejo/convert_test.go:12, internal/platform/gitea/convert_test.go:12
  The new Forgejo/Gitea SDK-to-DTO flow, including draft/WIP state, is only covered by private converter unit tests. There is no full sync path coverage through HTTP fixtures, SQLite persistence, and API readback.
  Fix: Add e2e coverage with Forgejo/Gitea API fixtures that sync a PR and verify persisted/API-visible fields such as draft state, labels, branch metadata, merged/closed times, and CI status.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (94e4fda)

Clean review: no Medium, High, or Critical findings were reported.

All agents either found no issues or provided no reportable findings.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (596d83f)

Medium issues found; no Critical or High findings reported.

Medium

• internal/platform/gitea/convert.go:134, internal/platform/forgejo/convert.go:142 - Unvalidated CI status URLs are persisted and rendered as clickable links. A malicious or compromised status publisher could set target_url to a dangerous scheme such as javascript:, which may execute script or navigate the local dashboard unexpectedly when clicked.
  Fix: Allow only http and https status target URLs before storing or rendering them, and add API/UI coverage for rejected unsafe schemes.

• internal/platform/forgejo/convert.go:43 - The Forgejo WIP draft fix lacks full conversion-path coverage. The new full-stack test seeds Draft: true directly into a gitealike.PullRequestDTO, so it would still pass if forgejoDraftFromTitle or SDK-to-DTO conversion regressed.
  Fix: Add e2e coverage that drives a Forgejo WIP pull request through the real conversion path and verifies the stored/API merge request has IsDraft: true.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (6aa70c5)

Summary verdict: one medium test coverage gap remains; no higher-severity issues were reported.

Medium

• internal/server/api_test.go:8699 - The unsafe gitealike status URL handling is only covered at converter-unit level. There is no full-stack HTTP API plus SQLite test proving an unsafe status TargetURL is discarded before persistence and omitted from client responses.
  • Fix: Add an e2e/API test that syncs a gitealike PR status with a javascript: or otherwise unsafe target URL, then assert the stored merge request/check payload and API response do not expose it.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (25dd2b8)

No Medium, High, or Critical findings were reported.

All reported issues were Low severity, so they are omitted per the review rules.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (809f2dc)

Summary verdict: One medium test coverage gap remains; no high or critical findings were reported.

Medium

• internal/platform/gitealike/normalize.go:259
NormalizeStatuses sanitizes action run HTMLURL values, but coverage only exercises unsafe commit status URLs. An unsafe action run URL could regress without an e2e/API+SQLite test catching it.
  Fix: Extend the gitealike server persistence/readback test to return an action run with a javascript: HTMLURL and assert the API/DB CIChecksJSON does not contain it.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (b2ae569)

No Medium, High, or Critical issues found.

All reviewers agreed the change is clean.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

[roborev-ci]

roborev: Combined Review (add0e73)

All reviewers found no Medium-or-higher issues.

No issues found.

---

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)