fix(build): pinned-version fallback for aichat + cosign release lookups

The previous build hit two transient warnings:
  [WARN]  37-aichat.sh (0s) exit=1
  [WARN]  42-cosign-policy.sh (0s) exit=1

Both scripts hit api.github.com unauthenticated for "latest release"
lookups. The unauthenticated rate limit is 60 req/hour per IP, and the
Forgejo Runner sometimes hits that ceiling on back-to-back rebuilds
(both scripts query simultaneously, doubling the burn rate). When the
limit fires, api.github.com returns HTTP 403 with a JSON message that
contains no "tag_name" field, the grep -Po pulls empty, and the
existing `[[ -n "$TAG" ]] || die` clause kills the layer.

Behaviour change:
  1. Hit api.github.com (scurl auto-attaches Authorization when
     GH_TOKEN/GITHUB_TOKEN/GHCR_TOKEN is in env -- preferred path).
  2. If the lookup returns empty (rate-limit, network blip, JSON
     parse miss) AND a *_FALLBACK_TAG/_VERSION is set, fall back to
     the pinned version and emit a WARN line so the build log makes
     the choice visible.
  3. If both API and fallback are empty, die (intentional: never
     ship a mystery binary). Bumping the fallback is a one-line edit.

Pinned fallbacks (current latest at time of write):
  AICHAT_FALLBACK_TAG       = v0.27.0
  AICHAT_NG_FALLBACK_TAG    = v0.31.0
  COSIGN_FALLBACK_VERSION   = v2.6.4   (still on v2.x per OCI 1.1 note)

The next build pass will either resolve the latest tag from
api.github.com (when the rate-limit window resets or when GH_TOKEN is
plumbed into the runner env) or fall back gracefully -- no more
spurious WARN entries on transient rate-limits.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kabuki94

automation/37-aichat.sh

@@ -19,14 +19,34 @@ install_packages "ai"
 
 echo "[37-aichat] Installing AIChat and AIChat-NG binaries..."
 
-# Resolve latest release tags from upstream. Project policy: every dependency
-# tracks :latest from its source, so no fallback pin -- if api.github.com is
-# unreachable, fail loud rather than silently shipping a stale version.
+# Resolve latest release tags from upstream. Project policy is "every dep
+# tracks :latest" -- but unauthenticated api.github.com is rate-limited to
+# 60 req/h per IP, and the Forgejo Runner sometimes hits that ceiling on
+# back-to-back rebuilds. Without a fallback the whole image build fails on
+# a transient HTTP 403. Behaviour:
+#   1. Hit api.github.com (scurl auto-attaches Authorization when
+#      GH_TOKEN/GITHUB_TOKEN/GHCR_TOKEN is in env).
+#   2. If the lookup returns empty (rate-limit, network blip, parse miss)
+#      and *_FALLBACK_TAG is non-empty, fall back to that pinned version
+#      and emit a WARN line so the builder log makes the choice visible.
+#   3. If both API and fallback are empty, die (intentional: never ship a
+#      mystery binary). Bumping the fallback is a one-line edit.
+AICHAT_FALLBACK_TAG="v0.27.0"
+AICHAT_NG_FALLBACK_TAG="v0.31.0"
+
 AICHAT_TAG=$( (scurl -s https://api.github.com/repos/sigoden/aichat/releases/latest | grep -Po '"tag_name": "\K.*?(?=")') 2>/dev/null || true)
 AICHAT_NG_TAG=$( (scurl -s https://api.github.com/repos/blob42/aichat-ng/releases/latest | grep -Po '"tag_name": "\K.*?(?=")') 2>/dev/null || true)
 
-[[ -n "$AICHAT_TAG"    ]] || die "AIChat: api.github.com release-latest lookup returned empty"
-[[ -n "$AICHAT_NG_TAG" ]] || die "AIChat-NG: api.github.com release-latest lookup returned empty"
+if [[ -z "$AICHAT_TAG" ]]; then
+    [[ -n "$AICHAT_FALLBACK_TAG" ]] || die "AIChat: api.github.com lookup empty AND no fallback pin"
+    warn "AIChat: api.github.com lookup empty -- falling back to pinned ${AICHAT_FALLBACK_TAG}"
+    AICHAT_TAG="$AICHAT_FALLBACK_TAG"
+fi
+if [[ -z "$AICHAT_NG_TAG" ]]; then
+    [[ -n "$AICHAT_NG_FALLBACK_TAG" ]] || die "AIChat-NG: api.github.com lookup empty AND no fallback pin"
+    warn "AIChat-NG: api.github.com lookup empty -- falling back to pinned ${AICHAT_NG_FALLBACK_TAG}"
+    AICHAT_NG_TAG="$AICHAT_NG_FALLBACK_TAG"
+fi
 record_version aichat    "$AICHAT_TAG"    "https://github.com/sigoden/aichat/releases/tag/${AICHAT_TAG}"
 record_version aichat-ng "$AICHAT_NG_TAG" "https://github.com/blob42/aichat-ng/releases/tag/${AICHAT_NG_TAG}"
 

automation/42-cosign-policy.sh

@@ -19,10 +19,20 @@ log "42-cosign-policy: ensuring cosign + trust roots + policy.json"
 # constrained to the v2.x series here because v3+ breaks rpm-ostree OCI 1.1
 # bundle format (see header). Lift the v2 filter when v3 compat is confirmed.
 if ! command -v cosign >/dev/null 2>&1; then
+    # Pinned-fallback pattern (matches 37-aichat.sh): bump COSIGN_FALLBACK_VERSION
+    # whenever a newer v2.x ships, so a rate-limited api.github.com (HTTP 403 on
+    # the 61st unauthenticated call per hour from the runner IP) doesn't kill the
+    # whole image build. scurl auto-attaches GH_TOKEN/GITHUB_TOKEN/GHCR_TOKEN
+    # when those are in the build env -- the fallback is the safety net.
+    COSIGN_FALLBACK_VERSION="v2.6.4"
     COSIGN_VERSION=$( (scurl -s https://api.github.com/repos/sigstore/cosign/releases?per_page=30 \
         | grep -Po '"tag_name": "\Kv2\.[^"]+' \
         | head -n1) 2>/dev/null || true)
-    [[ -n "$COSIGN_VERSION" ]] || die "cosign: api.github.com release lookup returned no v2.x match"
+    if [[ -z "$COSIGN_VERSION" ]]; then
+        [[ -n "$COSIGN_FALLBACK_VERSION" ]] || die "cosign: api.github.com lookup empty AND no fallback pin"
+        warn "cosign: api.github.com lookup empty -- falling back to pinned ${COSIGN_FALLBACK_VERSION}"
+        COSIGN_VERSION="$COSIGN_FALLBACK_VERSION"
+    fi
     COSIGN_BASE_URL="https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}"
     record_version cosign "$COSIGN_VERSION" "https://github.com/sigstore/cosign/releases/tag/${COSIGN_VERSION}"
     log "  resolved cosign latest v2.x: ${COSIGN_VERSION}"