fix(forgejo): support fallback for all forgejo-* host types

[2franix]

Changes

When running renovate against my self-hosted forgejo instance, I noticed that some requests to forgejo API were not properly authenticated and were failing with 403. My config file was:

module.exports = {
  platform: "forgejo",
  endpoint: "https://---redacted---",
  autodiscover: true,
}

I was also setting the RENOVATE_TOKEN env var with a valid token. As a user, I am expecting this to be sufficient for any API call targeting my instance.

After some investigation, I noticed that requests with hostType: 'forgejo' were authenticated and successful but those with hostType: 'forgejo-tags' were left unauthenticated and failing. I noticed that adding an explicit host rule with hostType: 'forgejo-tags' and proper authentication was indeed making the calls succeed. But as a user, I don't expect to have to repeat my token for each and every host subtype.

I dug a little more in the code and found -I think- the cause of the bug: lib/util/http/host-rules.ts is not applying any fallback mechanism like it does for gitea. Since gitea and forgejo are still very close to one another in terms of behavior, that does not seem right. I added the fallback and my 403 errors went away.

When investigating, I found another place where a fallback was present for gitea but was missing for forgejo: lib/util/http/auth.ts applies bearer auth if a token is present. I figured this deserved a fix as well but that does not seem to have any impact on my issue, so I am not quite sure if this change is relevant or not. Hopefully you can :)

Disclaimer

I humbly confess I did not understand all the ins and outs of authentication in renovate. I used my intuition and common sense to hopefully fix what I believe to be a bug in renovate. But give me your honest feedback about both changes. If they should deserve separate PRs or if they are not ideal, I am happy to improve the PR.

Context

Please select one of the following:

• This closes an existing Issue, Closes: #
• This doesn't close an Issue, but I accept the risk that this PR may be closed if maintainers disagree with its opening or implementation

AI assistance disclosure

Did you use AI tools to create any part of this pull request?

Please select one option and, if yes, briefly describe how AI was used (e.g., code, tests, docs) and which tool(s) you used.

• No — I did not use AI for this contribution. (I'd rather die than do such thing 😱)
• Yes — minimal assistance (e.g., IDE autocomplete, small code completions, grammar fixes).
• Yes — substantive assistance (AI-generated non‑trivial portions of code, tests, or documentation).
• Yes — other (please describe):

Documentation (please check one with an [x])

• I have updated the documentation, or
• No documentation update is required, to my knowledge. Let me know if there are places that deserve an update, though!

How I've tested my work (please select one)

I have verified these changes via:

• Code inspection only, or
• Newly added/modified unit tests, or
• No unit tests, but ran on a real repository, or
• Both unit tests + ran on a real repository

The public repository: none. I used a private repo.

[cla-assistant]

All committers have signed the CLA.

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

2franix seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[2franix]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
2franix seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

Not sure why the CLA bot changed its mind. I did sign the CLA and the email address stored in my commits are now linked to my GH account.

[github-actions]

Hi there,

You are using done comments which cause a lot of noise/notifications. Instead, please use GitHub's web interface to request another review. Please read our contributing guidelines to reduce noise.

Good luck,

The Renovate team

[github-actions]

🎉 This PR is included in version 42.58.3 🎉

The release is available on:

• GitHub release
• 42.58.3

Your semantic-release bot 📦🚀