Harden registry credentials in workflow

.gitea/workflows/ci.yml

@@ -43,12 +43,44 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Resolve registry settings
+        id: registry
+        shell: bash
+        env:
+          SECRET_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          SECRET_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          SECRET_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+          SECRET_IMAGE: ${{ secrets.REGISTRY_IMAGE }}
+        run: |
+          set -euo pipefail
+          username="${SECRET_USERNAME:-${GITHUB_ACTOR}}"
+          password="${SECRET_PASSWORD:-${SECRET_TOKEN:-}}"
+          image="${SECRET_IMAGE:-gitea.reversed.dev/space/evil-wordle}"
+
+          if [ -z "$username" ]; then
+            echo "::error::Registry username is empty. Set REGISTRY_USERNAME or ensure GITHUB_ACTOR is available."
+            exit 1
+          fi
+
+          if [ -z "$password" ]; then
+            echo "::error::Registry password is empty. Set REGISTRY_PASSWORD to a Gitea token with package read/write access."
+            exit 1
+          fi
+
+          {
+            echo "username=$username"
+            echo "image=$image"
+          } >> "$GITHUB_OUTPUT"
+
+          echo "::add-mask::$password"
+          echo "password=$password" >> "$GITHUB_OUTPUT"
+
       - name: Log in to Gitea registry
         uses: docker/login-action@v3
         with:
           registry: gitea.reversed.dev
-          username: ${{ secrets.REGISTRY_USERNAME }}
+          username: ${{ steps.registry.outputs.username }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
+          password: ${{ steps.registry.outputs.password }}
 
       - name: Compute image tags
         id: meta
@@ -56,13 +88,14 @@ jobs:
         run: |
           set -euo pipefail
           short_sha="${GITHUB_SHA::7}"
-          tags="${{ secrets.REGISTRY_IMAGE }}:${short_sha}"
+          image="${{ steps.registry.outputs.image }}"
+          tags="${image}:${short_sha}"
           if [ "${GITHUB_REF_NAME}" = "main" ]; then
-            tags="${tags}\n${{ secrets.REGISTRY_IMAGE }}:latest"
+            tags="${tags}\n${image}:latest"
           fi
           if [[ "${GITHUB_REF_TYPE}" = "tag" ]]; then
             clean_tag="${GITHUB_REF_NAME#v}"
-            tags="${tags}\n${{ secrets.REGISTRY_IMAGE }}:${clean_tag}"
+            tags="${tags}\n${image}:${clean_tag}"
           fi
           {
             echo 'tags<<EOF'
@@ -127,4 +160,4 @@ jobs:
               raise
           PY
         env:
-          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          REGISTRY_PASSWORD: ${{ steps.registry.outputs.password }}

README.md

@@ -36,9 +36,11 @@ Gitea Actions workflow: `.gitea/workflows/ci.yml`
 
 Required repository or organization secrets:
 
-- `REGISTRY_USERNAME`: Gitea username allowed to publish packages
 - `REGISTRY_PASSWORD`: Gitea personal access token with package read/write access
-- `REGISTRY_IMAGE`: full image name, for example `gitea.reversed.dev/space/evil-wordle`
+- `REGISTRY_USERNAME`: optional; defaults to the Gitea Actions actor
+- `REGISTRY_IMAGE`: optional; defaults to `gitea.reversed.dev/space/evil-wordle`
+
+The workflow also accepts `REGISTRY_TOKEN` as a fallback for `REGISTRY_PASSWORD`.
 
 The workflow uses `catthehacker/ubuntu:act-latest`, Docker Buildx, and links the published package back to the `space/evil-wordle` repository through the Gitea API.