Harden registry credentials in workflow

2026-05-14 18:13:12 +02:00
parent f478c335fb
commit 5b442b09f5
2 changed files with 43 additions and 8 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -43,12 +43,44 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

+      - name: Resolve registry settings
+        id: registry
+        shell: bash
+        env:
+          SECRET_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          SECRET_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          SECRET_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+          SECRET_IMAGE: ${{ secrets.REGISTRY_IMAGE }}
+        run: |
+          set -euo pipefail
+          username="${SECRET_USERNAME:-${GITHUB_ACTOR}}"
+          password="${SECRET_PASSWORD:-${SECRET_TOKEN:-}}"
+          image="${SECRET_IMAGE:-gitea.reversed.dev/space/evil-wordle}"
+
+          if [ -z "$username" ]; then
+            echo "::error::Registry username is empty. Set REGISTRY_USERNAME or ensure GITHUB_ACTOR is available."
+            exit 1
+          fi
+
+          if [ -z "$password" ]; then
+            echo "::error::Registry password is empty. Set REGISTRY_PASSWORD to a Gitea token with package read/write access."
+            exit 1
+          fi
+
+          {
+            echo "username=$username"
+            echo "image=$image"
+          } >> "$GITHUB_OUTPUT"
+
+          echo "::add-mask::$password"
+          echo "password=$password" >> "$GITHUB_OUTPUT"
+
      - name: Log in to Gitea registry
        uses: docker/login-action@v3
        with:
          registry: gitea.reversed.dev
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
+          username: ${{ steps.registry.outputs.username }}
+          password: ${{ steps.registry.outputs.password }}

      - name: Compute image tags
        id: meta
@@ -56,13 +88,14 @@ jobs:
        run: |
          set -euo pipefail
          short_sha="${GITHUB_SHA::7}"
-          tags="${{ secrets.REGISTRY_IMAGE }}:${short_sha}"
+          image="${{ steps.registry.outputs.image }}"
+          tags="${image}:${short_sha}"
          if [ "${GITHUB_REF_NAME}" = "main" ]; then
-            tags="${tags}\n${{ secrets.REGISTRY_IMAGE }}:latest"
+            tags="${tags}\n${image}:latest"
          fi
          if [[ "${GITHUB_REF_TYPE}" = "tag" ]]; then
            clean_tag="${GITHUB_REF_NAME#v}"
-            tags="${tags}\n${{ secrets.REGISTRY_IMAGE }}:${clean_tag}"
+            tags="${tags}\n${image}:${clean_tag}"
          fi
          {
            echo 'tags<<EOF'
@@ -127,4 +160,4 @@ jobs:
              raise
          PY
        env:
-          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          REGISTRY_PASSWORD: ${{ steps.registry.outputs.password }}
--- a/README.md
+++ b/README.md
@@ -36,9 +36,11 @@ Gitea Actions workflow: `.gitea/workflows/ci.yml`

 Required repository or organization secrets:

- `REGISTRY_USERNAME`: Gitea username allowed to publish packages
 - `REGISTRY_PASSWORD`: Gitea personal access token with package read/write access
- `REGISTRY_IMAGE`: full image name, for example `gitea.reversed.dev/space/evil-wordle`
+- `REGISTRY_USERNAME`: optional; defaults to the Gitea Actions actor
+- `REGISTRY_IMAGE`: optional; defaults to `gitea.reversed.dev/space/evil-wordle`
+
+The workflow also accepts `REGISTRY_TOKEN` as a fallback for `REGISTRY_PASSWORD`.

 The workflow uses `catthehacker/ubuntu:act-latest`, Docker Buildx, and links the published package back to the `space/evil-wordle` repository through the Gitea API.