space/evil-wordle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: space:f478c335fb597c2f6bef6f8532bbc0ad57c1a1fe
Branches Tags
space:main
...
compare: space:76e6ced2058525cc6d4aed400bda65d701e78f64
Branches Tags
space:main

2 Commits
f478c335fb ... 76e6ced205

Author SHA1 Message Date
Space-Banane
76e6ced205 Use explicit Gitea registry credentials
Some checks are pending
test-build-publish / docker (push) Has started running
Details
2026-05-14 18:35:41 +02:00
Space-Banane
5b442b09f5 Harden registry credentials in workflow 2026-05-14 18:13:12 +02:00
2 changed files with 54 additions and 10 deletions
Expand all files Collapse all files

56
.gitea/workflows/ci.yml
View File

@@ -43,12 +43,48 @@ jobs:
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v3
- name: Resolve registry settings
id: registry
shell: bash
env:
SECRET_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
SECRET_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
SECRET_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
SECRET_IMAGE: ${{ secrets.REGISTRY_IMAGE }}
run: |
set -euo pipefail
username="${SECRET_USERNAME:-}"
password="${SECRET_PASSWORD:-${SECRET_TOKEN:-}}"
image="${SECRET_IMAGE:-gitea.reversed.dev/space/evil-wordle}"
if [ -z "$username" ]; then
echo "::error::Registry username is empty. Set REGISTRY_USERNAME to the Gitea user that owns the token."
exit 1
fi
if [ -z "$password" ]; then
echo "::error::Registry password is empty. Set REGISTRY_PASSWORD to a Gitea token with package read/write access."
exit 1
fi
{
echo "username=$username"
echo "image=$image"
} >> "$GITHUB_OUTPUT"
echo "::add-mask::$password"
- name: Log in to Gitea registry - name: Log in to Gitea registry
uses: docker/login-action@v3 shell: bash
with: env:
registry: gitea.reversed.dev REGISTRY_USERNAME: ${{ steps.registry.outputs.username }}
username: ${{ secrets.REGISTRY_USERNAME }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
password: ${{ secrets.REGISTRY_PASSWORD }} REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
set -euo pipefail
password="${REGISTRY_PASSWORD:-${REGISTRY_TOKEN:-}}"
echo "::add-mask::$password"
echo "$password" | docker login gitea.reversed.dev -u "$REGISTRY_USERNAME" --password-stdin
- name: Compute image tags - name: Compute image tags
id: meta id: meta
@@ -56,13 +92,14 @@ jobs:
run: | run: |
set -euo pipefail set -euo pipefail
short_sha="${GITHUB_SHA::7}" short_sha="${GITHUB_SHA::7}"
tags="${{ secrets.REGISTRY_IMAGE }}:${short_sha}" image="${{ steps.registry.outputs.image }}"
tags="${image}:${short_sha}"
if [ "${GITHUB_REF_NAME}" = "main" ]; then if [ "${GITHUB_REF_NAME}" = "main" ]; then
tags="${tags}\n${{ secrets.REGISTRY_IMAGE }}:latest" tags="${tags}\n${image}:latest"
fi fi
if [[ "${GITHUB_REF_TYPE}" = "tag" ]]; then if [[ "${GITHUB_REF_TYPE}" = "tag" ]]; then
clean_tag="${GITHUB_REF_NAME#v}" clean_tag="${GITHUB_REF_NAME#v}"
tags="${tags}\n${{ secrets.REGISTRY_IMAGE }}:${clean_tag}" tags="${tags}\n${image}:${clean_tag}"
fi fi
{ {
echo 'tags<<EOF' echo 'tags<<EOF'
@@ -83,6 +120,8 @@ jobs:
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
token="${REGISTRY_PASSWORD:-${REGISTRY_TOKEN:-}}"
export REGISTRY_PASSWORD="$token"
python3 - <<'PY' python3 - <<'PY'
import json import json
import os import os
@@ -128,3 +167,4 @@ jobs:
PY PY
env: env:
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}

8
README.md
View File

@@ -36,9 +36,13 @@ Gitea Actions workflow: `.gitea/workflows/ci.yml`
Required repository or organization secrets: Required repository or organization secrets:
- `REGISTRY_USERNAME`: Gitea username allowed to publish packages
- `REGISTRY_PASSWORD`: Gitea personal access token with package read/write access - `REGISTRY_PASSWORD`: Gitea personal access token with package read/write access
- `REGISTRY_IMAGE`: full image name, for example `gitea.reversed.dev/space/evil-wordle` - `REGISTRY_USERNAME`: Gitea username that owns the token
- `REGISTRY_IMAGE`: optional; defaults to `gitea.reversed.dev/space/evil-wordle`
The workflow also accepts `REGISTRY_TOKEN` as a fallback for `REGISTRY_PASSWORD`.
For organization packages such as `space/evil-wordle`, the username is still the actual Gitea user account for the token, not the organization name. That user needs permission to publish packages under `space`.
The workflow uses `catthehacker/ubuntu:act-latest`, Docker Buildx, and links the published package back to the `space/evil-wordle` repository through the Gitea API. The workflow uses `catthehacker/ubuntu:act-latest`, Docker Buildx, and links the published package back to the `space/evil-wordle` repository through the Gitea API.