Reduce nginx container log noise

.gitea/workflows/ci.yml

@@ -22,20 +22,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Set up Node.js
+      - name: Check app
-        uses: actions/setup-node@v4
+        run: docker build --target ci -t evil-wordle-ci .
-        with:
-          node-version: '22'
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Lint
-        run: npm run lint
-
-      - name: Build app
-        run: npm run build
 
       - name: Validate compose file
         run: docker compose config
@@ -43,12 +31,48 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Resolve registry settings
+        id: registry
+        shell: bash
+        env:
+          SECRET_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+          SECRET_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          SECRET_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+          SECRET_IMAGE: ${{ secrets.REGISTRY_IMAGE }}
+        run: |
+          set -euo pipefail
+          username="${SECRET_USERNAME:-}"
+          password="${SECRET_PASSWORD:-${SECRET_TOKEN:-}}"
+          image="${SECRET_IMAGE:-gitea.reversed.dev/space/evil-wordle}"
+
+          if [ -z "$username" ]; then
+            echo "::error::Registry username is empty. Set REGISTRY_USERNAME to the Gitea user that owns the token."
+            exit 1
+          fi
+
+          if [ -z "$password" ]; then
+            echo "::error::Registry password is empty. Set REGISTRY_PASSWORD to a Gitea token with package read/write access."
+            exit 1
+          fi
+
+          {
+            echo "username=$username"
+            echo "image=$image"
+          } >> "$GITHUB_OUTPUT"
+
+          echo "::add-mask::$password"
+
       - name: Log in to Gitea registry
-        uses: docker/login-action@v3
+        shell: bash
-        with:
+        env:
-          registry: gitea.reversed.dev
+          REGISTRY_USERNAME: ${{ steps.registry.outputs.username }}
-          username: ${{ secrets.REGISTRY_USERNAME }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+        run: |
+          set -euo pipefail
+          password="${REGISTRY_PASSWORD:-${REGISTRY_TOKEN:-}}"
+          echo "::add-mask::$password"
+          echo "$password" | docker login gitea.reversed.dev -u "$REGISTRY_USERNAME" --password-stdin
 
       - name: Compute image tags
         id: meta
@@ -56,13 +80,14 @@ jobs:
         run: |
           set -euo pipefail
           short_sha="${GITHUB_SHA::7}"
-          tags="${{ secrets.REGISTRY_IMAGE }}:${short_sha}"
+          image="${{ steps.registry.outputs.image }}"
+          tags="${image}:${short_sha}"
           if [ "${GITHUB_REF_NAME}" = "main" ]; then
-            tags="${tags}\n${{ secrets.REGISTRY_IMAGE }}:latest"
+            tags="${tags}\n${image}:latest"
           fi
           if [[ "${GITHUB_REF_TYPE}" = "tag" ]]; then
             clean_tag="${GITHUB_REF_NAME#v}"
-            tags="${tags}\n${{ secrets.REGISTRY_IMAGE }}:${clean_tag}"
+            tags="${tags}\n${image}:${clean_tag}"
           fi
           {
             echo 'tags<<EOF'
@@ -83,6 +108,8 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
+          token="${REGISTRY_PASSWORD:-${REGISTRY_TOKEN:-}}"
+          export REGISTRY_PASSWORD="$token"
           python3 - <<'PY'
           import json
           import os
@@ -128,3 +155,4 @@ jobs:
           PY
         env:
           REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}

Dockerfile

@@ -1,11 +1,19 @@
-FROM node:22-alpine AS build
+FROM node:22-alpine AS deps
 WORKDIR /app
 COPY package*.json ./
 RUN npm ci
+
+FROM deps AS ci
+COPY . .
+RUN npm run lint
+RUN npm run build
+
+FROM deps AS build
 COPY . .
 RUN npm run build
 
 FROM nginx:1.27-alpine
+RUN sed -i 's#error_log /var/log/nginx/error.log notice;#error_log /var/log/nginx/error.log warn;#' /etc/nginx/nginx.conf
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=build /app/dist /usr/share/nginx/html
 EXPOSE 80

README.md

@@ -36,11 +36,15 @@ Gitea Actions workflow: `.gitea/workflows/ci.yml`
 
 Required repository or organization secrets:
 
-- `REGISTRY_USERNAME`: Gitea username allowed to publish packages
 - `REGISTRY_PASSWORD`: Gitea personal access token with package read/write access
-- `REGISTRY_IMAGE`: full image name, for example `gitea.reversed.dev/space/evil-wordle`
+- `REGISTRY_USERNAME`: Gitea username that owns the token
+- `REGISTRY_IMAGE`: optional; defaults to `gitea.reversed.dev/space/evil-wordle`
 
-The workflow uses `catthehacker/ubuntu:act-latest`, Docker Buildx, and links the published package back to the `space/evil-wordle` repository through the Gitea API.
+The workflow also accepts `REGISTRY_TOKEN` as a fallback for `REGISTRY_PASSWORD`.
+
+For organization packages such as `space/evil-wordle`, the username is still the actual Gitea user account for the token, not the organization name. That user needs permission to publish packages under `space`.
+
+The workflow uses `catthehacker/ubuntu:act-latest`, validates the app through the Dockerfile `ci` target, publishes with Docker Buildx, and links the package back to the `space/evil-wordle` repository through the Gitea API.
 
 On pushes to `main`, CI publishes: