From c6cd1a0ef35234ef297a10657b31971d9c4a2d97 Mon Sep 17 00:00:00 2001 From: Tracewebstudio Dev Date: Thu, 30 Apr 2026 21:36:42 +0200 Subject: [PATCH] fix(ci): add preflight token check and static secret usage
---
.github/workflows/sync-to-gitea.yml | 35 ++++++++++++++--------------- 1 file changed, 17 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/sync-to-gitea.yml b/.github/workflows/sync-to-gitea.yml
index e3d0cba..f11fc99 100644
--- a/.github/workflows/sync-to-gitea.yml
+++ b/.github/workflows/sync-to-gitea.yml
@@ -16,41 +16,40 @@ jobs: with: fetch-depth: 0 + - name: Preflight token check + env: + GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + run: | + set -euo pipefail + echo "actor=${GITHUB_ACTOR} repo=${GITHUB_REPOSITORY} ref=${GITHUB_REF_NAME}" + test -n "${GITEA_TOKEN:-}" || (echo "GITEA_TOKEN is empty" && exit 1) + echo "token_len=${#GITEA_TOKEN}" + curl -fsS -H "Authorization: token ${GITEA_TOKEN}" https://ci.nxtgauge.com/api/v1/user >/dev/null + - name: Sync to Gitea env: - GITEA_TOKEN_PRIMARY: ${{ secrets.GITEA_TOKEN }} - GITEA_TOKEN_FALLBACK: ${{ secrets.GITEA_SECRET }} + GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} GITEA_USERNAME: ${{ secrets.GITEA_USERNAME }} REPO: ${{ github.event.repository.name }} BRANCH: ${{ github.ref_name }} run: | set -euo pipefail - GITEA_TOKEN="${GITEA_TOKEN_PRIMARY:-${GITEA_TOKEN_FALLBACK:-}}" - if [ -z "${GITEA_TOKEN}" ]; then - echo "Missing token secret: set GITEA_TOKEN (preferred) or GITEA_SECRET" - exit 1 - fi + test -n "${GITEA_TOKEN:-}" || (echo "GITEA_TOKEN is empty" && exit 1) + test -n "${GITEA_USERNAME:-}" || (echo "GITEA_USERNAME is empty" && exit 1) git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" - GITEA_USER="$(curl -fsS -H "Authorization: token ${GITEA_TOKEN}" https://ci.nxtgauge.com/api/v1/user 2>/dev/null | jq -r '.login // empty' || true)" - if [ -z "$GITEA_USER" ]; then - GITEA_USER="${GITEA_USERNAME:-Admin}" - fi - TARGET="https://ci.nxtgauge.com/Admin/${REPO}.git" - AUTH="$(printf '%s' "${GITEA_USER}:${GITEA_TOKEN}" | base64 | tr -d '\n')" - AUTH_URL="https://${GITEA_USER}:${GITEA_TOKEN}@ci.nxtgauge.com/Admin/${REPO}.git" + TARGET_URL="https://${GITEA_USERNAME}:${GITEA_TOKEN}@ci.nxtgauge.com/Admin/${REPO}.git" - echo "Using Gitea user: ${GITEA_USER}" + echo "Using Gitea user: ${GITEA_USERNAME}" echo "Sync target: Admin/${REPO}.git" - curl -fsS -H "Authorization: Basic ${AUTH}" "${TARGET}/info/refs?service=git-receive-pack" >/dev/null - git ls-remote 
"${AUTH_URL}" >/dev/null + git ls-remote "${TARGET_URL}" >/dev/null git remote remove gitea 2>/dev/null || true - git remote add gitea "${AUTH_URL}" + git remote add gitea "${TARGET_URL}" git push gitea "HEAD:${BRANCH}" --force git push gitea --tags --force
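Review bot: `git remote add gitea "${TARGET_URL}"` in the "Sync to Gitea" step writes the username and token in clear text into `.git/config`, where any later step in the job can read them, and on a self-hosted runner so can later jobs that reuse the workspace. The commit carries this pattern over from the old `AUTH_URL`. Consider registering the remote without credentials, `git remote add gitea "https://ci.nxtgauge.com/Admin/${REPO}.git"`, and supplying the token per command through `http.extraHeader` or a credential helper. The removed lines already sent `Authorization: Basic ${AUTH}` to this endpoint, which suggests the server accepts it, but that should be confirmed. At minimum, run `git remote remove gitea` after the final push. In the preflight step, `echo "token_len=${#GITEA_TOKEN}"` publishes the secret's length in the job log and can be dropped, since the `test -n` line already covers the empty case.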