fix(ci): add preflight token check and static secret usage

2026-04-30 21:36:42 +02:00 · 2026-04-30 21:36:42 +02:00 · fb817595e0
commit fb817595e0
parent 1d06760aba
1 changed files with 17 additions and 18 deletions
--- a/.github/workflows/sync-to-gitea.yml
+++ b/.github/workflows/sync-to-gitea.yml
@ -16,41 +16,40 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Preflight token check
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+        run: |
+          set -euo pipefail
+          echo "actor=${GITHUB_ACTOR} repo=${GITHUB_REPOSITORY} ref=${GITHUB_REF_NAME}"
+          test -n "${GITEA_TOKEN:-}" || (echo "GITEA_TOKEN is empty" && exit 1)
+          echo "token_len=${#GITEA_TOKEN}"
+          curl -fsS -H "Authorization: token ${GITEA_TOKEN}" https://ci.nxtgauge.com/api/v1/user >/dev/null
+
      - name: Sync to Gitea
        env:
-          GITEA_TOKEN_PRIMARY: ${{ secrets.GITEA_TOKEN }}
-          GITEA_TOKEN_FALLBACK: ${{ secrets.GITEA_SECRET }}
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          GITEA_USERNAME: ${{ secrets.GITEA_USERNAME }}
          REPO: ${{ github.event.repository.name }}
          BRANCH: ${{ github.ref_name }}
        run: |
          set -euo pipefail

-          GITEA_TOKEN="${GITEA_TOKEN_PRIMARY:-${GITEA_TOKEN_FALLBACK:-}}"
-          if [ -z "${GITEA_TOKEN}" ]; then
-            echo "Missing token secret: set GITEA_TOKEN (preferred) or GITEA_SECRET"
-            exit 1
-          fi
+          test -n "${GITEA_TOKEN:-}" || (echo "GITEA_TOKEN is empty" && exit 1)
+          test -n "${GITEA_USERNAME:-}" || (echo "GITEA_USERNAME is empty" && exit 1)

          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

-          GITEA_USER="$(curl -fsS -H "Authorization: token ${GITEA_TOKEN}" https://ci.nxtgauge.com/api/v1/user 2>/dev/null | jq -r '.login // empty' || true)"
-          if [ -z "$GITEA_USER" ]; then
-            GITEA_USER="${GITEA_USERNAME:-Admin}"
-          fi
-          TARGET="https://ci.nxtgauge.com/Admin/${REPO}.git"
-          AUTH="$(printf '%s' "${GITEA_USER}:${GITEA_TOKEN}" | base64 | tr -d '\n')"
-          AUTH_URL="https://${GITEA_USER}:${GITEA_TOKEN}@ci.nxtgauge.com/Admin/${REPO}.git"
+          TARGET_URL="https://${GITEA_USERNAME}:${GITEA_TOKEN}@ci.nxtgauge.com/Admin/${REPO}.git"

-          echo "Using Gitea user: ${GITEA_USER}"
+          echo "Using Gitea user: ${GITEA_USERNAME}"
          echo "Sync target: Admin/${REPO}.git"

-          curl -fsS -H "Authorization: Basic ${AUTH}" "${TARGET}/info/refs?service=git-receive-pack" >/dev/null
-          git ls-remote "${AUTH_URL}" >/dev/null
+          git ls-remote "${TARGET_URL}" >/dev/null

          git remote remove gitea 2>/dev/null || true
-          git remote add gitea "${AUTH_URL}"
+          git remote add gitea "${TARGET_URL}"

          git push gitea "HEAD:${BRANCH}" --force
          git push gitea --tags --force