From 804e32a4189048d1df841bb780db20cfc5ee9cc8 Mon Sep 17 00:00:00 2001
From: root <dev@okcuu.ru>
Date: Fri, 1 May 2026 02:39:42 +0300
Subject: [PATCH] workflows: surface GITHUB_TOKEN via env, use it in clone URL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Root cause of the earlier "Failed to authenticate" / "could not read
Username" failures: shell scripts in Gitea Actions don't automatically
inherit secrets — \${GITHUB_TOKEN} expanded to an empty string, so the
URL became "https://forgejo-runner:@..." (empty password) and Gitea's
auth layer rejected it.

Fix: explicit env: block on the Checkout step pulls the token in,
then the URL uses it via x-access-token (canonical token-as-password
username, accepted by Gitea, GitHub, Forgejo alike).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/build.yml   | 20 ++++++++++----------
 .gitea/workflows/release.yml |  5 +++--
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 69932d2..7274ee2 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -28,12 +28,12 @@ jobs:
     runs-on: go
     steps:
       - name: Checkout
+        env:
+          # Gitea Actions doesn't auto-export GITHUB_TOKEN to the shell;
+          # we have to read it from secrets and surface it explicitly.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          # Public repo — clone without auth. Both Gitea and Forgejo
-          # rejected hardcoded "forgejo-runner"/"x-access-token" basic-auth
-          # formulas; for an unauthenticated read on public repos plain
-          # https works on every server.
-          git clone --no-checkout "https://git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
+          git clone --no-checkout "https://x-access-token:${GITHUB_TOKEN}@git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
           git -C /tmp/src checkout "$GITHUB_SHA"
           cp -a /tmp/src/. .
       - name: Vet
@@ -51,12 +51,12 @@ jobs:
     needs: test
     steps:
       - name: Checkout
+        env:
+          # Gitea Actions doesn't auto-export GITHUB_TOKEN to the shell;
+          # we have to read it from secrets and surface it explicitly.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          # Public repo — clone without auth. Both Gitea and Forgejo
-          # rejected hardcoded "forgejo-runner"/"x-access-token" basic-auth
-          # formulas; for an unauthenticated read on public repos plain
-          # https works on every server.
-          git clone --no-checkout "https://git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
+          git clone --no-checkout "https://x-access-token:${GITHUB_TOKEN}@git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
           git -C /tmp/src checkout "$GITHUB_SHA"
           cp -a /tmp/src/. .
       - name: Cross-compile drover.exe (windows/amd64)
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index e335308..ad66a2c 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -17,9 +17,10 @@ jobs:
     runs-on: go
     steps:
       - name: Checkout
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          # Public repo — clone without auth (see build.yml for rationale).
-          git clone --no-checkout "https://git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
+          git clone --no-checkout "https://x-access-token:${GITHUB_TOKEN}@git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
           git -C /tmp/src checkout "$GITHUB_SHA"
           cp -a /tmp/src/. .