From 8c70640bfd8ef428c4765fbda53528d317cbcc3e Mon Sep 17 00:00:00 2001
From: root <dev@okcuu.ru>
Date: Fri, 1 May 2026 02:38:25 +0300
Subject: [PATCH] workflows: clone without auth (public repo, no basic-auth
 needed)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both 'forgejo-runner:$TOKEN' and 'x-access-token:$TOKEN' formulas
are rejected by Gitea's act_runner with HTTP 401:
  remote: Failed to authenticate user
  fatal: Authentication failed

For public repos the simplest fix is: don't send credentials at all.
Plain https://host/owner/repo.git clones unauthenticated and Gitea
serves it (root/drover-go is public).

If/when we move to private repos this'll need a different approach
(GITEA_TOKEN env, oauth2 username, or .netrc) — but that's a future
problem.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/build.yml   | 12 ++++++++++--
 .gitea/workflows/release.yml |  3 ++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 20edc18..69932d2 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -29,7 +29,11 @@ jobs:
     steps:
       - name: Checkout
         run: |
-          git clone --no-checkout "https://x-access-token:${GITHUB_TOKEN}@git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
+          # Public repo — clone without auth. Both Gitea and Forgejo
+          # rejected hardcoded "forgejo-runner"/"x-access-token" basic-auth
+          # formulas; for an unauthenticated read on public repos plain
+          # https works on every server.
+          git clone --no-checkout "https://git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
           git -C /tmp/src checkout "$GITHUB_SHA"
           cp -a /tmp/src/. .
       - name: Vet
@@ -48,7 +52,11 @@ jobs:
     steps:
       - name: Checkout
         run: |
-          git clone --no-checkout "https://x-access-token:${GITHUB_TOKEN}@git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
+          # Public repo — clone without auth. Both Gitea and Forgejo
+          # rejected hardcoded "forgejo-runner"/"x-access-token" basic-auth
+          # formulas; for an unauthenticated read on public repos plain
+          # https works on every server.
+          git clone --no-checkout "https://git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
           git -C /tmp/src checkout "$GITHUB_SHA"
           cp -a /tmp/src/. .
       - name: Cross-compile drover.exe (windows/amd64)
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index f77e6c8..e335308 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -18,7 +18,8 @@ jobs:
     steps:
       - name: Checkout
         run: |
-          git clone --no-checkout "https://x-access-token:${GITHUB_TOKEN}@git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
+          # Public repo — clone without auth (see build.yml for rationale).
+          git clone --no-checkout "https://git.okcu.io/${GITHUB_REPOSITORY}.git" /tmp/src
           git -C /tmp/src checkout "$GITHUB_SHA"
           cp -a /tmp/src/. .