ci: reuse existing REGISTRY_TOKEN secret for package publish
docker / test (pull_request) Successful in 34s
test / test (pull_request) Successful in 43s
docker / docker (pull_request) Successful in 39s
docker / test (push) Successful in 34s
docker / lint (push) Successful in 40s
test / test (push) Successful in 42s
lint / lint (push) Successful in 44s
docker / lint (pull_request) Successful in 44s
lint / lint (pull_request) Successful in 42s
docker / docker (push) Successful in 46s
The repo already has a write:package REGISTRY_TOKEN secret (used by docker.yml). Reuse it for uv publish instead of requiring new GITEA_PACKAGE_* secrets: authenticate as GITHUB_ACTOR with the token as password. Update packaging docs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -2,8 +2,9 @@ name: publish
# Build the Python package with uv and publish it to the self-hosted Gitea PyPI
# registry on a version tag. Gated on lint + tests so a release can never ship
# red. Publishing uses least-privilege Gitea Actions secrets; if they are absent
# the job fails loudly instead of publishing anonymously.
# red. Publishing reuses the existing REGISTRY_TOKEN package secret (the same one
# docker.yml uses to push images); if it is absent the job fails loudly instead
# of publishing anonymously.
on:
push:
tags:
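Review bot: the rewritten header drops the "least-privilege" wording without stating what replaced it. REGISTRY_TOKEN is the same write:package credential docker.yml uses to push images, so a compromise of the PyPI publish job (for instance through a malicious build-time dependency) now also yields image-push capability. Either spell out that trade-off in the comment, or keep a separate write:package token for PyPI so each publish channel has its own credential and its own blast radius.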
@@ -73,12 +74,11 @@ jobs:
- name: Require publish credentials
shell: bash
env:
GITEA_PACKAGE_USER: ${{ secrets.GITEA_PACKAGE_USER }}
GITEA_PACKAGE_TOKEN: ${{ secrets.GITEA_PACKAGE_TOKEN }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
if [ -z "${GITEA_PACKAGE_USER}" ] || [ -z "${GITEA_PACKAGE_TOKEN}" ]; then
echo "::error::GITEA_PACKAGE_USER / GITEA_PACKAGE_TOKEN secrets are not set." >&2
echo "Configure a least-privilege PAT with write:package as Actions secrets." >&2
if [ -z "${REGISTRY_TOKEN}" ]; then
echo "::error::REGISTRY_TOKEN secret is not set." >&2
echo "Configure a PAT with write:package as the REGISTRY_TOKEN Actions secret." >&2
exit 1
fi

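Review bot: the gate now only checks that REGISTRY_TOKEN is non-empty, yet the publish step also depends on GITHUB_ACTOR being the owner of that token, and nothing here verifies that pairing. A release tag pushed by any collaborator other than the token owner passes this gate with a username/password combination the publish step does not expect. Suggest storing the username explicitly (a REGISTRY_USER secret or repository variable) and checking it here alongside the token, e.g. `if [ -z "${REGISTRY_TOKEN}" ] || [ -z "${REGISTRY_USER}" ]; then`, so the failure stays in this loud, early step.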
@@ -95,13 +95,15 @@ jobs:
- name: Publish to Gitea PyPI registry
shell: bash
env:
GITEA_PACKAGE_USER: ${{ secrets.GITEA_PACKAGE_USER }}
GITEA_PACKAGE_TOKEN: ${{ secrets.GITEA_PACKAGE_TOKEN }}
# Reuse the existing package secret (same one docker.yml uses). The
# token authenticates as its owning Gitea user, so GITHUB_ACTOR is the
# username and the token is the password.
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
uv publish \
--publish-url https://git.hiddenden.cafe/api/packages/Hiddenden/pypi \
--username "${GITEA_PACKAGE_USER}" \
--password "${GITEA_PACKAGE_TOKEN}"
--username "${GITHUB_ACTOR}" \
--password "${REGISTRY_TOKEN}"

# Optional second step to also publish to public PyPI lives behind its own
# secret. Intentionally left as a disabled stub — this pass does NOT push
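Review bot: the new comment ties the username to GITHUB_ACTOR, but GITHUB_ACTOR is whoever pushed the tag, not necessarily the account that owns the REGISTRY_TOKEN PAT, so the username/password pair is only correct while the token owner is the one cutting releases. Pin the username explicitly (a REGISTRY_USER secret or repository variable) rather than deriving it from the triggering event. Separately, `--password "${REGISTRY_TOKEN}"` puts the token on the command line where `set -x` output or a process listing can expose it; uv also reads `UV_PUBLISH_USERNAME` and `UV_PUBLISH_PASSWORD` from the environment, so setting those under `env:` and dropping the two flags keeps the secret out of argv.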