ci: reuse existing REGISTRY_TOKEN secret for package publish

The repo already has a write:package REGISTRY_TOKEN secret (used by docker.yml). Reuse it for uv publish instead of requiring new GITEA_PACKAGE_* secrets: authenticate as GITHUB_ACTOR with the token as password. Update packaging docs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 14:39:10 +02:00
parent 499bf98d92
commit c551b3cfc3
2 changed files with 19 additions and 16 deletions
@@ -2,8 +2,9 @@ name: publish

 # Build the Python package with uv and publish it to the self-hosted Gitea PyPI
 # registry on a version tag. Gated on lint + tests so a release can never ship
-# red. Publishing uses least-privilege Gitea Actions secrets; if they are absent
-# the job fails loudly instead of publishing anonymously.
+# red. Publishing reuses the existing REGISTRY_TOKEN package secret (the same one
+# docker.yml uses to push images); if it is absent the job fails loudly instead
+# of publishing anonymously.
 on:
  push:
    tags:
@@ -73,12 +74,11 @@ jobs:
      - name: Require publish credentials
        shell: bash
        env:
-          GITEA_PACKAGE_USER: ${{ secrets.GITEA_PACKAGE_USER }}
-          GITEA_PACKAGE_TOKEN: ${{ secrets.GITEA_PACKAGE_TOKEN }}
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
-          if [ -z "${GITEA_PACKAGE_USER}" ] || [ -z "${GITEA_PACKAGE_TOKEN}" ]; then
-            echo "::error::GITEA_PACKAGE_USER / GITEA_PACKAGE_TOKEN secrets are not set." >&2
-            echo "Configure a least-privilege PAT with write:package as Actions secrets." >&2
+          if [ -z "${REGISTRY_TOKEN}" ]; then
+            echo "::error::REGISTRY_TOKEN secret is not set." >&2
+            echo "Configure a PAT with write:package as the REGISTRY_TOKEN Actions secret." >&2
            exit 1
          fi

@@ -95,13 +95,15 @@ jobs:
      - name: Publish to Gitea PyPI registry
        shell: bash
        env:
-          GITEA_PACKAGE_USER: ${{ secrets.GITEA_PACKAGE_USER }}
-          GITEA_PACKAGE_TOKEN: ${{ secrets.GITEA_PACKAGE_TOKEN }}
+          # Reuse the existing package secret (same one docker.yml uses). The
+          # token authenticates as its owning Gitea user, so GITHUB_ACTOR is the
+          # username and the token is the password.
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          uv publish \
            --publish-url https://git.hiddenden.cafe/api/packages/Hiddenden/pypi \
-            --username "${GITEA_PACKAGE_USER}" \
-            --password "${GITEA_PACKAGE_TOKEN}"
+            --username "${GITHUB_ACTOR}" \
+            --password "${REGISTRY_TOKEN}"

      # Optional second step to also publish to public PyPI lives behind its own
      # secret. Intentionally left as a disabled stub — this pass does NOT push
@@ -66,15 +66,16 @@ first, builds with `uv`, and publishes to the Gitea PyPI registry.

 ### Required CI secrets

-The publish job uses Gitea Actions secrets — never hardcode credentials:
+The publish job reuses the **existing** `REGISTRY_TOKEN` Actions secret — the same
+PAT (`write:package`) that `docker.yml` uses to push images — so no new secret is
+needed. The token authenticates as its owning Gitea user, so `GITHUB_ACTOR` is the
+username and the token is the password.

 | Secret | Purpose |
 |--------|---------|
-| `GITEA_PACKAGE_USER` | Gitea username that owns the package |
-| `GITEA_PACKAGE_TOKEN` | least-privilege PAT with `write:package` |
+| `REGISTRY_TOKEN` | PAT with `write:package`; used for both image and package pushes |

-If either secret is absent the job fails loudly rather than publishing
-anonymously.
+If the secret is absent the job fails loudly rather than publishing anonymously.

 > Publishing to public PyPI is intentionally **not** configured. A second,
 > separately-gated `uv publish` step would be required and is left as a