From 1ca5bcbc6bfad1c1511936bb859ca65c13826f64 Mon Sep 17 00:00:00 2001
From: Latte
Date: Sat, 27 Jun 2026 14:39:10 +0200
Subject: [PATCH] ci: reuse existing REGISTRY_TOKEN secret for package publish

The repo already has a write:package REGISTRY_TOKEN secret (used by docker.yml). Reuse it for uv publish instead of requiring new GITEA_PACKAGE_* secrets: authenticate as GITHUB_ACTOR with the token as password. Update packaging docs.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/publish.yml | 24 +++++++++++++-----------
 docs/packaging.md | 11 ++++++-----
 2 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/.gitea/workflows/publish.yml b/.gitea/workflows/publish.yml
index f5a482c..de98be7 100644
--- a/.gitea/workflows/publish.yml
+++ b/.gitea/workflows/publish.yml
@@ -2,8 +2,9 @@ name: publish
 # Build the Python package with uv and publish it to the self-hosted Gitea PyPI
 # registry on a version tag. Gated on lint + tests so a release can never ship
-# red. Publishing uses least-privilege Gitea Actions secrets; if they are absent
-# the job fails loudly instead of publishing anonymously.
+# red. Publishing reuses the existing REGISTRY_TOKEN package secret (the same one
+# docker.yml uses to push images); if it is absent the job fails loudly instead
+# of publishing anonymously.
 on:
 push:
 tags:
@@ -73,12 +74,11 @@ jobs:
 - name: Require publish credentials
 shell: bash
 env:
- GITEA_PACKAGE_USER: ${{ secrets.GITEA_PACKAGE_USER }}
- GITEA_PACKAGE_TOKEN: ${{ secrets.GITEA_PACKAGE_TOKEN }}
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 run: |
- if [ -z "${GITEA_PACKAGE_USER}" ] || [ -z "${GITEA_PACKAGE_TOKEN}" ]; then
- echo "::error::GITEA_PACKAGE_USER / GITEA_PACKAGE_TOKEN secrets are not set." >&2
- echo "Configure a least-privilege PAT with write:package as Actions secrets." >&2
+ if [ -z "${REGISTRY_TOKEN}" ]; then
+ echo "::error::REGISTRY_TOKEN secret is not set." >&2
+ echo "Configure a PAT with write:package as the REGISTRY_TOKEN Actions secret." >&2
 exit 1
 fi
@@ -95,13 +95,15 @@ jobs:
 - name: Publish to Gitea PyPI registry
 shell: bash
 env:
- GITEA_PACKAGE_USER: ${{ secrets.GITEA_PACKAGE_USER }}
- GITEA_PACKAGE_TOKEN: ${{ secrets.GITEA_PACKAGE_TOKEN }}
+ # Reuse the existing package secret (same one docker.yml uses). The
+ # token authenticates as its owning Gitea user, so GITHUB_ACTOR is the
+ # username and the token is the password.
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 run: |
 uv publish \
 --publish-url https://git.hiddenden.cafe/api/packages/Hiddenden/pypi \
- --username "${GITEA_PACKAGE_USER}" \
- --password "${GITEA_PACKAGE_TOKEN}"
+ --username "${GITHUB_ACTOR}" \
+ --password "${REGISTRY_TOKEN}"
 # Optional second step to also publish to public PyPI lives behind its own
 # secret. Intentionally left as a disabled stub — this pass does NOT push
diff --git a/docs/packaging.md b/docs/packaging.md
index 34fcba2..14f04da 100644
--- a/docs/packaging.md
+++ b/docs/packaging.md
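Review bot: The env comment in the publish hunk asserts that `GITHUB_ACTOR` is the right `--username` because the token authenticates as its owner, but those two identities are not the same thing: `GITHUB_ACTOR` is whoever pushed the tag, while `REGISTRY_TOKEN` belongs to one fixed Gitea account. If Gitea ignores the basic-auth username when the password is a valid access token (I believe it does), the package is published as the token owner regardless of who triggered the run and the username is merely nominal; if it instead requires a match, any actor other than the owner will fail at publish time. Either way the comment should say so explicitly, e.g. `# The basic-auth username is nominal: the registry resolves identity from the token, so uploads appear as the token owner, not the actor.`, or the username should be pinned to the owner rather than the actor. The credential guard in the earlier hunk (`Require publish credentials`) checks only `REGISTRY_TOKEN`; since `GITHUB_ACTOR` is now a publish input, `if [ -z "${REGISTRY_TOKEN}" ] || [ -z "${GITHUB_ACTOR}" ]; then` would fail loudly there too instead of handing uv an empty username. Both steps sit inside the job under `jobs:`, whose definition starts before these hunks.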
@@ -66,15 +66,16 @@ first, builds with `uv`, and publishes to the Gitea PyPI registry.
 ### Required CI secrets
-The publish job uses Gitea Actions secrets — never hardcode credentials:
+The publish job reuses the **existing** `REGISTRY_TOKEN` Actions secret — the same
+PAT (`write:package`) that `docker.yml` uses to push images — so no new secret is
+needed. The token authenticates as its owning Gitea user, so `GITHUB_ACTOR` is the
+username and the token is the password.
 | Secret | Purpose |
 |--------|---------|
-| `GITEA_PACKAGE_USER` | Gitea username that owns the package |
-| `GITEA_PACKAGE_TOKEN` | least-privilege PAT with `write:package` |
+| `REGISTRY_TOKEN` | PAT with `write:package`; used for both image and package pushes |
-If either secret is absent the job fails loudly rather than publishing
-anonymously.
+If the secret is absent the job fails loudly rather than publishing anonymously.
 > Publishing to public PyPI is intentionally **not** configured. A second,
 > separately-gated `uv publish` step would be required and is left as a
-- 
2.52.0