From e4578593d14b0dc5a1f504d3820f7473784517c4 Mon Sep 17 00:00:00 2001 From: Bryan Van Deusen Date: Sun, 10 May 2026 21:33:10 -0400 Subject: [PATCH] ci: unify REGISTRY_TOKEN + RELEASE_TOKEN into a single CI_TOKEN secret MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Both prior secrets did related work (one for registry push, one for release asset I/O) and required separate Forgejo PATs to manage. Replacing with a single CI_TOKEN keyed off a single PAT with the union of scopes (write:repository + write:package). - flutter.yml: APK attach step → CI_TOKEN - release.yml: docker login → CI_TOKEN; APK fetch step → CI_TOKEN No behavior change — same calls, single secret name. Operator needs to set CI_TOKEN in repo settings (Actions → Secrets) with a PAT that has write:repository + write:package; the prior REGISTRY_TOKEN / RELEASE_TOKEN secrets can be removed. Co-Authored-By: Claude Opus 4.7 (1M context) --- .forgejo/workflows/flutter.yml | 11 ++++++----- .forgejo/workflows/release.yml | 6 +++--- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.forgejo/workflows/flutter.yml b/.forgejo/workflows/flutter.yml index 960af0cd..c9b1eff8 100644 --- a/.forgejo/workflows/flutter.yml +++ b/.forgejo/workflows/flutter.yml @@ -87,14 +87,15 @@ jobs: if: startsWith(github.ref, 'refs/tags/v') shell: bash env: - RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }} + CI_TOKEN: ${{ secrets.CI_TOKEN }} run: | TAG="${GITHUB_REF#refs/tags/}" REPO="${GITHUB_REPOSITORY}" - # Look up the release ID for this tag (release must exist already; - # release.yml creates it as part of the server-side release flow). + # Look up the release ID for this tag. The release object must + # exist already — operator creates it (or release.yml will, in + # a future enhancement) before pushing the tag. RELEASE_ID=$(curl -fsSL \ - -H "Authorization: token ${RELEASE_TOKEN}" \ + -H "Authorization: token ${CI_TOKEN}" \ "https://git.fabledsword.com/api/v1/repos/${REPO}/releases/tags/${TAG}" \ | grep -oP '"id":\s*\K[0-9]+' | head -1) if [ -z "${RELEASE_ID}" ]; then @@ -102,6 +103,6 @@ jobs: exit 1 fi curl -fsSL \ - -H "Authorization: token ${RELEASE_TOKEN}" \ + -H "Authorization: token ${CI_TOKEN}" \ -F "attachment=@build/app/outputs/flutter-apk/app-release.apk" \ "https://git.fabledsword.com/api/v1/repos/${REPO}/releases/${RELEASE_ID}/assets?name=minstrel-${TAG}.apk" diff --git a/.forgejo/workflows/release.yml b/.forgejo/workflows/release.yml index d7da91b8..d5902ea0 100644 --- a/.forgejo/workflows/release.yml +++ b/.forgejo/workflows/release.yml @@ -60,7 +60,7 @@ jobs: if: steps.guard.outputs.ready == 'true' shell: bash run: | - echo "${{ secrets.REGISTRY_TOKEN }}" \ + echo "${{ secrets.CI_TOKEN }}" \ | docker login git.fabledsword.com -u "${{ github.actor }}" --password-stdin # In-app update flow (#397): on tag pushes only, fetch the APK @@ -72,14 +72,14 @@ jobs: if: steps.guard.outputs.ready == 'true' && startsWith(github.ref, 'refs/tags/v') shell: bash env: - RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }} + CI_TOKEN: ${{ secrets.CI_TOKEN }} run: | TAG="${GITHUB_REF#refs/tags/}" REPO="${GITHUB_REPOSITORY}" APK_URL="https://git.fabledsword.com/${REPO}/releases/download/${TAG}/minstrel-${TAG}.apk" echo "Polling ${APK_URL} (up to 15 min for flutter.yml to attach)..." for i in $(seq 1 30); do - if curl -fsSL -H "Authorization: token ${RELEASE_TOKEN}" \ + if curl -fsSL -H "Authorization: token ${CI_TOKEN}" \ -o client/minstrel.apk "$APK_URL"; then echo "Got APK on attempt $i" echo "${TAG}" > client/minstrel.apk.version