fix(ci): require explicit registry credentials

.gitea/workflows/release.yml

@@ -17,10 +17,10 @@ jobs:
       GITEA_SERVER_URL: ${{ gitea.server_url }}
       GITEA_REPOSITORY: ${{ gitea.repository }}
       GITEA_SHA: ${{ gitea.sha }}
-      GITEA_ACTOR: ${{ gitea.actor }}
       GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
       GITEA_REGISTRY: ${{ secrets.GITEA_REGISTRY }}
       GITEA_REGISTRY_USERNAME: ${{ secrets.GITEA_REGISTRY_USERNAME }}
+      GITEA_REGISTRY_TOKEN: ${{ secrets.GITEA_REGISTRY_TOKEN }}
       GITEA_PACKAGE_NAMESPACE: ${{ secrets.GITEA_PACKAGE_NAMESPACE }}
 
     steps:
@@ -52,7 +52,8 @@ jobs:
 
           registry_username="${GITEA_REGISTRY_USERNAME}"
           if [ -z "$registry_username" ]; then
-            registry_username="${GITEA_ACTOR}"
+            echo "The repository secret GITEA_REGISTRY_USERNAME is required for container registry login."
+            exit 1
           fi
 
           image_ref="${registry_host}/${package_namespace}/${app_name}"
@@ -71,10 +72,22 @@ jobs:
           set -euo pipefail
 
           if [ -z "$GITEA_TOKEN" ]; then
-            echo "The repository secret GITEA_TOKEN is required to publish releases and packages."
+            echo "The repository secret GITEA_TOKEN is required to publish releases."
             exit 1
           fi
 
+          registry_token="${GITEA_REGISTRY_TOKEN}"
+          if [ -z "$registry_token" ]; then
+            registry_token="${GITEA_TOKEN}"
+          fi
+
+          if [ -z "$GITEA_REGISTRY_USERNAME" ]; then
+            echo "The repository secret GITEA_REGISTRY_USERNAME is required to publish container packages."
+            exit 1
+          fi
+
+          echo "REGISTRY_TOKEN=${registry_token}" >> "$GITHUB_ENV"
+
       - name: Install release dependencies
         shell: bash
         run: |
@@ -86,7 +99,7 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          printf '%s' "$GITEA_TOKEN" | docker login "$REGISTRY_HOST" --username "$REGISTRY_USERNAME" --password-stdin
+          printf '%s' "$REGISTRY_TOKEN" | docker login "$REGISTRY_HOST" --username "$REGISTRY_USERNAME" --password-stdin
 
       - name: Build container image
         shell: bash

README.md

@@ -93,7 +93,9 @@ MAINTAINARR_REFRESH_CRON=@every 5s
 - Optional secret: `GITEA_REGISTRY`
   Defaults to the host from `gitea.server_url`
 - Optional secret: `GITEA_REGISTRY_USERNAME`
-  Defaults to `gitea.actor`
+  Required for container registry login
+- Optional secret: `GITEA_REGISTRY_TOKEN`
+  Defaults to `GITEA_TOKEN`
 - Optional secret: `GITEA_PACKAGE_NAMESPACE`
   Defaults to the repository owner from `gitea.repository`