From 13e9e88e0ef237494fc61436b9465af57e9c1a0b Mon Sep 17 00:00:00 2001
From: Andrew Noyes
Date: Fri, 12 Jun 2026 12:21:19 -0400
Subject: [PATCH] Pass registry credentials via env instead of script interpolation

Template interpolation embeds the secret in the generated script file; env indirection keeps it out of argv and off disk.
---
 .gitea/workflows/ci.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 03ef8a1..5f223b6 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -17,9 +17,12 @@ jobs:
 - uses: actions/checkout@v4
 - name: Log in to registry
+ env:
+ REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 run: |
- echo "${{ secrets.REGISTRY_TOKEN }}" \
- | docker login -u "${{ secrets.REGISTRY_USER }}" --password-stdin git.weaselab.dev
+ echo "$REGISTRY_TOKEN" \
+ | docker login -u "$REGISTRY_USER" --password-stdin git.weaselab.dev
 - name: Build and push image if changed
 run: |
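Review bot: The new `echo "$REGISTRY_TOKEN"` in the login step still lets the shell's `echo` reinterpret the secret: a token that begins with `-n` or `-e`, or that contains backslashes when the runner's shell is a POSIX `sh` rather than bash, would reach `docker login` altered and fail in a confusing way. `printf '%s' "$REGISTRY_TOKEN" \` passes the value through unchanged and, like the builtin `echo`, does not put it on any process command line. Separately, `docker login` normally stores the credential in the Docker client config, so if this job runs on a persistent or shared runner (not visible from this hunk) a final `docker logout git.weaselab.dev` step with `if: always()` would keep the token from outliving the job. The `Build and push image if changed` step's `run:` body continues outside the hunk.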