From 6eecf6e4ac764763a7b785701c274b2a21d682ef Mon Sep 17 00:00:00 2001
From: Andrew Noyes
Date: Fri, 12 Jun 2026 11:15:51 -0400
Subject: [PATCH] Use a registry bot account for the container registry
Gitea's ephemeral Actions token is not accepted by the container registry, so docker login and image pulls use REGISTRY_USER / REGISTRY_TOKEN secrets (a dedicated low-privilege account and its personal access token with package read/write scope) instead.
---
 .gitea/workflows/ci.yml | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 53b0a30..49db030 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -17,7 +17,9 @@ jobs:
 - uses: actions/checkout@v4
 - name: Log in to registry
- run: docker login -u ${{ gitea.actor }} -p ${{ secrets.GITHUB_TOKEN }} git.weaselab.dev
+ run: |
+ echo "${{ secrets.REGISTRY_TOKEN }}" \
+ | docker login -u "${{ secrets.REGISTRY_USER }}" --password-stdin git.weaselab.dev
 - name: Build and push image if changed
 run: |
@@ -44,8 +46,8 @@ jobs:
 container:
 image: git.weaselab.dev/weaselab/conflict-set-ci:latest-amd64
 credentials:
- username: ${{ gitea.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 steps:
 - uses: actions/checkout@v4
@@ -75,8 +77,8 @@ jobs:
 container:
 image: git.weaselab.dev/weaselab/conflict-set-ci:latest-amd64
 credentials:
- username: ${{ gitea.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 steps:
 - uses: actions/checkout@v4
@@ -127,8 +129,8 @@ jobs:
 container:
 image: git.weaselab.dev/weaselab/conflict-set-ci:latest-${{ matrix.arch }}
 credentials:
- username: ${{ gitea.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 steps:
 - uses: actions/checkout@v4
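Review bot: In the new `Log in to registry` step, `${{ secrets.REGISTRY_TOKEN }}` and `${{ secrets.REGISTRY_USER }}` are substituted into the script text before the shell parses it, so the token is written into the generated script and any quote, `$`, backtick or backslash it contains is interpreted by the shell. Passing both values through the step's `env:` and expanding them as shell variables keeps them out of the script body, and `printf '%s'` avoids `echo`'s treatment of backslashes and leading dashes. Because the credential is now a long-lived personal access token rather than an ephemeral one, the copy that `docker login` leaves in the Docker client config matters more. If the runner is not discarded after each run (not visible from this hunk), a final `docker logout git.weaselab.dev` step with `if: always()` would cover that.

```yaml
      - name: Log in to registry
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          printf '%s' "$REGISTRY_TOKEN" \
            | docker login -u "$REGISTRY_USER" --password-stdin git.weaselab.dev
      # … unchanged: "Build and push image if changed" step …
```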
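Review bot: The `container.credentials` blocks in this hunk and in the hunks at -75, -127 and -188 only need to pull `conflict-set-ci`, yet they receive the same `REGISTRY_TOKEN` that the commit message describes as having package read/write scope. A separate read-only token for these pull-only jobs, for example `password: ${{ secrets.REGISTRY_PULL_TOKEN }}` (a secret name to be created, not one defined by this change), would leave the write-capable token reachable only from the job that pushes the image. Whether these jobs ever run code from untrusted branches is not visible here, and each job definition starts and ends outside its hunk, so treat this as least-privilege hardening rather than a confirmed exposure. A short comment above the first `credentials:` block, such as `# REGISTRY_USER / REGISTRY_TOKEN: dedicated registry bot account, package scope only`, would also help whoever rotates the secrets.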
@@ -188,8 +190,8 @@ jobs:
 container:
 image: git.weaselab.dev/weaselab/conflict-set-ci:latest-amd64
 credentials:
- username: ${{ gitea.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 steps:
 - uses: actions/checkout@v4