From 3481b914b1f91cc5cdac42ff33b9307d35cc04e0 Mon Sep 17 00:00:00 2001
From: Eric Liu
Date: Sat, 13 Sep 2025 17:20:04 +0000
Subject: [PATCH] Refactor GitHub Actions workflow for Gitea Packages: update to use RELEASE_TOKEN for authentication, enhance server URL normalization, and improve error handling for HTTP responses during uploads.
---
 .github/workflows/build-linux-amd64.yml | 28 +++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-linux-amd64.yml b/.github/workflows/build-linux-amd64.yml
index f79fc01..12d3805 100644
--- a/.github/workflows/build-linux-amd64.yml
+++ b/.github/workflows/build-linux-amd64.yml
@@ -55,7 +55,7 @@ jobs:
 libssl-dev curl git ca-certificates jq
 - name: Preflight Gitea upload (fast-fail)
 env:
- GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+ GITEA_TOKEN: ${{ secrets.RELEASE_TOKEN }}
 run: |
 set -euo pipefail
 : "${GITEA_TOKEN:?GITEA_TOKEN secret is required}"
@@ -87,6 +87,10 @@ jobs:
 echo "Validating token via /api/v1/user:"
 curl -sS -L -o /dev/null -w " auth check -> HTTP %{http_code}\n" \
 -H "Authorization: token ${GITEA_TOKEN}" "$server/api/v1/user" || true
+ whoami_json=$(curl -sS -L -H "Authorization: token ${GITEA_TOKEN}" "$server/api/v1/user" || echo "")
+ auth_user=$(echo "$whoami_json" | jq -r '.login // empty')
+ if [ -z "$auth_user" ]; then auth_user="$owner"; fi
+ echo " auth user=$auth_user"
 echo "Attempting preflight upload"
 tmpdir_pf="$(mktemp -d)"
 resp_headers_pf="$tmpdir_pf/headers.txt"
@@ -108,7 +112,7 @@ jobs:
 esac
 if [ "$http_code" = "401" ] || [ "$http_code" = "301" ] || [ "$http_code" = "302" ] || [ "$http_code" = "303" ] || [ "$http_code" = "307" ] || [ "$http_code" = "308" ]; then
 http_code=$(curl -sS -L -i -X PUT \
- -u "$owner:${GITEA_TOKEN}" \
+ -u "$auth_user:${GITEA_TOKEN}" \
 -H "Content-Type: application/octet-stream" \
 --upload-file "$tmpfile" "$url" \
 -D "$resp_headers_pf" -o "$resp_body_pf" -w "%{http_code}" || true)
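Review bot: The guard on the context line in the hunk at -55,7 still reports `GITEA_TOKEN secret is required`, but after this change the value comes from `secrets.RELEASE_TOKEN`, so an operator who sees the failure will go and set the wrong secret. Name the real source in the message, `: "${GITEA_TOKEN:?RELEASE_TOKEN secret is required}"`. If RELEASE_TOKEN is shared with release publishing it presumably carries more than package-write scope; a comment above the `env:` entry stating the scopes this step needs would make that reviewable. The run script continues outside the hunk.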
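Review bot: The `.login // empty` lookup added in the hunk at -87,6 can abort the step instead of falling back to `$owner`. This script appears to run under the `set -euo pipefail` visible in the first hunk, so when `/api/v1/user` returns a body that is not a JSON object (a proxy error page, for example) `jq` exits non-zero, the assignment fails and the `if [ -z "$auth_user" ]` fallback is never reached. Make the parse tolerant, `auth_user=$(printf '%s' "$whoami_json" | jq -r '.login // empty' 2>/dev/null || true)`. The same three lines are repeated in the upload step (hunk at -203,6 +207,17). The endpoint is also now requested twice in a row with the token, once for the status code and once for the body; a single request could serve both.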
@@ -203,6 +207,17 @@ jobs:
 [ -n "$pkg" ] || { echo "pkg not set" >&2; exit 1; }
 [ -n "$version" ] || { echo "version not set" >&2; exit 1; }
 [ -n "$file" ] || { echo "file not set" >&2; exit 1; }
+ # Normalize server using effective URL of /api/v1/version (handles http->https)
+ base_no_trail="$(echo "$server" | sed 's#/*$##')"
+ effective_version_url=$(curl -sS -L -o /dev/null -w '%{url_effective}' "$base_no_trail/api/v1/version" || echo "")
+ normalized_server=$(echo "$effective_version_url" | sed -E 's#^(https?://[^/]+).*$#\1#')
+ if [ -n "$normalized_server" ]; then
+ server="$normalized_server"
+ fi
+ # Determine authenticated username for Basic auth fallback
+ whoami_json=$(curl -sS -L -H "Authorization: token ${GITEA_TOKEN}" "$server/api/v1/user" || echo "")
+ auth_user=$(echo "$whoami_json" | jq -r '.login // empty')
+ if [ -z "$auth_user" ]; then auth_user="$owner"; fi
 name="$(basename "$file")"
 url="$server/api/packages/$owner/generic/$pkg/$version/$name?replace=1"
 # Debug helpers (avoid leaking secrets)
@@ -224,8 +239,9 @@ jobs:
 curl -sS -L -o /dev/null -w " /api/v1/version -> HTTP %{http_code}\n" "$server/api/v1/version" || true
 echo "Validating token via /api/v1/user:"
- curl -sS -o /dev/null -w " auth check -> HTTP %{http_code}\n" \
+ curl -sS -L -o /dev/null -w " auth check -> HTTP %{http_code}\n" \
 -H "Authorization: token ${GITEA_TOKEN}" "$server/api/v1/user" || true
+ echo " auth user=$auth_user"
 echo "Uploading $file to $url"
 # Perform upload and capture response details without exposing token
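Review bot: The normalization block in the hunk at -203,6 lets an unauthenticated, redirect-following request decide where the token is sent: whatever origin `/api/v1/version` finally resolves to becomes `$server`, and the `https?` pattern also accepts a plain-http result. Every later `Authorization: token` and `-u` request then goes to that origin, so a redirect on the initial hop (or a misconfigured proxy) can move the credential to a host the workflow was never configured for. Accept the effective URL only when it is https and its host equals the configured one, and restrict redirects to https; otherwise keep `$server` as configured. The enclosing run script starts and ends outside the hunk.

```yaml
# … unchanged: pkg/version/file checks …
base_no_trail="$(echo "$server" | sed 's#/*$##')"
configured_host="$(echo "$base_no_trail" | sed -E 's#^https?://([^/]+).*$#\1#')"
effective_version_url=$(curl -sS -L --proto-redir '=https' -o /dev/null -w '%{url_effective}' "$base_no_trail/api/v1/version" || echo "")
normalized_server=$(echo "$effective_version_url" | sed -E 's#^(https://[^/]+).*$#\1#')
# Only an https upgrade of the configured host is accepted; a redirect must not choose where the token goes
if [ "$normalized_server" = "https://$configured_host" ]; then
  server="$normalized_server"
fi
# … unchanged: whoami lookup, name/url assignment …
```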
@@ -245,10 +261,10 @@ jobs:
 fi
 # If unauthorized or redirected, retry once using HTTP Basic auth (per Gitea docs)
- if [ "$http_code" = "401" ] || [ "$http_code" = "301" ] || [ "$http_code" = "302" ] || [ "$http_code" = "303" ] || [ "$http_code" = "307" ] || [ "$http_code" = "308" ]; then
- echo "HTTP $http_code; retrying with HTTP Basic auth (owner:token)"
+ if [ "$http_code" = "401" ] || [ "$http_code" = "403" ] || [ "$http_code" = "301" ] || [ "$http_code" = "302" ] || [ "$http_code" = "303" ] || [ "$http_code" = "307" ] || [ "$http_code" = "308" ]; then
+ echo "HTTP $http_code; retrying with HTTP Basic auth (auth_user:token)"
 http_code=$(curl -sS -L -i -X PUT \
- -u "$owner:${GITEA_TOKEN}" \
+ -u "$auth_user:${GITEA_TOKEN}" \
 -H "Content-Type: application/octet-stream" \
 --retry 2 --retry-delay 2 --max-time 300 \
 --upload-file "$file" "$url" \
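Review bot: Adding `403` to the retry condition resends the same token under Basic auth after the server has already refused it. A 403 presumably means the token lacks permission rather than that the auth scheme was wrong, so the retry is unlikely to succeed and the real cause ends up hidden behind a second failure. Consider keeping the retry for 401 and the redirect codes and failing fast on 403, for example `echo "HTTP 403: RELEASE_TOKEN lacks permission to write packages for $owner" >&2; exit 1`. The preflight retry (hunk at -108,7) does not include 403, so the two steps now disagree on which responses trigger the fallback. The curl invocation continues past the end of this hunk.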