From 63c713dab0645cec0795cf95dc9821fe2a2b9f31 Mon Sep 17 00:00:00 2001
From: Eric Liu <eric@ericxliu.me>
Date: Sat, 13 Sep 2025 17:15:49 +0000
Subject: [PATCH] Enhance GitHub Actions workflow for Gitea Packages by adding
 jq to dependencies, improving server URL normalization, and refining error
 handling for preflight uploads with support for HTTP redirects.

---
 .github/workflows/build-linux-amd64.yml | 58 +++++++++++++++++--------
 1 file changed, 41 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/build-linux-amd64.yml b/.github/workflows/build-linux-amd64.yml
index 4d06cca..f79fc01 100644
--- a/.github/workflows/build-linux-amd64.yml
+++ b/.github/workflows/build-linux-amd64.yml
@@ -52,7 +52,7 @@ jobs:
           apt-get update
           apt-get install -y --no-install-recommends \
             build-essential cmake ninja-build python3 python3-venv pkg-config \
-            libssl-dev curl git ca-certificates
+            libssl-dev curl git ca-certificates jq
       - name: Preflight Gitea upload (fast-fail)
         env:
           GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
@@ -67,6 +67,14 @@ jobs:
           name="check.bin"
           tmpfile="$(mktemp)"
           printf "auth check %s\n" "$(date -u +%FT%TZ)" > "$tmpfile"
+          # Normalize server to effective scheme+host (handles http->https redirects)
+          base_no_trail="$(echo "$server" | sed 's#/*$##')"
+          # Use GET (not HEAD) to avoid servers that don't support HEAD on this endpoint
+          effective_version_url=$(curl -sS -L -o /dev/null -w '%{url_effective}' "$base_no_trail/api/v1/version" || echo "")
+          normalized_server=$(echo "$effective_version_url" | sed -E 's#^(https?://[^/]+).*$#\1#')
+          if [ -n "$normalized_server" ]; then
+            server="$normalized_server"
+          fi
           url="$server/api/packages/$owner/generic/$pkg/$version/$name?replace=1"
           mask() { local s="$1"; local n=${#s}; if [ "$n" -le 8 ]; then printf "*** (len=%s)" "$n"; else printf "%s***%s (len=%s)" "${s:0:4}" "${s:n-4:4}" "$n"; fi; }
           echo "Preflight variables:"
@@ -77,32 +85,48 @@ jobs:
           echo "  url=$url"
           echo "  token=$(mask "$GITEA_TOKEN")"
           echo "Validating token via /api/v1/user:"
-          curl -sS -o /dev/null -w "  auth check -> HTTP %{http_code}\n" \
+          curl -sS -L -o /dev/null -w "  auth check -> HTTP %{http_code}\n" \
             -H "Authorization: token ${GITEA_TOKEN}" "$server/api/v1/user" || true
           echo "Attempting preflight upload"
-          http_code=$(curl -sS -i -X PUT \
+          tmpdir_pf="$(mktemp -d)"
+          resp_headers_pf="$tmpdir_pf/headers.txt"
+          resp_body_pf="$tmpdir_pf/body.txt"
+          http_code=$(curl -sS -L -i -X PUT \
             -H "Authorization: token ${GITEA_TOKEN}" \
             -H "Content-Type: application/octet-stream" \
             --upload-file "$tmpfile" "$url" \
-            -o /dev/null -w "%{http_code}" || true)
-          if [ "$http_code" = "401" ]; then
-            echo "401 Unauthorized with token header; retrying with HTTP Basic auth (owner:token)"
-            http_code=$(curl -sS -i -X PUT \
+            -D "$resp_headers_pf" -o "$resp_body_pf" -w "%{http_code}" || true)
+          echo "Preflight response HTTP code: $http_code"
+          echo "Preflight response headers:"; sed -n '1,200p' "$resp_headers_pf" | sed 's/\r$//' || true
+          if [ -s "$resp_body_pf" ]; then
+            echo "Preflight response body (first 200 bytes):"; head -c 200 "$resp_body_pf"; echo
+          fi
+          case "$http_code" in
+            401|301|302|303|307|308)
+              echo "Preflight got $http_code; retrying with HTTP Basic auth (owner:token)" ;;
+            *) ;;
+          esac
+          if [ "$http_code" = "401" ] || [ "$http_code" = "301" ] || [ "$http_code" = "302" ] || [ "$http_code" = "303" ] || [ "$http_code" = "307" ] || [ "$http_code" = "308" ]; then
+            http_code=$(curl -sS -L -i -X PUT \
               -u "$owner:${GITEA_TOKEN}" \
               -H "Content-Type: application/octet-stream" \
               --upload-file "$tmpfile" "$url" \
-              -o /dev/null -w "%{http_code}" || true)
+              -D "$resp_headers_pf" -o "$resp_body_pf" -w "%{http_code}" || true)
+            echo "Preflight retry HTTP code: $http_code"
+            echo "Preflight retry response headers:"; sed -n '1,200p' "$resp_headers_pf" | sed 's/\r$//' || true
+            if [ -s "$resp_body_pf" ]; then
+              echo "Preflight retry body (first 200 bytes):"; head -c 200 "$resp_body_pf"; echo
+            fi
           fi
-          echo "Preflight HTTP $http_code"
           case "$http_code" in
             2*) echo "Preflight upload succeeded, cleaning up" ;;
             *) echo "Preflight upload failed with HTTP $http_code" >&2; exit 1 ;;
           esac
           # Cleanup the uploaded dummy package version (best effort)
-          curl -sS -o /dev/null -w "  delete -> HTTP %{http_code}\n" \
+          curl -sS -L -o /dev/null -w "  delete -> HTTP %{http_code}\n" \
             -H "Authorization: token ${GITEA_TOKEN}" -X DELETE \
             "$server/api/packages/$owner/generic/$pkg/$version" || \
-          curl -sS -o /dev/null -w "  delete (basic) -> HTTP %{http_code}\n" \
+          curl -sS -L -o /dev/null -w "  delete (basic) -> HTTP %{http_code}\n" \
             -u "$owner:${GITEA_TOKEN}" -X DELETE \
             "$server/api/packages/$owner/generic/$pkg/$version" || true
       - name: Initialize submodules
@@ -197,7 +221,7 @@ jobs:
           echo "DNS for $host:"; getent hosts "$host" || true
 
           echo "Checking API reachability (no auth):"
-          curl -sS -o /dev/null -w "  /api/v1/version -> HTTP %{http_code}\n" "$server/api/v1/version" || true
+          curl -sS -L -o /dev/null -w "  /api/v1/version -> HTTP %{http_code}\n" "$server/api/v1/version" || true
 
           echo "Validating token via /api/v1/user:"
           curl -sS -o /dev/null -w "  auth check -> HTTP %{http_code}\n" \
@@ -208,7 +232,7 @@ jobs:
           tmpdir="$(mktemp -d)"
           resp_headers="$tmpdir/headers.txt"
           resp_body="$tmpdir/body.txt"
-          http_code=$(curl -sS -i -X PUT \
+          http_code=$(curl -sS -L -i -X PUT \
             -H "Authorization: token ${GITEA_TOKEN}" \
             -H "Content-Type: application/octet-stream" \
             --retry 2 --retry-delay 2 --max-time 300 \
@@ -220,10 +244,10 @@ jobs:
             echo "Response body (first 200 bytes):"; head -c 200 "$resp_body"; echo
           fi
 
-          # If unauthorized, retry once using HTTP Basic auth (per Gitea docs)
-          if [ "$http_code" = "401" ]; then
-            echo "401 Unauthorized with token header; retrying with HTTP Basic auth (owner:token)"
-            http_code=$(curl -sS -i -X PUT \
+          # If unauthorized or redirected, retry once using HTTP Basic auth (per Gitea docs)
+          if [ "$http_code" = "401" ] || [ "$http_code" = "301" ] || [ "$http_code" = "302" ] || [ "$http_code" = "303" ] || [ "$http_code" = "307" ] || [ "$http_code" = "308" ]; then
+            echo "HTTP $http_code; retrying with HTTP Basic auth (owner:token)"
+            http_code=$(curl -sS -L -i -X PUT \
               -u "$owner:${GITEA_TOKEN}" \
               -H "Content-Type: application/octet-stream" \
               --retry 2 --retry-delay 2 --max-time 300 \