diff --git a/.github/workflows/build-linux-amd64.yml b/.github/workflows/build-linux-amd64.yml index d84a2cf..0d03b66 100644 --- a/.github/workflows/build-linux-amd64.yml +++ b/.github/workflows/build-linux-amd64.yml @@ -52,10 +52,11 @@ jobs: apt-get update apt-get install -y --no-install-recommends \ build-essential cmake ninja-build python3 python3-venv pkg-config \ - libssl-dev curl git ca-certificates jq + libssl-dev curl git ca-certificates - name: Preflight Gitea upload (fast-fail) env: GITEA_TOKEN: ${{ secrets.RELEASE_TOKEN }} + ACTOR: ${{ github.actor }} run: | set -euo pipefail : "${GITEA_TOKEN:?GITEA_TOKEN secret is required}" 
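Review bot: `ACTOR: ${{ github.actor }}` makes the Basic-auth username whoever triggered the run, while the password stays the fixed `RELEASE_TOKEN`; the removed code took the username from the token itself via `/api/v1/user`. Whether the registry requires the username to match the token's owner is not visible here, but if it does, runs started by another user, a bot or a schedule would fail to authenticate. Consider pinning the username to the token's account, e.g. `RELEASE_USER: ${{ secrets.RELEASE_USER }}` (placeholder name) with `auth_user="${RELEASE_USER:-$owner}"`. Keep passing it through `env:` rather than interpolating the expression into the script. The same applies to the `ACTOR` line added to the "Upload to Gitea Packages (generic)" step and to both `auth_user="${ACTOR:-$owner}"` assignments in the later hunks.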
@@ -76,62 +77,21 @@ jobs: server="$normalized_server" fi url="$server/api/packages/$owner/generic/$pkg/$version/$name?replace=1" - mask() { local s="$1"; local n=${#s}; if [ "$n" -le 8 ]; then printf "*** (len=%s)" "$n"; else printf "%s***%s (len=%s)" "${s:0:4}" "${s:n-4:4}" "$n"; fi; } - echo "Preflight variables:" - echo " server=$server" - echo " owner=$owner" - echo " package=$pkg" - echo " version=$version" - echo " url=$url" - echo " token=$(mask "$GITEA_TOKEN")" - echo "Validating token via /api/v1/user:" - curl -sS -L -o /dev/null -w " auth check -> HTTP %{http_code}\n" \ - -H "Authorization: token ${GITEA_TOKEN}" "$server/api/v1/user" || true - whoami_json=$(curl -sS -L -H "Authorization: token ${GITEA_TOKEN}" "$server/api/v1/user" || echo "") - auth_user=$(echo "$whoami_json" | jq -r '.login // empty') - if [ -z "$auth_user" ]; then auth_user="$owner"; fi - echo " auth user=$auth_user" - echo "Attempting preflight upload" - tmpdir_pf="$(mktemp -d)" - resp_headers_pf="$tmpdir_pf/headers.txt" - resp_body_pf="$tmpdir_pf/body.txt" - http_code=$(curl -sS -L -i -X PUT \ - -H "Authorization: token ${GITEA_TOKEN}" \ + auth_user="${ACTOR:-$owner}" + echo "Preflight: server=$server owner=$owner package=$pkg version=$version" + # Perform preflight upload using Basic auth directly + if curl -fS -L -X PUT \ + -u "$auth_user:${GITEA_TOKEN}" \ -H "Content-Type: application/octet-stream" \ - --upload-file "$tmpfile" "$url" \ - -D "$resp_headers_pf" -o "$resp_body_pf" -w "%{http_code}" || true) - echo "Preflight response HTTP code: $http_code" - echo "Preflight response headers:"; sed -n '1,200p' "$resp_headers_pf" | sed 's/\r$//' || true - if [ -s "$resp_body_pf" ]; then - echo "Preflight response body (first 200 bytes):"; head -c 200 "$resp_body_pf"; echo + --upload-file "$tmpfile" "$url" >/dev/null; then + echo "Preflight upload succeeded, cleaning up" + else + echo "Preflight upload failed" >&2 + exit 1 fi - case "$http_code" in - 401|301|302|303|307|308) - echo 
"Preflight got $http_code; retrying with HTTP Basic auth (owner:token)" ;; - *) ;; - esac - if [ "$http_code" = "401" ] || [ "$http_code" = "301" ] || [ "$http_code" = "302" ] || [ "$http_code" = "303" ] || [ "$http_code" = "307" ] || [ "$http_code" = "308" ]; then - http_code=$(curl -sS -L -i -X PUT \ - -u "$auth_user:${GITEA_TOKEN}" \ - -H "Content-Type: application/octet-stream" \ - --upload-file "$tmpfile" "$url" \ - -D "$resp_headers_pf" -o "$resp_body_pf" -w "%{http_code}" || true) - echo "Preflight retry HTTP code: $http_code" - echo "Preflight retry response headers:"; sed -n '1,200p' "$resp_headers_pf" | sed 's/\r$//' || true - if [ -s "$resp_body_pf" ]; then - echo "Preflight retry body (first 200 bytes):"; head -c 200 "$resp_body_pf"; echo - fi - fi - case "$http_code" in - 2*) echo "Preflight upload succeeded, cleaning up" ;; - *) echo "Preflight upload failed with HTTP $http_code" >&2; exit 1 ;; - esac # Cleanup the uploaded dummy package version (best effort) curl -sS -L -o /dev/null -w " delete -> HTTP %{http_code}\n" \ - -H "Authorization: token ${GITEA_TOKEN}" -X DELETE \ - "$server/api/packages/$owner/generic/$pkg/$version" || \ - curl -sS -L -o /dev/null -w " delete (basic) -> HTTP %{http_code}\n" \ - -u "$owner:${GITEA_TOKEN}" -X DELETE \ + -u "$auth_user:${GITEA_TOKEN}" -X DELETE \ "$server/api/packages/$owner/generic/$pkg/$version" || true - name: Initialize submodules run: | @@ -177,6 +137,7 @@ jobs: - name: Upload to Gitea Packages (generic) env: GITEA_TOKEN: ${{ secrets.RELEASE_TOKEN }} + ACTOR: ${{ github.actor }} run: | set -euo pipefail : "${GITEA_TOKEN:?GITEA_TOKEN secret is required}" 
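Review bot: The preflight `curl -fS -L -X PUT -u "$auth_user:${GITEA_TOKEN}"` sends the token as Basic credentials and follows redirects without restricting the scheme. How `$server` is derived lies outside this hunk, so nothing visible here stops an `http://` value (or, depending on the curl version, a downgrade redirect on the same host) from carrying the credentials in cleartext. Adding `--proto '=https' --proto-redir '=https'` to this call, to the cleanup `DELETE`, and to the upload `curl` in the last hunk would close that off. The step is labelled fast-fail but has no time limit, unlike the real upload's `--max-time 300`; a short `--max-time` would bound it.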
@@ -214,69 +175,17 @@ jobs: if [ -n "$normalized_server" ]; then server="$normalized_server" fi - # Determine authenticated username for Basic auth fallback - whoami_json=$(curl -sS -L -H "Authorization: token ${GITEA_TOKEN}" "$server/api/v1/user" || echo "") - auth_user=$(echo "$whoami_json" | jq -r '.login // empty') - if [ -z "$auth_user" ]; then auth_user="$owner"; fi + # Use the GitHub actor as basic auth username by default + auth_user="${ACTOR:-$owner}" name="$(basename "$file")" url="$server/api/packages/$owner/generic/$pkg/$version/$name?replace=1" - # Debug helpers (avoid leaking secrets) - mask() { local s="$1"; local n=${#s}; if [ "$n" -le 8 ]; then printf "*** (len=%s)" "$n"; else printf "%s***%s (len=%s)" "${s:0:4}" "${s:n-4:4}" "$n"; fi; } - filesize=$(stat -c%s "$file" 2>/dev/null || echo "?") - host="$(echo "$server" | sed -E 's#^https?://([^/]+).*#\1#')" - echo "Derived variables:" - echo " server=$server" - echo " owner=$owner" - echo " package=$pkg" - echo " version=$version" - echo " artifact=$file (size=${filesize} bytes, name=$name)" - echo " url=$url" - echo " token=$(mask "$GITEA_TOKEN")" - echo "Curl version:"; curl --version | head -n 1 - echo "DNS for $host:"; getent hosts "$host" || true - - echo "Checking API reachability (no auth):" - curl -sS -L -o /dev/null -w " /api/v1/version -> HTTP %{http_code}\n" "$server/api/v1/version" || true - - echo "Validating token via /api/v1/user:" - curl -sS -L -o /dev/null -w " auth check -> HTTP %{http_code}\n" \ - -H "Authorization: token ${GITEA_TOKEN}" "$server/api/v1/user" || true + echo "Uploading $file to $url" echo " auth user=$auth_user" - echo "Uploading $file to $url" - # Perform upload and capture response details without exposing token - tmpdir="$(mktemp -d)" - resp_headers="$tmpdir/headers.txt" - resp_body="$tmpdir/body.txt" - http_code=$(curl -sS -L -i -X PUT \ - -H "Authorization: token ${GITEA_TOKEN}" \ + # Use Basic auth directly (works with package registry) + curl -fS -L -X PUT \ 
+ -u "$auth_user:${GITEA_TOKEN}" \ -H "Content-Type: application/octet-stream" \ --retry 2 --retry-delay 2 --max-time 300 \ - --upload-file "$file" "$url" \ - -D "$resp_headers" -o "$resp_body" -w "%{http_code}" || true) - echo "Response HTTP code: $http_code" - echo "Response headers:"; sed -n '1,200p' "$resp_headers" | sed 's/\r$//' || true - if [ -s "$resp_body" ]; then - echo "Response body (first 200 bytes):"; head -c 200 "$resp_body"; echo - fi - - # If unauthorized or redirected, retry once using HTTP Basic auth (per Gitea docs) - if [ "$http_code" = "401" ] || [ "$http_code" = "403" ] || [ "$http_code" = "301" ] || [ "$http_code" = "302" ] || [ "$http_code" = "303" ] || [ "$http_code" = "307" ] || [ "$http_code" = "308" ]; then - echo "HTTP $http_code; retrying with HTTP Basic auth (auth_user:token)" - http_code=$(curl -sS -L -i -X PUT \ - -u "$auth_user:${GITEA_TOKEN}" \ - -H "Content-Type: application/octet-stream" \ - --retry 2 --retry-delay 2 --max-time 300 \ - --upload-file "$file" "$url" \ - -D "$resp_headers" -o "$resp_body" -w "%{http_code}" || true) - echo "Retry HTTP code: $http_code" - echo "Retry response headers:"; sed -n '1,200p' "$resp_headers" | sed 's/\r$//' || true - if [ -s "$resp_body" ]; then - echo "Retry response body (first 200 bytes):"; head -c 200 "$resp_body"; echo - fi - fi - - case "$http_code" in - 2*) echo "Upload complete." ;; - *) echo "Upload failed with HTTP $http_code" >&2; exit 1 ;; - esac \ No newline at end of file + --upload-file "$file" "$url" + echo "Upload complete." \ No newline at end of file
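Review bot: The upload publishes `$file` to a `?replace=1` URL without recording what was sent; the removed diagnostics at least logged the file size, and the new code logs only the path and URL. Adding `sha256sum "$file"` just before the `curl` puts a digest in the job log that the published package can later be checked against. Separately, `-f` discards the server's response body on an HTTP error, so a rejected upload leaves only curl's status line; `--fail-with-body` (curl 7.76 or newer) keeps the non-zero exit while still printing the server's reason.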