Refactor GitHub Actions workflow for Gitea Packages: streamline preflight upload process, enhance authentication handling using GitHub actor, and remove redundant debug outputs for improved clarity.

.github/workflows/build-linux-amd64.yml

@@ -6,6 +6,8 @@ on:
         description: Package version (defaults to tag name or short SHA)
         required: false
   push:
+    branches:
+      - main
     tags:
       - 'v*'
 
@@ -16,6 +18,33 @@ jobs:
       EXTENSION_NAME: ui
       DUCKDB_PLATFORM: linux_amd64
     steps:
+      - name: Checkout repository (manual)
+        env:
+          TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          set -euo pipefail
+          if [ -d .git ]; then
+            echo "Repository already present"
+          else
+            server="${GITHUB_SERVER_URL:-${{ github.server_url }}}"
+            repo_full="${GITHUB_REPOSITORY:-${{ github.repository }}}"
+            sha="${GITHUB_SHA:-${{ github.sha }}}"
+            host="$(echo "$server" | sed -E 's#^https?://([^/]+).*#\1#')"
+            if [ -n "${TOKEN:-}" ]; then
+              umask 077
+              printf "machine %s\n  login token\n  password %s\n" "$host" "$TOKEN" > "$HOME/.netrc"
+            fi
+            git init .
+            git config --global --add safe.directory "$(pwd)"
+            git remote add origin "$server/$repo_full.git"
+            git -c http.https://$host/.extraheader="" fetch --depth=1 origin "$sha"
+            git checkout -q FETCH_HEAD
+          fi
+
+      - name: Show workspace status
+        run: |
+          set -e
+          git --no-pager status | cat
       - name: Install build dependencies
         run: |
           set -e
@@ -24,9 +53,139 @@ jobs:
           apt-get install -y --no-install-recommends \
             build-essential cmake ninja-build python3 python3-venv pkg-config \
             libssl-dev curl git ca-certificates
-# ... submodule init, build release, find artifact ...
+      - name: Preflight Gitea upload (fast-fail)
+        env:
+          GITEA_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          ACTOR: ${{ github.actor }}
+        run: |
+          set -euo pipefail
+          : "${GITEA_TOKEN:?GITEA_TOKEN secret is required}"
+          server="${GITHUB_SERVER_URL:-${{ github.server_url }}}"
+          owner="${GITHUB_REPOSITORY_OWNER:-${{ github.repository_owner }}}"
+          repo_full="${GITHUB_REPOSITORY:-${{ github.repository }}}"
+          pkg="${repo_full##*/}-preflight"
+          version="preflight-${GITHUB_RUN_ID:-0}-${GITHUB_RUN_ATTEMPT:-0}-$(date +%s)"
+          name="check.bin"
+          tmpfile="$(mktemp)"
+          printf "auth check %s\n" "$(date -u +%FT%TZ)" > "$tmpfile"
+          # Normalize server to effective scheme+host (handles http->https redirects)
+          base_no_trail="$(echo "$server" | sed 's#/*$##')"
+          # Use GET (not HEAD) to avoid servers that don't support HEAD on this endpoint
+          effective_version_url=$(curl -sS -L -o /dev/null -w '%{url_effective}' "$base_no_trail/api/v1/version" || echo "")
+          normalized_server=$(echo "$effective_version_url" | sed -E 's#^(https?://[^/]+).*$#\1#')
+          if [ -n "$normalized_server" ]; then
+            server="$normalized_server"
+          fi
+          url="$server/api/packages/$owner/generic/$pkg/$version/$name?replace=1"
+          auth_user="${ACTOR:-$owner}"
+          echo "Preflight: server=$server owner=$owner package=$pkg version=$version"
+          # Perform preflight upload using Basic auth directly
+          if curl -fS -L -X PUT \
+            -u "$auth_user:${GITEA_TOKEN}" \
+            -H "Content-Type: application/octet-stream" \
+            --upload-file "$tmpfile" "$url" >/dev/null; then
+            echo "Preflight upload succeeded, cleaning up"
+          else
+            echo "Preflight upload failed" >&2
+            exit 1
+          fi
+          # Cleanup the uploaded dummy package version (best effort)
+          curl -sS -L -o /dev/null -w "  delete -> HTTP %{http_code}\n" \
+            -u "$auth_user:${GITEA_TOKEN}" -X DELETE \
+            "$server/api/packages/$owner/generic/$pkg/$version" || true
+      - name: Initialize submodules
+        run: |
+          set -e
+          git submodule update --init --recursive
+
+      - name: Build release (linux_amd64)
+        env:
+          GEN: ""
+        run: |
+          set -e
+          make -j"$(nproc)" release
+
+      - name: Find extension artifact
+        id: artifact
+        run: |
+          set -euo pipefail
+          path="$(ls -1 build/release/extension/${EXTENSION_NAME}/${EXTENSION_NAME}.duckdb_extension 2>/dev/null || true)"
+          if [ -z "$path" ]; then
+            path="$(find build/release -type f -name '*.duckdb_extension' | head -n 1 || true)"
+          fi
+          if [ -z "$path" ]; then
+            echo "Extension artifact not found" >&2
+            exit 1
+          fi
+          echo "file=$path" >> "$GITHUB_OUTPUT"
+          echo "Found: $path"
+
+      - name: Compute package version
+        id: ver
+        run: |
+          set -euo pipefail
+          version='${{ inputs.version }}'
+          if [ -z "$version" ]; then
+            if [ "${{ github.ref_type }}" = "tag" ]; then
+              version='${{ github.ref_name }}'
+            else
+              version="dev-${GITHUB_SHA::8}"
+            fi
+          fi
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+          echo "Using version: $version"
       - name: Upload to Gitea Packages (generic)
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          ACTOR: ${{ github.actor }}
         run: |
-          curl -fsSL -X PUT -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/octet-stream" --upload-file "$file" "$server/api/packages/$owner/generic/$pkg/$version/$name?replace=1"
+          set -euo pipefail
+          : "${GITEA_TOKEN:?GITEA_TOKEN secret is required}"
+          # Derive server/owner/pkg from env if not provided
+          server="${GITHUB_SERVER_URL:-${{ github.server_url }}}"
+          owner="${GITHUB_REPOSITORY_OWNER:-${{ github.repository_owner }}}"
+          repo_full="${GITHUB_REPOSITORY:-${{ github.repository }}}"
+          pkg="${repo_full##*/}"
+          # Use previously computed version & artifact if available
+          version='${{ steps.ver.outputs.version }}'
+          file='${{ steps.artifact.outputs.file }}'
+          # Fallbacks if steps were skipped
+          if [ -z "${version}" ]; then
+            if [ -n "${GITHUB_REF_TYPE:-}" ] && [ "${GITHUB_REF_TYPE}" = "tag" ]; then
+              version="${GITHUB_REF_NAME:-dev-${GITHUB_SHA::8}}"
+            else
+              version="dev-${GITHUB_SHA::8}"
+            fi
+          fi
+          if [ -z "${file}" ]; then
+            file="$(ls -1 build/release/extension/${EXTENSION_NAME}/${EXTENSION_NAME}.duckdb_extension 2>/dev/null || true)"
+            if [ -z "$file" ]; then
+              file="$(find build/release -type f -name '*.duckdb_extension' | head -n 1 || true)"
+            fi
+          fi
+          [ -n "$server" ] || { echo "server not set" >&2; exit 1; }
+          [ -n "$owner" ] || { echo "owner not set" >&2; exit 1; }
+          [ -n "$pkg" ] || { echo "pkg not set" >&2; exit 1; }
+          [ -n "$version" ] || { echo "version not set" >&2; exit 1; }
+          [ -n "$file" ] || { echo "file not set" >&2; exit 1; }
+          # Normalize server using effective URL of /api/v1/version (handles http->https)
+          base_no_trail="$(echo "$server" | sed 's#/*$##')"
+          effective_version_url=$(curl -sS -L -o /dev/null -w '%{url_effective}' "$base_no_trail/api/v1/version" || echo "")
+          normalized_server=$(echo "$effective_version_url" | sed -E 's#^(https?://[^/]+).*$#\1#')
+          if [ -n "$normalized_server" ]; then
+            server="$normalized_server"
+          fi
+          # Use the GitHub actor as basic auth username by default
+          auth_user="${ACTOR:-$owner}"
+          name="$(basename "$file")"
+          url="$server/api/packages/$owner/generic/$pkg/$version/$name?replace=1"
+          echo "Uploading $file to $url"
+          echo "  auth user=$auth_user"
+
+          # Use Basic auth directly (works with package registry)
+          curl -fS -L -X PUT \
+            -u "$auth_user:${GITEA_TOKEN}" \
+            -H "Content-Type: application/octet-stream" \
+            --retry 2 --retry-delay 2 --max-time 300 \
+            --upload-file "$file" "$url"
+          echo "Upload complete."