TehRiehlDeal/movieloop-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ci): read HARBOR_HOST from vars, not secrets
backend-ci / typecheck (push) Successful in 21s
Details
backend-ci / test (push) Successful in 23s
Details
backend-ci / lint (push) Successful in 25s
Details
backend-ci / build (push) Successful in 1m18s
Details
backend-ci / push (push) Successful in 1m37s
Details
backend-ci / secrets-scan (push) Successful in 5s
Details
backend-ci / sast (push) Successful in 9s
Details
backend-ci / fs-scan (push) Successful in 12s
Details

Browse Source 
HARBOR_HOST is configured as a Gitea Actions *variable*, not a
secret. Gitea (like GitHub) keeps the two stores separate — secrets.X
resolves to empty if X is a variable. Every prior CI failure on the
push job (docker/login-action exit 1, curl exit 6, docker login
falling back to registry-1.docker.io, the recent empty-check) was
the same root cause: secrets.HARBOR_HOST was always empty.

Switch the env binding to vars.HARBOR_HOST and drop the protocol-
strip defensive code that was added based on a wrong premise — the
value (harbor.tehriehldeal.com) is already a clean bare hostname.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kevin Riehl
2026-05-13 13:09:41 -07:00
parent b86a0915ef
commit 05651e4aca
1 changed files with 7 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/ci.yml
+7 -15
View File
@@ -124,7 +124,9 @@ jobs:
needs: [build, secrets-scan, sast, fs-scan]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
env:
HARBOR_HOST: ${{ secrets.HARBOR_HOST }}
# HARBOR_HOST is a Gitea Actions *variable* (not a secret) — vars and
# secrets are separate stores and don't cross over.
HARBOR_HOST: ${{ vars.HARBOR_HOST }}
HARBOR_PROJECT: movieloop
IMAGE_NAME: backend
steps:
@@ -138,22 +140,12 @@ jobs:
- name: Compute tag inputs
run: |
set -u
: "${HARBOR_HOST:?HARBOR_HOST secret is not set — provision it in Gitea before pushing.}"
# Strip protocol prefix and trailing slash in case the secret was
# pasted as a full URL. Override HARBOR_HOST in $GITHUB_ENV so
# every subsequent step (curl, docker login/push, cosign) gets
# the clean hostname — otherwise docker login silently falls
# back to docker.io with a malformed-auth-header error.
HARBOR_HOST="${HARBOR_HOST#https://}"
HARBOR_HOST="${HARBOR_HOST#http://}"
HARBOR_HOST="${HARBOR_HOST%/}"
: "${HARBOR_HOST:?HARBOR_HOST is empty — set it as a Gitea Actions variable (not a secret).}"
SHA_SHORT=$(git rev-parse --short HEAD)
VERSION=$(jq -r .version package.json)
echo "HARBOR_HOST=${HARBOR_HOST}" >> "$GITHUB_ENV"
echo "SHA_SHORT=${SHA_SHORT}" >> "$GITHUB_ENV"
echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
echo "Cleaned HARBOR_HOST=${HARBOR_HOST}"
echo "VERSION=${VERSION}, SHA_SHORT=${SHA_SHORT}"
echo "SHA_SHORT=${SHA_SHORT}" >> "$GITHUB_ENV"
echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
echo "HARBOR_HOST=${HARBOR_HOST}, VERSION=${VERSION}, SHA_SHORT=${SHA_SHORT}"
- name: Refuse to overwrite an existing version tag in Harbor
env: