diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index a62bcd3..7c77b74 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -88,7 +88,9 @@ jobs:
 needs: [build, secrets-scan, sast, fs-scan]
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 env:
- HARBOR_HOST: ${{ secrets.HARBOR_HOST }}
+ # HARBOR_HOST is a Gitea Actions *variable* (not a secret) — vars and
+ # secrets are separate stores and don't cross over.
+ HARBOR_HOST: ${{ vars.HARBOR_HOST }}
 HARBOR_PROJECT: movieloop
 IMAGE_NAME: frontend
 steps:
@@ -102,22 +104,12 @@ jobs:
 - name: Compute tag inputs
 run: |
 set -u
- : "${HARBOR_HOST:?HARBOR_HOST secret is not set — provision it in Gitea before pushing.}"
- # Strip protocol prefix and trailing slash in case the secret was
- # pasted as a full URL. Override HARBOR_HOST in $GITHUB_ENV so
- # every subsequent step (curl, docker login/push, cosign) gets
- # the clean hostname — otherwise docker login silently falls
- # back to docker.io with a malformed-auth-header error.
- HARBOR_HOST="${HARBOR_HOST#https://}"
- HARBOR_HOST="${HARBOR_HOST#http://}"
- HARBOR_HOST="${HARBOR_HOST%/}"
+ : "${HARBOR_HOST:?HARBOR_HOST is empty — set it as a Gitea Actions variable (not a secret).}"
 SHA_SHORT=$(git rev-parse --short HEAD)
 VERSION=$(jq -r .version package.json)
- echo "HARBOR_HOST=${HARBOR_HOST}" >> "$GITHUB_ENV"
- echo "SHA_SHORT=${SHA_SHORT}" >> "$GITHUB_ENV"
- echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
- echo "Cleaned HARBOR_HOST=${HARBOR_HOST}"
- echo "VERSION=${VERSION}, SHA_SHORT=${SHA_SHORT}"
+ echo "SHA_SHORT=${SHA_SHORT}" >> "$GITHUB_ENV"
+ echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+ echo "HARBOR_HOST=${HARBOR_HOST}, VERSION=${VERSION}, SHA_SHORT=${SHA_SHORT}"
 - name: Refuse to overwrite an existing version tag in Harbor
 env:
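Review bot: In the "Compute tag inputs" step, the `:?` guard is now the only check on `HARBOR_HOST`, and it still accepts a value entered as a full URL or with a trailing slash. The removed comment records that such a value made `docker login` fall back to docker.io, which would point the registry login, push and cosign steps at a host other than Harbor. With the normalisation gone, I would fail fast right after the guard, e.g. `case "$HARBOR_HOST" in *://*|*/*) echo "HARBOR_HOST must be a bare host[:port]" >&2; exit 1;; esac`. The steps that consume the variable are outside this hunk, so whether they tolerate a scheme prefix should be confirmed there.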