From 7b60af21ae8a0432437d30ebdb79bedc33c6461c Mon Sep 17 00:00:00 2001
From: Kevin Riehl
Date: Wed, 13 May 2026 13:09:49 -0700
Subject: [PATCH] fix(ci): read HARBOR_HOST from vars, not secrets
Mirror the backend fix. HARBOR_HOST is a Gitea Actions variable, not a secret; secrets.HARBOR_HOST was empty the whole time. Use vars.HARBOR_HOST and drop the now-pointless protocol-strip defense.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/ci.yml | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index a62bcd3..7c77b74 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -88,7 +88,9 @@ jobs:
 needs: [build, secrets-scan, sast, fs-scan]
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 env:
- HARBOR_HOST: ${{ secrets.HARBOR_HOST }}
+ # HARBOR_HOST is a Gitea Actions *variable* (not a secret) — vars and
+ # secrets are separate stores and don't cross over.
+ HARBOR_HOST: ${{ vars.HARBOR_HOST }}
 HARBOR_PROJECT: movieloop
 IMAGE_NAME: frontend
 steps:
@@ -102,22 +104,12 @@ jobs:
 - name: Compute tag inputs
 run: |
 set -u
- : "${HARBOR_HOST:?HARBOR_HOST secret is not set — provision it in Gitea before pushing.}"
- # Strip protocol prefix and trailing slash in case the secret was
- # pasted as a full URL. Override HARBOR_HOST in $GITHUB_ENV so
- # every subsequent step (curl, docker login/push, cosign) gets
- # the clean hostname — otherwise docker login silently falls
- # back to docker.io with a malformed-auth-header error.
- HARBOR_HOST="${HARBOR_HOST#https://}"
- HARBOR_HOST="${HARBOR_HOST#http://}"
- HARBOR_HOST="${HARBOR_HOST%/}"
+ : "${HARBOR_HOST:?HARBOR_HOST is empty — set it as a Gitea Actions variable (not a secret).}"
 SHA_SHORT=$(git rev-parse --short HEAD)
 VERSION=$(jq -r .version package.json)
- echo "HARBOR_HOST=${HARBOR_HOST}" >> "$GITHUB_ENV"
- echo "SHA_SHORT=${SHA_SHORT}" >> "$GITHUB_ENV"
- echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
- echo "Cleaned HARBOR_HOST=${HARBOR_HOST}"
- echo "VERSION=${VERSION}, SHA_SHORT=${SHA_SHORT}"
+ echo "SHA_SHORT=${SHA_SHORT}" >> "$GITHUB_ENV"
+ echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+ echo "HARBOR_HOST=${HARBOR_HOST}, VERSION=${VERSION}, SHA_SHORT=${SHA_SHORT}"
 - name: Refuse to overwrite an existing version tag in Harbor
 env:
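Review bot: The `:?` guard in the `Compute tag inputs` step now only rejects an empty HARBOR_HOST, so a value entered as a full URL passes straight through to the later registry steps. The normalization being deleted was never exercised while the value was empty; with `vars.HARBOR_HOST` it is non-empty for the first time, which is exactly when a malformed value can occur. The removed comment records that a scheme-prefixed host makes `docker login` fall back to docker.io, which would present the Harbor credentials to a different registry. Instead of silently rewriting the value, fail closed right after the guard: `case "$HARBOR_HOST" in *://*|*/*) echo "HARBOR_HOST must be a bare host[:port], no scheme or path" >&2; exit 1 ;; esac`. The steps that consume HARBOR_HOST (login, push, signing) are outside this hunk, so check that none of them builds the registry reference in a way this validation would miss.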