TehRiehlDeal/movieloop-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ci): read HARBOR_HOST from vars, not secrets
frontend-ci / secrets-scan (push) Successful in 5s
Details
frontend-ci / sast (push) Successful in 9s
Details
frontend-ci / fs-scan (push) Successful in 11s
Details
frontend-ci / typecheck (push) Successful in 14s
Details
frontend-ci / lint (push) Successful in 15s
Details
frontend-ci / build (push) Successful in 38s
Details
frontend-ci / push (push) Successful in 37s
Details

Browse Source 
Mirror the backend fix. HARBOR_HOST is a Gitea Actions variable, not
a secret; secrets.HARBOR_HOST was empty the whole time. Use
vars.HARBOR_HOST and drop the now-pointless protocol-strip defense.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kevin Riehl
2026-05-13 13:09:49 -07:00
parent b8e6672006
commit 7b60af21ae
1 changed files with 7 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/ci.yml
+7 -15
View File
@@ -88,7 +88,9 @@ jobs:
needs: [build, secrets-scan, sast, fs-scan] needs: [build, secrets-scan, sast, fs-scan]
if: github.event_name == 'push' && github.ref == 'refs/heads/main' if: github.event_name == 'push' && github.ref == 'refs/heads/main'
env: env:
HARBOR_HOST: ${{ secrets.HARBOR_HOST }} # HARBOR_HOST is a Gitea Actions *variable* (not a secret) — vars and
# secrets are separate stores and don't cross over.
HARBOR_HOST: ${{ vars.HARBOR_HOST }}
HARBOR_PROJECT: movieloop HARBOR_PROJECT: movieloop
IMAGE_NAME: frontend IMAGE_NAME: frontend
steps: steps:
@@ -102,22 +104,12 @@ jobs:
- name: Compute tag inputs - name: Compute tag inputs
run: | run: |
set -u set -u
: "${HARBOR_HOST:?HARBOR_HOST secret is not set — provision it in Gitea before pushing.}" : "${HARBOR_HOST:?HARBOR_HOST is empty — set it as a Gitea Actions variable (not a secret).}"
# Strip protocol prefix and trailing slash in case the secret was
# pasted as a full URL. Override HARBOR_HOST in $GITHUB_ENV so
# every subsequent step (curl, docker login/push, cosign) gets
# the clean hostname — otherwise docker login silently falls
# back to docker.io with a malformed-auth-header error.
HARBOR_HOST="${HARBOR_HOST#https://}"
HARBOR_HOST="${HARBOR_HOST#http://}"
HARBOR_HOST="${HARBOR_HOST%/}"
SHA_SHORT=$(git rev-parse --short HEAD) SHA_SHORT=$(git rev-parse --short HEAD)
VERSION=$(jq -r .version package.json) VERSION=$(jq -r .version package.json)
echo "HARBOR_HOST=${HARBOR_HOST}" >> "$GITHUB_ENV" echo "SHA_SHORT=${SHA_SHORT}" >> "$GITHUB_ENV"
echo "SHA_SHORT=${SHA_SHORT}" >> "$GITHUB_ENV" echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
echo "VERSION=${VERSION}" >> "$GITHUB_ENV" echo "HARBOR_HOST=${HARBOR_HOST}, VERSION=${VERSION}, SHA_SHORT=${SHA_SHORT}"
echo "Cleaned HARBOR_HOST=${HARBOR_HOST}"
echo "VERSION=${VERSION}, SHA_SHORT=${SHA_SHORT}"
- name: Refuse to overwrite an existing version tag in Harbor - name: Refuse to overwrite an existing version tag in Harbor
env: env: