fix(ci): clean HARBOR_HOST once and propagate via GITHUB_ENV

Mirror the backend fix: the pre-check cleaned HARBOR_HOST locally
but subsequent steps (docker login/push, cosign) saw the raw secret
with its https:// prefix, causing docker login to fall back to
docker.io. Do the cleanup once in Compute and write it to GITHUB_ENV
so every later step sees the same normalized value.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 12:55:56 -07:00
parent f9beb7ad40
commit b8e6672006
+17 -9
@@ -101,10 +101,23 @@ jobs:
- name: Compute tag inputs
run: |
set -u
: "${HARBOR_HOST:?HARBOR_HOST secret is not set — provision it in Gitea before pushing.}"
# Strip protocol prefix and trailing slash in case the secret was
# pasted as a full URL. Override HARBOR_HOST in $GITHUB_ENV so
# every subsequent step (curl, docker login/push, cosign) gets
# the clean hostname — otherwise docker login silently falls
# back to docker.io with a malformed-auth-header error.
HARBOR_HOST="${HARBOR_HOST#https://}"
HARBOR_HOST="${HARBOR_HOST#http://}"
HARBOR_HOST="${HARBOR_HOST%/}"
SHA_SHORT=$(git rev-parse --short HEAD)
VERSION=$(jq -r .version package.json)
echo "SHA_SHORT=${SHA_SHORT}" >> "$GITHUB_ENV"
echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
echo "HARBOR_HOST=${HARBOR_HOST}" >> "$GITHUB_ENV"
echo "SHA_SHORT=${SHA_SHORT}" >> "$GITHUB_ENV"
echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
echo "Cleaned HARBOR_HOST=${HARBOR_HOST}"
echo "VERSION=${VERSION}, SHA_SHORT=${SHA_SHORT}"
- name: Refuse to overwrite an existing version tag in Harbor
env:
@@ -112,12 +125,7 @@ jobs:
HARBOR_PASSWORD: ${{ secrets.MOVIELOOP_PASSWORD }}
run: |
set -u
# Defensive: strip protocol prefix and trailing slash in case the
# HARBOR_HOST secret was pasted as a full URL.
host="${HARBOR_HOST#https://}"
host="${host#http://}"
host="${host%/}"
url="https://${host}/api/v2.0/projects/${HARBOR_PROJECT}/repositories/${IMAGE_NAME}/artifacts/${VERSION}/tags"
url="https://${HARBOR_HOST}/api/v2.0/projects/${HARBOR_PROJECT}/repositories/${IMAGE_NAME}/artifacts/${VERSION}/tags"
echo "Checking: ${url}"
code=$(curl -s -o /dev/null -w "%{http_code}" -u "${HARBOR_USERNAME}:${HARBOR_PASSWORD}" "${url}" || echo "000")
echo "HTTP status: ${code}"
@@ -130,7 +138,7 @@ jobs:
echo "Version ${VERSION} not yet published — proceeding."
;;
000)
echo "::error::curl could not reach https://${host} (likely DNS or network). Check that the HARBOR_HOST secret is a bare hostname (no https://, no trailing slash) and that this runner can resolve it."
echo "::error::curl could not reach https://${HARBOR_HOST} (likely DNS or network). Verify this runner can resolve the host."
exit 1
;;
401|403)
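Review bot: The normalization added to `Compute tag inputs` strips only a lowercase `http://`/`https://` prefix and one trailing slash, and nothing validates the result before it is appended to `$GITHUB_ENV`, so a secret pasted with a path, an uppercase scheme, or a stray space or newline still reaches docker login, push and cosign malformed (a newline would also add an extra line to the env file). Since the failure being fixed was a login silently targeting docker.io, a fail-closed check right after the three expansions would be safer, for example `case "$HARBOR_HOST" in ''|*[!A-Za-z0-9.:-]*) echo "::error::HARBOR_HOST is not a bare host[:port]"; exit 1;; esac`. Separately, the cleaned value no longer equals the registered secret string, so log masking will likely stop matching it in `echo "Cleaned HARBOR_HOST=${HARBOR_HOST}"` and `echo "Checking: ${url}"`; if the hostname is meant to stay out of job logs, emit `echo "::add-mask::${HARBOR_HOST}"` before those lines. The docker login/push and cosign steps are outside the visible hunks, so it is worth confirming that none of them re-declares `HARBOR_HOST` from the secret in a step-level `env:`, which would presumably bring the raw value back.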