From 2e6cac3d5d075386cdcd342caf8fd910cd01715f Mon Sep 17 00:00:00 2001
From: Robert Helewka <r@helu.ca>
Date: Tue, 16 Jun 2026 08:53:31 -0400
Subject: [PATCH] ci: use PACKAGE_TOKEN for the registry login
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GITEA_TOKEN is not set in these repos — the registry login sent a blank
password and Gitea's /v2/ endpoint returned unauthorized. Switch the
image-build login, the app template, and the README to PACKAGE_TOKEN, the
PAT the other repos already use (Syrinx pairs gitea.actor + PACKAGE_TOKEN
successfully). The PAT needs write:package here and read:package in app
repos.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .gitea/workflows/builder-image.yml | 2 +-
 README.md                          | 9 +++++----
 templates/build.yml                | 2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/.gitea/workflows/builder-image.yml b/.gitea/workflows/builder-image.yml
index 9b0eaeb..d72a3d7 100644
--- a/.gitea/workflows/builder-image.yml
+++ b/.gitea/workflows/builder-image.yml
@@ -38,7 +38,7 @@ jobs:
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ gitea.actor }}
-          password: ${{ secrets.GITEA_TOKEN }}
+          password: ${{ secrets.PACKAGE_TOKEN }}
 
       - name: Set up Buildx
         uses: docker/setup-buildx-action@v3
diff --git a/README.md b/README.md
index 21bf9ae..cf75522 100644
--- a/README.md
+++ b/README.md
@@ -66,7 +66,7 @@ jobs:
       image: git.helu.ca/r/android:2026.06
       credentials:
         username: ${{ gitea.actor }}
-        password: ${{ secrets.GITEA_TOKEN }}
+        password: ${{ secrets.PACKAGE_TOKEN }}
 ```
 
 The build task is selectable: `assembleRelease` (APK, the default) or
@@ -83,9 +83,10 @@ Signing happens at job time; nothing sensitive lives in the repo or the image.
 | `KEY_ALIAS`         | signing key alias |
 | `KEY_PASSWORD`      | key password |
 
-`GITEA_TOKEN` needs `write:package` here (to push) and `read:package` in app
-repos (to pull). The built-in token usually covers this; if your instance
-scopes it tightly, use a PAT.
+`PACKAGE_TOKEN` (a PAT, the same secret the other repos here use) needs
+`write:package` in this repo (to push the image) and `read:package` in app
+repos (to pull it). Set it as a repo or org-level Actions secret. The
+built-in `gitea.token` is not used because it isn't scoped for the registry.
 
 ## First-run sequencing
 
diff --git a/templates/build.yml b/templates/build.yml
index e5bef63..5d9a208 100644
--- a/templates/build.yml
+++ b/templates/build.yml
@@ -29,7 +29,7 @@ jobs:
       image: git.helu.ca/r/android:2026.06
       credentials:
         username: ${{ gitea.actor }}
-        password: ${{ secrets.GITEA_TOKEN }}
+        password: ${{ secrets.PACKAGE_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-- 
2.43.0