2026-06-16 12:54:14 +00:00
3 changed files with 7 additions and 6 deletions
--- a/.gitea/workflows/builder-image.yml
+++ b/.gitea/workflows/builder-image.yml
@@ -38,7 +38,7 @@ jobs:
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ gitea.actor }}
-          password: ${{ secrets.GITEA_TOKEN }}
+          password: ${{ secrets.PACKAGE_TOKEN }}
      - name: Set up Buildx
        uses: docker/setup-buildx-action@v3
--- a/README.md
+++ b/README.md
@@ -66,7 +66,7 @@ jobs:
      image: git.helu.ca/r/android:2026.06
      credentials:
        username: ${{ gitea.actor }}
-        password: ${{ secrets.GITEA_TOKEN }}
+        password: ${{ secrets.PACKAGE_TOKEN }}
 ```
 The build task is selectable: `assembleRelease` (APK, the default) or
@@ -83,9 +83,10 @@ Signing happens at job time; nothing sensitive lives in the repo or the image.
 | `KEY_ALIAS`         | signing key alias |
 | `KEY_PASSWORD`      | key password |
-`GITEA_TOKEN` needs `write:package` here (to push) and `read:package` in app
+`PACKAGE_TOKEN` (a PAT, the same secret the other repos here use) needs
-repos (to pull). The built-in token usually covers this; if your instance
+`write:package` in this repo (to push the image) and `read:package` in app
-scopes it tightly, use a PAT.
+repos (to pull it). Set it as a repo or org-level Actions secret. The
 built-in `gitea.token` is not used because it isn't scoped for the registry.
 ## First-run sequencing
--- a/templates/build.yml
+++ b/templates/build.yml
@@ -29,7 +29,7 @@ jobs:
      image: git.helu.ca/r/android:2026.06
      credentials:
        username: ${{ gitea.actor }}
-        password: ${{ secrets.GITEA_TOKEN }}
+        password: ${{ secrets.PACKAGE_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4