From f3d73c9160828b3c59b6c9e8b5bc169e46a070ea Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Sat, 16 May 2026 20:35:51 -0400
Subject: [PATCH] ci: use REGISTRY_TOKEN PAT for container registry auth

The auto-provided GITEA_TOKEN doesn't grant write:package scope in Gitea 1.25 even when permissions.packages: write is declared. Switch registry logins to a dedicated PAT stored as REGISTRY_TOKEN. Keep GITEA_TOKEN for semantic-release-gitea API calls.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/ci.yml | 4 ++--
 .gitea/workflows/helm-release.yml | 2 +-
 .gitea/workflows/release-beta.yml | 6 +++---
 .gitea/workflows/release.yml | 6 +++---
 .gitea/workflows/rollback.yml | 2 +-
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 74e0e57..12abb11 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -60,7 +60,7 @@ jobs:
 with:
 registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - name: Build and push worker image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -92,7 +92,7 @@ jobs:
 with:
 registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - name: Build and push API image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
diff --git a/.gitea/workflows/helm-release.yml b/.gitea/workflows/helm-release.yml
index e022893..452726b 100644
--- a/.gitea/workflows/helm-release.yml
+++ b/.gitea/workflows/helm-release.yml
@@ -31,7 +31,7 @@ jobs:
 - name: Log in to Gitea OCI registry
 run: |
- echo "${{ secrets.GITEA_TOKEN }}" | helm registry login git.farh.net \
+ echo "${{ secrets.REGISTRY_TOKEN }}" | helm registry login git.farh.net \
 --username "${{ github.actor }}" \
 --password-stdin
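Review bot: The login step in the first ci.yml hunk now pairs `username: ${{ github.actor }}` with a PAT that belongs to one fixed account, so the name sent to git.farh.net changes with whoever triggers the run while the credential does not. Whether the registry checks the name against the token owner is not visible here; a fixed account name kept beside the token, e.g. `username: ${{ secrets.REGISTRY_USER }}` (placeholder secret name), would remove the ambiguity either way. Since a PAT outlives the job, unlike the automatic per-run token it replaces, a comment above the step would help the next maintainer: `# REGISTRY_TOKEN: PAT of a dedicated bot account, write:package scope only; rotate on a schedule`. The same applies to the second hunk in this file and to the login hunks in release-beta.yml, release.yml and rollback.yml; the step's `uses:` line lies outside each hunk.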
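Review bot: The `echo "${{ secrets.REGISTRY_TOKEN }}" | helm registry login` line in helm-release.yml has the runner substitute the token into the script text before the shell parses it, so a quote, `$` or backtick in the value would alter or break the command, and the secret ends up inside the generated script rather than only in the process environment. `--username "${{ github.actor }}"` is expanded the same way. Passing both through `env:` and reading them as shell variables keeps them as data, and `printf '%s'` avoids echo's option and escape handling, which differs between shells.

```yaml
      - name: Log in to Gitea OCI registry
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
          REGISTRY_USER: ${{ github.actor }}
        run: |
          printf '%s' "$REGISTRY_TOKEN" | helm registry login git.farh.net \
            --username "$REGISTRY_USER" \
            --password-stdin
```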
diff --git a/.gitea/workflows/release-beta.yml b/.gitea/workflows/release-beta.yml
index 9bbd5e2..e91064e 100644
--- a/.gitea/workflows/release-beta.yml
+++ b/.gitea/workflows/release-beta.yml
@@ -63,7 +63,7 @@ jobs:
 with:
 registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - name: Build and push worker image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -94,7 +94,7 @@ jobs:
 with:
 registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - name: Build and push API image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -126,7 +126,7 @@ jobs:
 with:
 registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - name: Inspect worker image
 id: inspect-worker
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 18ac2a0..ca159d5 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -78,7 +78,7 @@ jobs:
 with:
 registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - name: Build and push worker image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -112,7 +112,7 @@ jobs:
 with:
 registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - name: Build and push API image
 uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
@@ -146,7 +146,7 @@ jobs:
 with:
 registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - name: Inspect worker image
 id: inspect-worker
diff --git a/.gitea/workflows/rollback.yml b/.gitea/workflows/rollback.yml
index c4c34bd..0d9637d 100644
--- a/.gitea/workflows/rollback.yml
+++ b/.gitea/workflows/rollback.yml
@@ -79,7 +79,7 @@ jobs:
 with:
 registry: git.farh.net
 username: ${{ github.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - name: Verify Docker image tag exists
 run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"
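Review bot: The step right after the changed login, `run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${{ steps.target.outputs.version }}"`, expands a step output straight into shell text on a job that has just authenticated with the long-lived registry PAT. The hunk does not show where `steps.target.outputs.version` comes from; if it derives from an operator-supplied input, shell metacharacters in it would be interpreted rather than treated as a tag. Passing it through the environment keeps it as data: add `env:` with `TARGET_VERSION: ${{ steps.target.outputs.version }}` and use `run: docker buildx imagetools inspect "git.farh.net/farhoodlabs/trebuchet:${TARGET_VERSION}"`. The step may continue past the end of the hunk.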