From f7fe2160899c6c123351b6a993e39ed4d76dcc71 Mon Sep 17 00:00:00 2001 From: Hendrik Date: Fri, 17 Apr 2026 16:10:00 +0200 Subject: [PATCH] ci: use REGISTRY_TOKEN PAT for Gitea container registry login MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The auto-issued GITEA_TOKEN in Actions does not carry write:package scope, so the docker login step failed with 'unauthorized'. Switching to a user- supplied secret REGISTRY_TOKEN (PAT with write:package + read:package). Setup on Gitea side: 1. Profile → Settings → Applications → Generate New Token with scopes write:package + read:package. 2. Repo → Settings → Actions → Secrets → add REGISTRY_TOKEN = . Optional: REGISTRY_USER if the owning account differs from gitea.actor. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/docker.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/docker.yml b/.gitea/workflows/docker.yml
index 3a80c24..e9e8bd4 100644
--- a/.gitea/workflows/docker.yml
+++ b/.gitea/workflows/docker.yml
@@ -25,11 +25,16 @@ jobs:
 uses: docker/setup-buildx-action@v3
 - name: Log in to Gitea container registry
+ # Uses a personal access token (PAT) with write:package scope.
+ # The default GITEA_TOKEN cannot push to the container registry.
+ # Create the PAT under User Settings → Applications, add it as a repo
+ # secret named REGISTRY_TOKEN, and (optionally) REGISTRY_USER if the
+ # owning account differs from ${{ gitea.actor }}.
 uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
- username: ${{ gitea.actor }}
- password: ${{ secrets.GITEA_TOKEN }}
+ username: ${{ secrets.REGISTRY_USER || gitea.actor }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
 - name: Derive tags
 id: meta
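Review bot: The login step now hands a long-lived personal access token to `docker/login-action@v3`, which is referenced by a mutable tag, so a retagged or compromised release of that action would see a credential that, unlike the auto-issued GITEA_TOKEN, presumably stays valid after the job ends. Pin the action to a reviewed commit, e.g. `uses: docker/login-action@<full-commit-sha>  # v3`, and extend the step comment with `# REGISTRY_TOKEN must come from a dedicated CI account, carry only write:package + read:package, and have an expiry date.` The token's package scope is presumably not limited to this repository, so a personal PAT would expose every package its owner can write to. The fallback `secrets.REGISTRY_USER || gitea.actor` also makes the login name depend on whoever triggered the run while the token belongs to one fixed account; confirm the registry accepts that combination. The workflow's triggers and the rest of the steps list sit outside this hunk, so check that this step is not reached on pull-request runs from forks.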