From 7549aa6c906ae715a6c6c5a461dccbfd15a745c5 Mon Sep 17 00:00:00 2001
From: Emma Thorpe
Date: Thu, 11 Jun 2026 16:31:32 +0100
Subject: [PATCH] fix: authenticate to container registry with a package-scoped PAT

The auto-provided GITEA_TOKEN does not carry container registry write permission on most Gitea instances, causing docker login to fail with "unauthorized". Use a Personal Access Token supplied via the PACKAGES_TOKEN secret, with the package namespace owner as the username.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
.gitea/workflows/build-and-publish.yml | 7 +++++--
README.md | 11 ++++++++---
2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/build-and-publish.yml b/.gitea/workflows/build-and-publish.yml
index c58d334..38ed3f9 100644
--- a/.gitea/workflows/build-and-publish.yml
+++ b/.gitea/workflows/build-and-publish.yml
@@ -23,13 +23,16 @@ jobs: - name: Set up Buildx uses: docker/setup-buildx-action@v3 + # Uses a Personal Access Token with package read/write scope, stored as + # the PACKAGES_TOKEN secret. The auto-provided GITEA_TOKEN does not carry + # container-registry write permission on most Gitea instances. - name: Log in to the Gitea container registry if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + username: ${{ github.repository_owner }} + password: ${{ secrets.PACKAGES_TOKEN }} - name: Extract image metadata id: meta
diff --git a/README.md b/README.md
index 6abb542..ca4ed26 100644
--- a/README.md
+++ b/README.md
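Review bot: The new `username: ${{ github.repository_owner }}` on the login step pairs a Personal Access Token, which always belongs to a user account, with whatever owns the repository; when that owner is an organization the username sent to the registry is the org name rather than the token owner's, and whether the target Gitea instance accepts that combination is not something this hunk can guarantee, so it should be verified before relying on it. Taking the login name from its own secret removes the ambiguity and keeps the step portable across user- and org-owned namespaces: `username: ${{ secrets.PACKAGES_USER }}`, documented alongside `PACKAGES_TOKEN` in the README. The PAT also replaces a per-run token with a long-lived credential, so the added comment would be stronger if it stated the least-privilege expectation explicitly, e.g. `# PACKAGES_TOKEN should carry only the package write scope (no repository scopes) and be rotated like any other service credential.` The unchanged `if: github.event_name != 'pull_request'` guard is what keeps that secret out of pull-request builds, which is worth keeping in mind if the trigger set ever grows.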
@@ -46,9 +46,14 @@ docker run --rm -p 8080:8080 dlr `.gitea/workflows/build-and-publish.yml` builds the container with Gitea Actions and publishes it to this Gitea instance's container registry on pushes to `main` -and on `v*` tags. Pull requests build the image but do not push. Authentication -uses the automatically provided `GITEA_TOKEN`; the registry host is derived from -the Gitea server URL. +and on `v*` tags. Pull requests build the image but do not push. The registry +host is derived from the Gitea server URL. + +Authentication requires a Personal Access Token with package read/write scope, +because the automatically provided `GITEA_TOKEN` does not carry container +registry write permission on most Gitea instances. Create the token under an +account with write access to the target package namespace, then store it as a +repository Actions secret named `PACKAGES_TOKEN`. The published image is `//`, tagged by branch, semver (for `v*` tags), commit SHA, and `latest` on the default branch.