From 3590c356a48867e629c71e6290a9f2eeb1db6003 Mon Sep 17 00:00:00 2001
From: Ronni Baslund <rhb@vdoc.dk>
Date: Wed, 10 Jun 2026 08:18:32 +0200
Subject: [PATCH] fix(ci): registry login via REGISTRY_TOKEN PAT

The per-job GITHUB_TOKEN is no longer accepted by the container registry's
/v2/ basic-auth endpoint since the act_runner -> gitea/runner switch (login
fails 'unauthorized' before push). Use a personal access token with package
read+write scope, provided as the REGISTRY_TOKEN repo secret.
---
 .gitea/workflows/ci.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index a8afedd..bb2a651 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -69,8 +69,12 @@ jobs:
           - { name: operator, dir: apps/operator }
     steps:
       - uses: actions/checkout@v4
+      # REGISTRY_TOKEN is a Gitea personal access token with package read+write
+      # scope (repo Settings → Actions → Secrets). The per-job GITHUB_TOKEN
+      # stopped being accepted by the registry's /v2/ basic-auth endpoint after
+      # the act_runner → gitea/runner switch, so registry pushes use a PAT.
       - name: Registry login
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login git.lastcloud.io -u "${{ github.actor }}" --password-stdin
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.lastcloud.io -u "${{ github.actor }}" --password-stdin
       - name: Build + push
         run: |
           IMG=git.lastcloud.io/ronnibaslund/dezky/${{ matrix.app.name }}