From 18de9b8ebc9d524084a4a2f5e2e8f65d88abb57e Mon Sep 17 00:00:00 2001
From: Steve Dudenhoeffer
Date: Sat, 27 Jun 2026 20:53:00 -0400
Subject: [PATCH] fix: source GITEA_TOKEN from github.token (auto) under explicit secret forwarding
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The first attempt failed at entrypoint.sh:61 'GITEA_TOKEN required' — with explicit secrets (no `inherit`), secrets.GITEA_TOKEN resolves empty in the reusable job. github.token comes from the github context (not a forwarded secret), so it's present regardless. The forwarded provider/findings secrets arrived correctly; only the auto-token sourcing was wrong.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/review-reusable.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/review-reusable.yml b/.gitea/workflows/review-reusable.yml
index 8cc0803..7480e67 100644
--- a/.gitea/workflows/review-reusable.yml
+++ b/.gitea/workflows/review-reusable.yml
@@ -80,7 +80,11 @@ jobs:
 env:
 # --- event context (from the CALLER's github.*) -------------------
 GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}
- GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+ # github.token is the auto job token from the github CONTEXT (not a
+ # secret), so it's present even without `secrets: inherit`. Using
+ # secrets.GITEA_TOKEN here would be empty under explicit secret
+ # forwarding, since the auto token isn't a forwarded workflow_call secret.
+ GITEA_TOKEN: ${{ github.token }}
 EVENT_NAME: ${{ github.event_name }}
 PR: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
 PR_BRANCH: ${{ github.head_ref }}
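Review bot: The new comment above `GITEA_TOKEN: ${{ github.token }}` describes the value as "not a secret", which is true only in the narrow sense that it is not a forwarded `workflow_call` secret; it is still the runner-issued job credential with API write access to the repository, and a maintainer reading "not a secret" may later echo it in logs or hand it to a step that runs untrusted pull-request content. Since this `env:` block appears to sit at job level (the hunk header only shows `jobs:`, so the enclosing job starts before the hunk and continues after it), every step in the job, including any third-party actions, inherits the token; if only the step that calls `GITEA_API` needs it, scoping `GITEA_TOKEN` to that step's `env:` would limit the blast radius. I would reword the comment to `# github.token is the runner-issued job credential from the github context, not a workflow_call secret,` / `# so it survives explicit secret forwarding. It is still a repo-scoped API token: keep it out of logs` / `# and out of steps that execute untrusted PR content.` The claim that `secrets.GITEA_TOKEN` resolves empty under explicit forwarding is taken from the commit message and not verifiable from the hunk itself.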